Forcing all traffic through Site to Site VPN tunnel

Unanswered Question
Nov 15th, 2010

I have an ASA5510 at HQ and 5505's at several remote locations. We have site-to-site VPN tunnels connecting all of the branch offices to HQ. Currently all of these sites come through the tunnel to access network shares and servers on our internal network, but they all go out the local ISP for general internet traffic. We would like to configure these remote sites to come through HQ to get to the internet so that they can be run through a Barracuda Web Filter to keep them from going to undesirable sites.

I have been searching for a sample configuration, but have been unsuccessful. Most of the configurations that I have done on our firewalls have been based on examples of configs on existing firewalls, but we have none set up in this fashion. Here is a copy of one of my configurations that I would like to change. Any help would be greatly appreciated.

: Saved
:
ASA Version 8.2(2)
!
hostname *****
domain-name *****
enable password jWqsgNMJ79HBTl6H encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.121.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.172.112.58 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name bisfrucon.com
access-list VPN-Client-Splittunnel extended permit ip 192.168.121.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list VPN-Client-Splittunnel extended permit ip 192.168.121.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.121.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.121.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list OUTSIDE extended permit ip any any
access-list OUTSIDE extended permit icmp any any
access-list outside_2_cryptomap extended permit ip 192.168.121.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.121.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 192.168.121.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp any any inactive
pager lines 24
logging enable
logging buffer-size 1024000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.172.112.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 63.85.175.242 255.255.255.255 outside
http 192.168.121.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 63.85.175.242
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer 63.85.175.242
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.121.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.121.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.121.75-192.168.121.85 inside
dhcpd dns 192.168.100.100 205.152.37.23 interface inside
dhcpd domain bisfrucon.com interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.0202-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask enable
  customization value DfltCustomization
username bfisadm password QOok3aYXW.WuMS4Q encrypted privilege 15
username ronb password lpXRxMoxgm65fI.6 encrypted privilege 15
tunnel-group 63.85.175.242 type ipsec-l2l
tunnel-group 63.85.175.242 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2f2ff61b9ff8f3bf5345744970f4b4fe
: end
asdm image disk0:/asdm-625.bin
asdm location 192.168.200.0 255.255.255.0 inside
asdm location 192.168.102.0 255.255.255.0 inside
no asdm history enable

Jon Marshall Mon, 11/15/2010 - 13:31

If you want to force all traffic down the VPN tunnel then modify your crypto-map access-list to send all traffic down the tunnel, i.e.

access-list outside_2_cryptomap extended permit ip 192.168.121.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.121.0 255.255.255.0 192.168.200.0 255.255.255.0

to

access-list outside_2_cryptomap extended permit ip 192.168.121.0 255.255.255.0 any

and modify your nat extension access-list as well.

Jon

rebre52 Mon, 11/15/2010 - 14:01

So the following would be replaced like so?

access-list inside_nat0_outbound extended permit ip 192.168.121.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.121.0 255.255.255.0 192.168.200.0 255.255.255.0

replaced with

access-list inside_nat0_outbound extended permit ip 192.168.121.0 255.255.255.0 any

And that is all I need to do?

Jon Marshall Mon, 11/15/2010 - 14:12

rebre52 wrote:

So the following would be replaced like so?

access-list inside_nat0_outbound extended permit ip 192.168.121.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.121.0 255.255.255.0 192.168.200.0 255.255.255.0

replaced with

access-list inside_nat0_outbound extended permit ip 192.168.121.0 255.255.255.0 any

And that is all I need to do?

That is your NAT exemption access-list so that does need modifying but you also need to modify the access-list(s) referenced in your crypto maps. You would modify them the same as above.

Also don't forget you need to modify the access-lists at both ends of the IPSEC tunnel, i.e. on both devices at either end.

Edit - one other thing I forgot. At the HQ site you will need to set up hairpinning so the traffic can go in and out to the internet.

Jon
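The three changes Jon lists (catch-all crypto ACL, matching NAT exemption, and hairpinning at HQ) written out as one ASA 8.2 command sequence for both ends. This is an added example, not configuration from the thread or from either device: the branch names, subnets and peer address come from the posted config, while at HQ the ACL name `outside_cryptomap_branch`, crypto map sequence 10, the `inside_nat0_outbound` and `outside_map` names are assumed, and any existing per-subnet HQ crypto ACL entries for this peer are assumed to be removed first.

```cisco
! ---- Branch ASA 5505 (8.2) ----
! Replace the per-subnet crypto ACL entries with a catch-all so every
! destination, including the internet, is "interesting" to the tunnel.
no access-list outside_2_cryptomap extended permit ip 192.168.121.0 255.255.255.0 192.168.102.0 255.255.255.0
no access-list outside_2_cryptomap extended permit ip 192.168.121.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.121.0 255.255.255.0 any
! Entry 3 (192.168.121.0/24 -> 192.168.100.0/24) is now covered by entry 2;
! drop it so the same peer is not selected by two overlapping entries.
no crypto map outside_map 3 match address outside_cryptomap_3
no crypto map outside_map 3 set peer 63.85.175.242
no crypto map outside_map 3 set transform-set ESP-3DES-SHA
! NAT exemption must cover exactly the same traffic; otherwise "nat (inside) 1"
! PATs internet-bound packets to the branch outside address before the
! crypto map is consulted and they never enter the tunnel.
no access-list inside_nat0_outbound extended permit ip 192.168.121.0 255.255.255.0 192.168.100.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip 192.168.121.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.121.0 255.255.255.0 any
!
! ---- HQ ASA 5510 (8.2) ----  (ACL name and sequence number assumed)
! Mirror image of the branch crypto ACL: any source to the branch LAN.
access-list outside_cryptomap_branch extended permit ip any 192.168.121.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap_branch
crypto map outside_map 10 set peer 74.172.112.58
crypto map outside_map 10 set transform-set ESP-3DES-SHA
! HQ LANs talking to the branch stay un-NATed (probably already present).
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.121.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.102.0 255.255.255.0 192.168.121.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.121.0 255.255.255.0
! Hairpinning: allow decrypted branch traffic to enter and leave the same
! outside interface, and PAT it to HQ's public address on the way out.
same-security-traffic permit intra-interface
nat (outside) 1 192.168.121.0 255.255.255.0
global (outside) 1 interface
```

After the tunnel rebuilds, `show crypto ipsec sa` on the branch should show the remote ident for this peer as 0.0.0.0/0.0.0.0 rather than the old per-subnet selectors. Hairpinned traffic turns around on HQ's outside interface without crossing the inside LAN, so it only passes the Barracuda if the filter sits in that outside path (for example as an explicit proxy or inline on the HQ internet link).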

rebre52 Mon, 11/15/2010 - 14:19

Thanks so much for your help. I am going to be putting up a new location in a couple of weeks and will use this site as my trial run. Once I have the commands down pat, I will start modifying existing locations.

Posted November 15, 2010 at 1:25 PM