Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
386
Views
0
Helpful
4
Replies

Hub/Spoke Forcing Spoke Internet Traffic thru Tunnel?

admin_2
Level 3
Level 3

‎07-17-2008 01:45 PM - edited ‎03-11-2019 06:16 AM

I am having some trouble getting this tested in the lab. Essentially I have two PIX 506e setup, one pretending to be the hub, and the other a spoke (outside interfaces on the same network) with a working tunnel between them. I could ping across them without problem (to hosts on each of their internal networks). So I then wanted to tackle the forcing of all traffic from the spoke to the hub, where I'll eventually integrate some traffic monitoring which we don't want to replicate at the spoke site. To do this I changed up the access-list for the tunnel to essentially say src spoke_net to any (and the reverse on the other side). Trouble is it isn't working. I have a feeling traffic from the spoke is going across the tunnel as I can capture IP ESP traffic on the outside interface when pinging IPs on the outside network. Could this be a nat issue, routing issue, or impossible? Any help is appreciated. I've attached configs for both the Hub and Spoke.

Labels:
0 Helpful
4 Replies 4

Not applicable

‎07-17-2008 01:47 PM

I wish I could upload the attachments... but I keep getting a servlet error from the forums.

0 Helpful

Not applicable
In response to

‎07-17-2008 01:52 PM

0 Helpful

jt3rry
Level 1
Level 1

‎07-24-2008 09:42 AM

The trouble you will have is the firewall needs a default-route and it will want to send internet requests to its DG. I know for sure this setup can be done using routers running VRF (Policy-Based Routing should also work). See my attached diagram & configs. Can you get your hands on a pair of ASAs? I believe PBR was added or will be in a future release.

Preview file
37 KB
0 Helpful

jt3rry
Level 1
Level 1
In response to jt3rry

‎07-24-2008 09:45 AM

actually the diagram shows PBR... but you get the idea. Let me know if you have any questions on the VRF & GRE setup

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card