Hub/Spoke Forcing Spoke Internet Traffic thru Tunnel?
I am having some trouble getting this tested in the lab. Essentially I have two PIX 506e setup, one pretending to be the hub, and the other a spoke (outside interfaces on the same network) with a working tunnel between them. I could ping across them without problem (to hosts on each of their internal networks). So I then wanted to tackle the forcing of all traffic from the spoke to the hub, where I'll eventually integrate some traffic monitoring which we don't want to replicate at the spoke site. To do this I changed up the access-list for the tunnel to essentially say src spoke_net to any (and the reverse on the other side). Trouble is it isn't working. I have a feeling traffic from the spoke is going across the tunnel as I can capture IP ESP traffic on the outside interface when pinging IPs on the outside network. Could this be a nat issue, routing issue, or impossible? Any help is appreciated. I've attached configs for both the Hub and Spoke.
Re: Hub/Spoke Forcing Spoke Internet Traffic thru Tunnel?
The trouble you will have is the firewall needs a default-route and it will want to send internet requests to its DG. I know for sure this setup can be done using routers running VRF (Policy-Based Routing should also work). See my attached diagram & configs. Can you get your hands on a pair of ASAs? I believe PBR was added or will be in a future release.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...