We would like to configure some internet access route through the remote site's ISP gateway by using the IPSec VPN tunnel, while the rest of the internet traffic keeps using the local ISP. Would you please teach me how to configure it?
There is nothing very fancy about it. What you need to do is point the other side's network of the VPN to the new ISP connection and put the crypto map on that interface; that will do the trick.
If you have questions, let me know.
Maykol, I don't think you got Hugo's question. Unfortunately, this setup is not that easy.
Hugo, if I understood correctly, you would like to route some traffic through the VPN so that it uses the ISP gateway at the remote site, and still use your local ISP for the rest of the internet traffic, right?
Unfortunately, since the VPN is based on layer 3 information (IP), this cannot be done unless you have the specific IP addresses of the Internet hosts you would like to route through the tunnel. That would make it hard, because big sites keep changing their public IPs.
Think of google.com, for example: if you wanted to route all the traffic going to google.com through the tunnel, you would need to get all the IP addresses for Google, then define your crypto ACLs from your internal networks to Google's IP addresses and vice versa. That traffic will traverse the tunnel and use the remote site's ISP, and the rest of the traffic would stay local. Now when Google starts changing its IP addresses you will start having problems (not problems per se, but the traffic for Google's new IP addresses will be routed using your local ISP).
So, as you can see, since the VPN uses IP addresses for the definition of the interesting traffic instead of domains, this would be hard to accomplish and maintain.
I hope this helps.
If you know the public IP addresses of the sites you plan to tunnel, then you can do a regular LAN-to-LAN tunnel and put those public IPs in the interesting traffic for the VPN tunnel.
The commands would depend on the hardware that you use. What kind of devices are you planning to use to build the VPN tunnel?
Your URL does not help me. Our situation is:
Site A: ASA 5510 (WAN IP: 126.96.36.199)
Site B: PC with Cisco VPN Client installed (IPSec tunnel) (WAN IP: 188.8.131.52)
We would like to access google.com, for example, passing through site A (184.108.40.206) by using the IPSec tunnel from site B.
For the rest of the internet traffic, keep using the local ISP (220.127.116.11).
If the traffic is in site-to-site tunnels it will work, since you WILL know what the subnets on the other side of the tunnel are.
Maykol, again, this would work only if you know the public IP addresses of the sites you want to send through the VPN tunnel, regardless of whether it is site-to-site or VPN clients.
Let's say that Google's IP addresses are 18.104.22.168, 22.214.171.124 and 126.96.36.199. Then you would need to send that traffic through the VPN tunnel.
Your config would look something like this:
! Split-tunnel list: only these destinations are sent into the tunnel by the client
access-list split_tun standard permit host 188.8.131.52
access-list split_tun standard permit host 184.108.40.206
access-list split_tun standard permit host 220.127.116.11
group-policy TEST internal
group-policy TEST attributes
 ! Without tunnelspecified the default policy is tunnelall and the list is ignored
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tun
ip local pool TestPool 192.168.100.1-192.168.100.20 mask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
! Let decrypted client traffic leave through the same Outside interface it arrived on (hairpin)
same-security-traffic permit intra-interface
! PAT the client pool to the Outside address when it heads back out to the Internet
nat (outside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp nat-traversal 20
tunnel-group TEST type ipsec-ra
tunnel-group TEST general-attributes
 address-pool TestPool
 default-group-policy TEST
tunnel-group TEST ipsec-attributes
 pre-shared-key <PLACEHOLDER_PRESHARED_KEY>
It would be very similar to this:
Only that instead of tunneling all the internet traffic you will be doing specific IP addresses. BTW, with the commands I included above you are only using the VPN to route the internet traffic for "Google". If you also need to access the subnet behind the ASA-VPN server (let's say 10.10.10.0/24) you would need to add something like this:
! Send the LAN behind the ASA into the tunnel as well
access-list split_tun standard permit 10.10.10.0 255.255.255.0
! NAT exemption: do not translate LAN-to-VPN-pool traffic
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
I hope this helps. Let us know if you have any other questions.
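As an added example (not from this thread or from Cisco), here is a small Python model of the split-tunnel decision the config above makes: it parses the standard ACL entries into prefixes, decides per destination whether a client packet enters the tunnel or goes out the client's local ISP, and flags destinations you expect in the tunnel that the list no longer covers (the address-drift problem discussed above). The ACL text and the "added later" address are constructed sample values.

```python
import ipaddress

# Constructed sample: the split-tunnel ACL from the post above plus the LAN entry.
SPLIT_TUN_ACL = """\
access-list split_tun standard permit host 188.8.131.52
access-list split_tun standard permit host 184.108.40.206
access-list split_tun standard permit host 220.127.116.11
access-list split_tun standard permit 10.10.10.0 255.255.255.0
"""

def parse_standard_acl(text, name):
    """Collect the permit entries of an ASA *standard* ACL as ip_network objects.
    Handles 'host A', 'any' and 'NET MASK'; deny lines are skipped, as they are
    for a tunnelspecified split-tunnel list."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:3] != ["access-list", name, "standard"] or parts[3:4] != ["permit"]:
            continue
        rest = parts[4:]
        if rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1]))
        elif rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:  # 'NET MASK' form, e.g. 10.10.10.0 255.255.255.0
            nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False))
    return nets

def route_for(dst, tunneled_nets):
    """Path a VPN client packet takes: into the tunnel if dst matches the list,
    otherwise straight out the client's local ISP (the ASA never sees it)."""
    ip = ipaddress.ip_address(dst)
    return "vpn" if any(ip in net for net in tunneled_nets) else "local-isp"

def bypassed(expected_vpn_dsts, tunneled_nets):
    """Destinations the operator wants inside the tunnel that the ACL does not
    cover; that traffic leaves in clear text via the local ISP."""
    return [d for d in expected_vpn_dsts if route_for(d, tunneled_nets) != "vpn"]

NETS = parse_standard_acl(SPLIT_TUN_ACL, "split_tun")

# Constructed: the three listed addresses plus one the site "added later".
WANT_VIA_VPN = ["188.8.131.52", "184.108.40.206", "220.127.116.11", "18.104.22.168"]

if __name__ == "__main__":
    for dst in WANT_VIA_VPN + ["10.10.10.7", "8.8.8.8"]:
        print(dst, "->", route_for(dst, NETS))
    print("leaking around the tunnel:", bypassed(WANT_VIA_VPN, NETS))
```

Re-running the audit whenever the target site's published address list changes tells you which destinations have silently fallen back to the local ISP.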
If you have a site-to-site, you must know the peer IP address and the networks on the other side to encrypt the traffic, don't you? (Except in the case of a dynamic crypto map; of course this falls in the same category as the RA VPNs because of the use of IP addresses that you don't know.)
The trick is to point the peers with a route towards the new link; there is no need to discuss it. If you know the networks/hosts in order to do so (normally on site-to-site you do), that's great; otherwise, it won't work.
Regardless of whether it's VPN Client or site-to-site, you need to know the IP addresses of the hosts you want to access through the tunnel (unless you do a full tunnel). Therefore Hugo needs to know the IP addresses of the websites he is planning to route through the tunnel; that's what I'm trying to say.
If you just use routing over the internet the traffic will go in clear text, plus you can't route the traffic back to the client's private IP addresses, since those are not routable.
If you don't point the private network towards the new ISP, the ASA will use its routing decision towards the old ISP, thus never hitting the crypto map nor encrypting the traffic.
You are totally right... You need to know the IPs... What I am just saying is that it will be easier to do with L2L, since normally you do know the IP of the endpoint and the networks to be encrypted.