New Member

ASA 5505 Routing

All,

I've successfully managed to establish a site-to-site VPN using my new ASA device; however, I was wondering how I could configure it so that all Internet traffic (0.0.0.0) is sent down the VPN connection and out our main office firewall (at the peer end)? This will allow us to control the traffic sent out from the machines behind the ASA.

Regards,

Simon.

9 REPLIES
Hall of Fame Super Blue

Re: ASA 5505 Routing

ICT-Support wrote:

All,

I've successfully managed to establish a site-to-site VPN using my new ASA device; however, I was wondering how I could configure it so that all Internet traffic (0.0.0.0) is sent down the VPN connection and out our main office firewall (at the peer end)? This will allow us to control the traffic sent out from the machines behind the ASA.

Regards,

Simon.

Simon

Simply modify your crypto map entry for the site-to-site VPN to catch all traffic, i.e.

access-list crypto permit ip

Jon

New Member

Re: ASA 5505 Routing

Like this, or on my no-nat access-list?

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any

Regards,

Simon.

Hall of Fame Super Blue

Re: ASA 5505 Routing

ICT-Support wrote:

Like this, or on my no-nat access-list?

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any

Regards,

Simon.

Simon

Both, if you don't want to NAT any of the VPN traffic, but I was referring to the crypto map access-list.

Jon

Cisco Employee

Re: ASA 5505 Routing

Hello,

You could configure a default route with the tunneled option.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/qr.html#wp1793355

route outside 0.0.0.0 0.0.0.0 tunneled

Then you also need to change your crypto maps accordingly.

Hope this helps.

Regards,

NT
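To put Jon's and NT's suggestions together, here is the configuration for both ends of the tunnel, added as an editorial example and not taken from any post in the thread. It uses the ASA 8.2 syntax of the command reference NT links (8.3 and later replace the nat/global commands with object NAT, so the NAT lines do not carry over). Only 192.168.1.0/24, the access-list name outside_1_cryptomap and the ISP gateway 83.X.X.X come from the thread; the hub public address 203.0.113.1, the spoke public address 198.51.100.2, the hub LAN 10.10.10.0/24 and every other name are assumptions. One caveat on the tunneled route: per the command reference, it is used for traffic that emerges from a VPN tunnel on the ASA where it is configured, so on the spoke it never sees LAN-originated packets. The spoke keeps its ordinary default route to the ISP, and the crypto map bound to the outside interface catches the traffic on its way out.

```text
! --- Spoke ASA 5505 (ASA 8.2 syntax). Addresses other than 192.168.1.0/24 and
! --- 83.X.X.X are assumed example values.
! Crypto ACL: everything from the LAN is "interesting" traffic, so the hub's
! mirror ACL must be "any -> 192.168.1.0/24".
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any
! NAT exemption must cover the same traffic, or the source would be PATed to
! the outside address before the crypto map sees it.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list inside_nat0_outbound
! The ordinary default route stays: the ASA needs it to reach the peer, and
! LAN traffic is routed out "outside" first and only then matched against the
! crypto map. No "route ... tunneled" entry is needed on this side.
route outside 0.0.0.0 0.0.0.0 83.X.X.X 1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.1
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key ********

! --- Hub ASA (main office), ASA 8.2 syntax, all addresses assumed. ---
! Decrypted spoke traffic enters on "outside" and must leave on "outside"
! again (hairpin / U-turn), which the ASA refuses unless this is set.
same-security-traffic permit intra-interface
! Mirror image of the spoke's crypto ACL.
access-list outside_cryptomap_spoke extended permit ip any 192.168.1.0 255.255.255.0
! Hub LAN <-> spoke LAN stays unNATed (nat 0 is evaluated before nat 1) ...
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
! ... but spoke traffic heading for the Internet is PATed to the hub's public
! address as it goes back out "outside". The hub's normal default route to its
! ISP carries it; a "tunneled" route is only needed if decrypted traffic
! should go to some other gateway than that default.
nat (outside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_spoke
crypto map outside_map 10 set peer 198.51.100.2
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key ********
```

Two consequences of this design are worth stating. First, there is no clear-text fallback: with a crypto ACL of "any", spoke LAN traffic is either encrypted or dropped, so the branch loses Internet access whenever the tunnel is down. Second, "control the traffic" only happens if the hub actually filters it: by default the ASA has "sysopt connection permit-vpn" enabled, which bypasses the outside interface access-group for traffic arriving through the tunnel, so either disable that with "no sysopt connection permit-vpn" or attach a vpn-filter to the tunnel's group-policy; otherwise the hairpinned traffic leaves the hub subject only to the NAT rule above.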

New Member

Re: ASA 5505 Routing

Apologies if this is a stupid question, but currently I have:

route outside 0.0.0.0 0.0.0.0 83.X.X.X 1, which is my ISP gateway.

I understand the above is required so the ASA can talk to the Internet and establish the site-to-site connection.

To force the Internet browsing down the VPN tunnel, would I need an additional "route outside 0.0.0.0 0.0.0.0 X.X.X.X tunneled" command? If so, what would the gateway IP be, the remote peer's internal gateway, or the local ASA internal gateway?

Regards,

Simon.

New Member

Re: ASA 5505 Routing

I've added "any" to my crypto map and NAT rule. I've also got "route outside 0.0.0.0 0.0.0.0 83.X.X.X 1", which is my ISP gateway, but it's not sending Internet traffic down the VPN tunnel. Does anyone know why?

Simon.

New Member

Re: ASA 5505 Routing

If I tracert www.google.co.uk it tries to go out the public IP of the Cisco, however I would like it to route through the remote peer's internal IP. If I try "route inside 0.0.0.0" nothing happens, but if I try "route outside 0.0.0.0 tunneled" I cannot then even access my remote VPN network. Has anyone got any ideas how to get this to work?

New Member

Re: ASA 5505 Routing

Still no joy, does anyone have any ideas?

New Member

Re: ASA 5505 Routing

Got some more info; I ran a packet trace and got this:

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_in in interface inside
access-list acl_in extended permit ip 10.0.x.x 255.x.x.x any log
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.0.X.X 255.X.X.X outside any
NAT exempt
translate_hits = 296, untranslate_hits = 3
Additional Information:

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So my guess is it's not encrypting the packets; any idea why?
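As an added check, not part of Simon's post: the trace shows the flow passing ROUTE-LOOKUP (out "outside"), the inside ACL and NAT-EXEMPT and dropping only in the VPN encrypt phase, so routing and NAT exemption are not what to chase; what remains to compare is the crypto ACL bound to this peer's crypto map entry, the peer's mirror ACL, and whether a Phase 2 SA exists for 192.168.1.0/24 -> any. Note also that the crypto ACL posted earlier in the thread is for 192.168.1.0/24, while the NAT-exempt rule this trace matched is for a 10.0.X.X source; whichever is the real LAN, the crypto ACL has to cover it. The host address 192.168.1.10, the destination 198.51.100.1 and the peer 203.0.113.1 below are example values, and the commands are ASA 8.2 syntax.

```text
! Re-run the trace with an explicit LAN host so the source address the crypto
! ACL is being evaluated against is visible in the command itself.
packet-tracer input inside tcp 192.168.1.10 1025 198.51.100.1 80
! The crypto ACL and the map entry it is bound to: the trace's source must
! fall inside the ACL's source network, or nothing can be encrypted for
! that peer.
show run access-list outside_1_cryptomap
show run crypto map
! Phase 1: is there an SA with the peer at all?
show crypto isakmp sa
! Phase 2: look for an SA whose local/remote identities are
! 192.168.1.0/24 -> 0.0.0.0/0. If it never appears, the peer's mirror ACL
! (any -> 192.168.1.0/24) is the first thing to check on the hub.
show crypto ipsec sa peer 203.0.113.1
! Counter for the drop reason the trace reported, to see whether live
! traffic is hitting the same drop.
show asp drop frame acl-drop
```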
