Can I re-route internet traffic for site-to-site VPNs terminating on one ASA out through a different ASA?
This may sound like a strange thing to want to do in the first place but please bear with me! Here is the scenario:
I have an ASA (ASA A) in my datacentre connected to ISP A. I have a number of remote sites (also connected to ISP A) with IPsec VPN connections to the datacentre terminating on ASA A. At the moment, the remote sites are configured to split-tunnel, i.e. datacentre traffic is sent through the IPsec VPN tunnel and internet traffic is sent directly to the internet through each site's individual ADSL connection (via ISP A).
I also have another ASA (ASA B) in my datacentre connected to ISP B. Is it possible for me to reroute internet traffic from these remote sites (or at least traffic to a few specific internet addresses) out through ASA B and the connection to ISP B? If so, how can this be achieved?
Remote Site 1 subnet: 10.100.1.0/24
Datacentre inside subnet: 10.16.0.0/16
ASA A inside: 10.16.0.5
ASA B inside: 10.16.0.10
Internet Site 1: 188.8.131.52
Internet Site 2: 184.108.40.206
I've tried the following at Remote Site 1:
Defined the interesting traffic for the VPN tunnel to include traffic to the internet sites, i.e.:
ip access-list extended dc-vpn
 permit ip 10.100.1.0 0.0.0.255 10.16.0.0 0.0.255.255
 permit ip 10.100.1.0 0.0.0.255 host 220.127.116.11
 permit ip 10.100.1.0 0.0.0.255 host 18.104.22.168
Configured a "no-nat" ACL on the Remote Site 1 router NOT to NAT traffic to these internet sites (because it will instead be NAT'd when it goes out through ASA B's internet connection):
ip access-list extended no-nat
 deny ip 10.100.1.0 0.0.0.255 10.16.0.0 0.0.255.255
 deny ip 10.100.1.0 0.0.0.255 host 22.214.171.124
 deny ip 10.100.1.0 0.0.0.255 host 126.96.36.199
 permit ip 10.100.1.0 0.0.0.255 any
(the final permit covers all other internet traffic, which is "split-tunneled" and sent through the site's ADSL internet connection)
route-map nonat permit 10
 match ip address no-nat
ip nat inside source route-map nonat interface Dialer0 overload
On ASA A, I set up a route statement saying that those internet sites can be reached via the "inside" interface and ASA B:
On ASA B, I set up a translation for traffic from the ASA A remote sites to get to the internet sites i.e. traffic from remote site 1 (10.100.1.0/24) should be translated to the public IP 188.8.131.52 for communications with the internet sites 184.108.40.206 and 220.127.116.11:
But this has not worked (as far as I can tell, the traffic to these internet sites is being sent by the remote site across the VPN tunnel to the datacentre, but then goes no further, i.e. it is not being sent out of ASA B and the internet connection to ISP B).
I've included a diagram to help illustrate the set-up.
The reason I want to be able to do this is that we have had problems recently with ISP A's internet transit. Our connectivity between DC and remote sites has remained up but they have had intermittent connectivity problems with the internet due to ISP A's internet transit problems. I thought that a workaround might be to redirect the more critical internet traffic via the ASA connected to ISP B, which hasn't been suffering the same problems.
Can anyone advise a) whether this is actually achievable and b) if so, what I need to configure to achieve it?
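The remote-site design above relies on the crypto ACL and the NAT-exemption ACL agreeing about every destination: IOS translates before it encrypts, so a flow the crypto ACL wants in the tunnel must be exempted from local NAT, and a flow left for the ADSL path must be translated. The following script is an added example, not part of the original post, that evaluates both ACLs with IOS wildcard-mask semantics and reports destinations where the two policies disagree; the private subnets are the post's own, while the two internet-site addresses are constructed documentation-range placeholders.

```python
import ipaddress

# Constructed sample values (not from the post): documentation-range addresses
# stand in for the two internet sites; the private subnets are the post's own.
SITE1 = "10.100.1.0 0.0.0.255"
DC = "10.16.0.0 0.0.255.255"
INET_1 = "203.0.113.10"   # placeholder for "Internet Site 1"
INET_2 = "198.51.100.20"  # placeholder for "Internet Site 2"

def to_network(spec):
    """Parse an IOS ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    parts = spec.split()
    if parts == ["any"]:
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    # An IOS wildcard is an inverted netmask: 0 bits must match, 1 bits are free.
    netmask = ~int(ipaddress.IPv4Address(parts[1])) & 0xFFFFFFFF
    return ipaddress.ip_network((parts[0], str(ipaddress.IPv4Address(netmask))), strict=False)

def acl_action(acl, src, dst):
    """First-match evaluation of an extended ACL, with the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_spec, dst_spec in acl:
        if src in to_network(src_spec) and dst in to_network(dst_spec):
            return action
    return "deny"

# Crypto ACL "dc-vpn": a permit means the flow is sent through the IPsec tunnel.
CRYPTO_ACL = [("permit", SITE1, DC),
              ("permit", SITE1, "host " + INET_1),
              ("permit", SITE1, "host " + INET_2)]
# ACL "no-nat" behind route-map nonat: a permit means the flow IS translated
# to the Dialer0 address, a deny exempts it from local NAT.
NONAT_ACL = [("deny", SITE1, DC),
             ("deny", SITE1, "host " + INET_1),
             ("deny", SITE1, "host " + INET_2),
             ("permit", SITE1, "any")]

def classify(src, dst, crypto_acl=CRYPTO_ACL, nonat_acl=NONAT_ACL):
    """Return (path, natted): path is 'tunnel' or 'local-internet'."""
    tunnelled = acl_action(crypto_acl, src, dst) == "permit"
    natted = acl_action(nonat_acl, src, dst) == "permit"
    return ("tunnel" if tunnelled else "local-internet", natted)

def find_mismatches(dsts, src="10.100.1.50", crypto_acl=CRYPTO_ACL, nonat_acl=NONAT_ACL):
    # IOS translates before it encrypts, so a tunnelled flow must not be NATted
    # and a locally routed flow must be; return the destinations violating this.
    results = {d: classify(src, d, crypto_acl, nonat_acl) for d in dsts}
    return [d for d, (path, natted) in results.items() if (path == "tunnel") == natted]
```

Adding a destination to the crypto ACL without a matching deny in "no-nat" shows up immediately as a mismatch, which is the configuration error that silently sends such traffic out in the clear instead of through the tunnel.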