Can I re-route internet traffic for site-to-site VPNs terminating on one ASA out through a different ASA?

This may sound like a strange thing to want to do in the first place but please bear with me!  Here is the scenario:

I have an ASA (ASA A) in my datacentre connected to ISP A.  I have a number of remote sites (also connected to ISP A) with IPSEC VPN connections to the datacentre terminating on ASA A.  At the moment, the remote sites are configured to split-tunnel, i.e. datacentre traffic is sent through the IPSEC VPN tunnel and internet traffic is sent direct to the internet through each site's individual ADSL connection (via ISP A).

I also have another ASA (ASA B) in my datacentre connected to ISP B.  Is it possible for me to reroute internet traffic from these remote sites (or at least traffic to a few specific internet addresses) out through ASA B and the connection to ISP B?  If so, how can this be achieved?

Remote Site 1 Subnet 10.100.1.0/24

Datacentre Inside Subnet 10.16.0.0/16
ASA A - Inside 10.16.0.5
ASA B - Inside 10.16.0.10

Internet Site 1 - 8.8.8.8
Internet Site 2 - 8.8.4.4


I've tried the following at the Remote Site 1:

Defined interesting traffic for VPN tunnel to include traffic to the internet sites i.e.:

ip access-list extended dc-vpn
permit ip 10.100.1.0 0.0.0.255 10.16.0.0 0.0.255.255
permit ip 10.100.1.0 0.0.0.255 host 8.8.8.8
permit ip 10.100.1.0 0.0.0.255 host 8.8.4.4

Configured "no-nat" ACL on Remote site router NOT to NAT traffic to these internet sites (because instead it will be NAT'd when it goes out through ASA B's internet connection)

ip access-list extended no-nat
deny ip 10.100.1.0 0.0.0.255 10.16.0.0 0.0.255.255
deny ip 10.100.1.0 0.0.0.255 host 8.8.8.8
deny ip 10.100.1.0 0.0.0.255 host 8.8.4.4
permit ip 10.100.1.0 0.0.0.255 any
(all other internet traffic "split-tunneled" and sent through site's ADSL internet connection)

route-map nonat permit 10
 match ip address no-nat
ip nat inside source route-map nonat interface Dialer0 overload


On ASA A, I set up route statements to say those internet sites can be found via the "inside" interface and ASA B:

route inside 8.8.8.8 255.255.255.255 10.16.0.10 1
route inside 8.8.4.4 255.255.255.255 10.16.0.10 1

On ASA B, I set up a translation for traffic from the ASA A remote sites to get to the internet sites i.e. traffic from remote site 1 (10.100.1.0/24) should be translated to the public IP 2.2.2.7 for communications with the internet sites 8.8.4.4 and 8.8.8.8:

object network obj-remote-site1
subnet 10.100.1.0 255.255.255.0
!
object network obj-internet-trans
host 2.2.2.7
!
object network obj-internet-site1
host 8.8.8.8
!
object network obj-internet-site2
host 8.8.4.4
!
nat (outside,outside) source dynamic obj-remote-site1 obj-internet-trans destination static obj-internet-site1 obj-internet-site1
!
nat (outside,outside) source dynamic obj-remote-site1 obj-internet-trans destination static obj-internet-site2 obj-internet-site2

 

But this has not worked (as far as I can tell, the traffic to these internet sites is being sent by the remote site across the VPN tunnel to the datacentre but then goes no further, i.e. it is not being sent out of ASA B and the internet connection to ISP B).

I've included a diagram to help illustrate the set-up.

The reason I want to be able to do this is that we have had problems recently with ISP A's internet transit.  Our connectivity between DC and remote sites has remained up but they have had intermittent connectivity problems with the internet due to ISP A's internet transit problems.  I thought that a workaround might be to redirect the more critical internet traffic via the ASA connected to ISP B, which hasn't been suffering the same problems.

Can anyone advise a) if this is actually achievable and, if so, what I need to configure to achieve it?

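As an added worked example (not part of the original post and not Cisco code), the script below models the two classification steps the Remote Site 1 router performs on every outbound flow with the ACLs exactly as posted: does the crypto ACL select the flow for the tunnel, and does the `ip nat inside source route-map nonat` statement translate it. It also encodes one general ASA fact worth checking against the ASA B rules: a twice-NAT rule `nat (real_ifc,mapped_ifc) ...` is consulted only for connections entering on the real interface and leaving on the mapped one. The source hosts 10.100.1.10 and 192.168.9.9 and the destination 1.1.1.1 are constructed sample values; the assumption that traffic forwarded by ASA A to 10.16.0.10 arrives on ASA B's "inside" interface follows from that being ASA B's inside address.

```python
"""Classify Remote Site 1 flows against the posted crypto and no-nat ACLs, and
check the interface pair of an ASA twice-NAT rule against a packet path.
Added example; sample hosts other than those in the post are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # "10.100.1.0 0.0.0.255", "host 8.8.8.8" or "any"
    dst: str


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def _match_addr(spec, addr):
    """Match an address against an IOS address spec: any | host X | net wildcard."""
    parts = spec.split()
    if parts == ["any"]:
        return True
    if parts[0] == "host":
        return _ip(addr) == _ip(parts[1])
    net, wildcard = parts
    mask = ~_ip(wildcard) & 0xFFFFFFFF  # a 1 bit in the wildcard means "don't care"
    return (_ip(addr) & mask) == (_ip(net) & mask)


def _take_spec(tokens, i):
    """Consume one address spec starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return "host " + tokens[i + 1], i + 2
    return tokens[i] + " " + tokens[i + 1], i + 2


def parse_acl(text):
    """Parse the 'permit|deny ip <src> <dst>' lines of an IOS extended ACL."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue  # 'ip access-list extended ...' header, blank line or comment
        src, i = _take_spec(tokens, 2)
        dst, _ = _take_spec(tokens, i)
        entries.append(AclEntry(tokens[0], src, dst))
    return entries


def acl_action(entries, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in entries:
        if _match_addr(e.src, src) and _match_addr(e.dst, dst):
            return e.action
    return "deny"


# ACLs exactly as posted for Remote Site 1
CRYPTO_ACL = parse_acl("""
ip access-list extended dc-vpn
permit ip 10.100.1.0 0.0.0.255 10.16.0.0 0.0.255.255
permit ip 10.100.1.0 0.0.0.255 host 8.8.8.8
permit ip 10.100.1.0 0.0.0.255 host 8.8.4.4
""")

NO_NAT_ACL = parse_acl("""
ip access-list extended no-nat
deny ip 10.100.1.0 0.0.0.255 10.16.0.0 0.0.255.255
deny ip 10.100.1.0 0.0.0.255 host 8.8.8.8
deny ip 10.100.1.0 0.0.0.255 host 8.8.4.4
permit ip 10.100.1.0 0.0.0.255 any
""")


def classify_remote_flow(src, dst):
    """Return (sent_through_vpn, natted_on_dialer) for a flow leaving Remote Site 1.
    'ip nat inside source route-map nonat ... overload' translates only flows the
    route-map matches, i.e. flows the no-nat ACL permits; denied flows go untranslated."""
    in_tunnel = acl_action(CRYPTO_ACL, src, dst) == "permit"
    natted = acl_action(NO_NAT_ACL, src, dst) == "permit"
    return in_tunnel, natted


def asa_nat_rule_applies(rule_ifaces, ingress, egress):
    """An ASA twice-NAT rule 'nat (real_ifc,mapped_ifc) source ...' is consulted only
    for connections entering on real_ifc and leaving on mapped_ifc ('any' matches
    either side), so the pair must describe the path the packets actually take."""
    real_ifc, mapped_ifc = rule_ifaces
    return real_ifc in ("any", ingress) and mapped_ifc in ("any", egress)


if __name__ == "__main__":
    for dst in ("10.16.3.4", "8.8.8.8", "1.1.1.1"):
        print(dst, classify_remote_flow("10.100.1.10", dst))
    # Assumption: packets ASA A routes to 10.16.0.10 enter ASA B on "inside"
    print("(outside,outside) rule on an inside->outside flow:",
          asa_nat_rule_applies(("outside", "outside"), "inside", "outside"))
```

Running it shows the remote-site half of the design behaving as intended: datacentre and 8.8.8.8 / 8.8.4.4 traffic is selected for the tunnel and left untranslated, while other internet traffic is split-tunnelled and NATed on Dialer0. The last line is the check to repeat against the ASA B rules: whichever interface the forwarded packets really arrive on, the NAT rule's interface pair has to name that ingress interface (or `any`), otherwise the rule is never consulted and the packets are not translated on the way to ISP B.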