We have a hub-and-spoke design of IPsec with GRE between 1811 spokes and 7206VXR head ends. We have a "single tunnel", meaning no split tunneling is configured, so users behind the spoke routers get to the Internet all the way through the core of the network. We accomplish this with GRE inside of IPsec using IPs from a /30 on both ends of the GRE tunnel and loopback IPs assigned as tunnel source and tunnel destination on each end of the GRE tunnel. We assign a route-map under the tunnel interface on the head end side that forces the traffic back through the core of the network and out of a firewall that is NATing all traffic to the Internet. Here is an example.
interface Tunnel10111
 description Tunnel 1 to Corp Branch
 ip address 10.4.224.33 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip policy route-map UNENCRYPTED
 keepalive 10 5
 tunnel source 10.4.215.2
 tunnel destination 10.4.220.9
end
interface Tunnel1
 description Tunnel 1 to Corp Data Center1 - HE1
 ip address 10.4.224.34 255.255.255.252
 ip mtu 1400
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
 keepalive 10 5
 tunnel source 10.4.220.9
 tunnel destination 10.4.215.2
end
Now we have another device that won't correctly allow us to define a GRE interface with loopback source and destination, so we decided to drop the GRE and go straight IPsec. IPsec all works correctly. The problem is that now the traffic arrives at the head end and is sent back out of the head end's default route to the Internet instead of being forced through the core to the firewall, which should be the only egress interface to the Internet.
How do I force the traffic coming from this spoke back through the core now? I want to use a route-map, but what would that look like?
I have applied this to see if I can force the VPN traffic from the spoke to the appropriate next hop, but I get zero matches on my ACL. The Gig0/2 interface does not see this traffic. How can I see it?
ip access-list extended To_Internet
 permit ip 10.4.136.0 0.0.0.255 any
 permit icmp 10.4.136.0 0.0.0.255 any
route-map 101traffic permit 10
 match ip address To_Internet
 set ip next-hop 10.4.210.14
interface GigabitEthernet0/2
 description connected to Corporate Backbone
 ip address 10.4.210.3 255.255.255.240
 ip wccp 12 redirect out
 ip policy route-map 101traffic
 ip ospf authentication message-digest
 ip ospf authentication-key xxxxxxx
 ip ospf priority 100
 duplex full
 speed 1000
 media-type rj45
 no negotiation auto
 no cdp enable
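Added example, not part of the original post: where the policy has to sit for it to act on the decrypted spoke traffic. On IOS, `ip policy route-map` is only evaluated for packets received on the interface it is applied to. Gig0/2 is the interface the head end sends traffic out of toward the core, so a policy there never sees packets that arrive from the IPsec peer, which is why the ACL shows zero matches. With a crypto-map tunnel (no GRE, no tunnel interface) the decrypted packets are processed as if received on the interface that carries the crypto map, so that is where the route-map belongs. The ACL, route-map and next hop below are the ones from the post; the Internet-facing interface name GigabitEthernet0/1 and the crypto map name SPOKE_MAP are assumptions.

```cisco
! Added example: PBR for decrypted IPsec spoke traffic on the head end.
! Assumptions (not from the post): the Internet/peer-facing interface is
! GigabitEthernet0/1 and the existing crypto map applied there is SPOKE_MAP.
!
! Match only the spoke LAN, so Internet-sourced traffic arriving on the same
! interface is not policy-routed into the core by mistake.
ip access-list extended To_Internet
 permit ip 10.4.136.0 0.0.0.255 any
!
! 10.4.210.14 sits in Gig0/2's subnet (10.4.210.0/28), so it is a directly
! connected next hop, which is what set ip next-hop expects.
route-map 101traffic permit 10
 match ip address To_Internet
 set ip next-hop 10.4.210.14
!
! Apply the policy on the interface the spoke packets enter. After
! decryption they are treated as received here, so the route-map is
! evaluated and the traffic is forwarded toward the core firewall instead
! of following the default route.
interface GigabitEthernet0/1
 description Internet / IPsec peer facing
 crypto map SPOKE_MAP
 ip policy route-map 101traffic
!
! Traffic toward the core is transmitted on Gig0/2, never received on it,
! so a policy there can never match. Remove it to avoid confusion.
interface GigabitEthernet0/2
 no ip policy route-map 101traffic
```

To confirm the policy is being hit, `show route-map 101traffic` reports "Policy routing matches" with packet and byte counters that should now increase as the spoke sends traffic; `show crypto ipsec sa` should show the decaps counter for the spoke's SA rising at the same time, and `debug ip policy` (in a maintenance window, since it logs per packet) prints each policy-routed packet with the next hop chosen. Note that `ip policy` only affects transit traffic; packets the head end itself originates are governed by `ip local policy`, which is not needed here. If the remote device can negotiate an any-to-any proxy, a static VTI (`interface Tunnel` with `tunnel mode ipsec ipv4`) would let the original per-tunnel route-map design be kept unchanged; a crypto-map peer with specific proxy ACLs cannot terminate on one.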