How can I route internet traffic over IPSec point to point?

Mark Mattix
Level 2

I have a remote site that connects by IPsec with the endpoints on a router and an ASA. The connection is working fine and the remote site can access my other networks at the main headquarters. The problem is, currently this remote site is accessing the internet via the same link that is supposed to VPN everything back to headquarters. I need to figure out how to VPN their internet traffic to my main headquarters. There's an iPrism behind the firewall to filter web access, so it seems like I need to point the remote site's default gateway to my routing device that's behind my iPrism?

Also, currently the outside interface on the remote site's router does not have an ACL applied. Can someone suggest what that ACL should look like? Thank you for your help! Here is a sample configuration of the remote site's router:

crypto isakmp policy 20
(encryption parameters here)
crypto isakmp key password address x.x.x.x (Public ASA IP) no-xauth
!
!
crypto ipsec transform-set remotesite (encryption parameters here)
crypto ipsec df-bit clear
!
!
crypto map Mainsite 1 ipsec-isakmp
 set peer x.x.x.x (Public ASA IP)
 set transform-set remotesite
 match address 100
!
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 10.1.1.1 255.255.0.0
 ip nbar protocol-discovery
!
interface FastEthernet0/1
 description ISP Interface
 ip address x.x.x.x (public IP) 255.255.255.0
 crypto map Mainsite
 crypto ipsec df-bit clear
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x (ISP's default gateway)
!
access-list 100 remark Access list Mainsite Access
access-list 100 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
and other various headquarter networks...
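The outside-interface ACL asked about above, as an added example that is not part of the original post. It assumes the same placeholders as the posted config (x.x.x.x for the ASA's public IP, FastEthernet0/1 as the ISP interface) and that the only traffic the ISP interface needs to accept unsolicited is the VPN itself; the ACL name OUTSIDE-IN is my choice. One IOS-specific caveat is built in: IOS evaluates decrypted packets against the inbound ACL as well, so the HQ-to-remote-site entry is needed or IKE will come up while the decrypted traffic is dropped.

```text
! Added example: inbound ACL for the ISP-facing interface of the remote router.
! x.x.x.x is the ASA's public IP, the same placeholder the posted config uses.
ip access-list extended OUTSIDE-IN
 remark IKE (UDP 500), NAT-T (UDP 4500) and ESP from the HQ ASA only
 permit udp host x.x.x.x eq isakmp any eq isakmp
 permit udp host x.x.x.x eq non500-isakmp any eq non500-isakmp
 permit esp host x.x.x.x any
 remark IOS also checks decrypted packets against this ACL: permit HQ to remote site
 permit ip 10.3.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 remark Add one line per additional headquarters network listed in ACL 100
 remark ICMP replies so ping/traceroute from the router and PMTU discovery keep working
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark Everything else arriving from the internet is dropped and logged
 deny ip any any log
!
interface FastEthernet0/1
 ip access-group OUTSIDE-IN in
```

Check it with `show ip access-lists OUTSIDE-IN` after the tunnel has passed traffic in both directions: the ESP and the 10.3.0.0/16 entries should both show hit counts, and the deny line should show only unsolicited internet noise.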

Mark Mattix
Level 2

Also, I looked into split tunneling but that's not really something I want to do (although it's being done now by accident). I want all of my internet traffic to go out from the main site's iPrism instead of going out locally from the remote site.

Mark, this is actually a typical requirement for many companies.

There are a few creative ways to solve this. In my opinion the easiest way would be to spin up a GRE tunnel at the remote site and terminate the other end of the GRE tunnel on another router behind the ASA firewall (since an ASA firewall cannot terminate GRE tunnels). Once the tunnel is built, route the subnet over the GRE tunnel using normal OSPF/EIGRP routing; from that point traffic from the remote site will get routed through your network accordingly.

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/
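The GRE-over-IPsec design described in the reply above, as an added example that is not from the thread. The addresses are assumptions: the HQ router behind the ASA has inside address 10.3.0.2 on FastEthernet0/0, the ASA's inside interface is 10.3.0.1, the tunnel link is 172.16.0.0/30 and the EIGRP AS is 100; x.x.x.x and `<ISP gateway>` are the placeholders from the posted config. Because the tunnel endpoints are 10.1.1.1 and 10.3.0.2, the GRE packets already match the posted crypto ACL 100 and are carried inside the existing IPsec SA, so the crypto map needs no change. The host routes on both ends keep the tunnel endpoint and the IPsec peer from being routed into the tunnel itself, which would otherwise flap it.

```text
! Added example. Remote router: GRE tunnel to the HQ router behind the ASA.
! 172.16.0.0/30, 10.3.0.2 and EIGRP AS 100 are assumptions; x.x.x.x and
! <ISP gateway> are the placeholders used in the posted config.
interface Tunnel0
 description GRE to HQ router (rides inside the existing IPsec SA)
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 10.3.0.2
!
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 172.16.0.0 0.0.0.3
 passive-interface FastEthernet0/0
 no auto-summary
!
! Host routes so the GRE endpoint and the IPsec peer are never reached through
! the tunnel itself (recursive routing). The static default to the ISP is
! removed on purpose: the default now comes from HQ over the tunnel, and if the
! tunnel is down the site has no internet rather than unfiltered internet.
ip route 10.3.0.2 255.255.255.255 <ISP gateway>
ip route x.x.x.x 255.255.255.255 <ISP gateway>
no ip route 0.0.0.0 0.0.0.0 <ISP gateway>

! HQ router behind the ASA (FastEthernet0/0 = 10.3.0.2, ASA inside = 10.3.0.1,
! both assumed).
interface Tunnel0
 description GRE from remote site
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 10.1.1.1
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0
!
router eigrp 100
 network 172.16.0.0 0.0.0.3
 no auto-summary
!
! The remote tunnel endpoint is reached through the ASA/IPsec, not the tunnel,
! so the /32 must beat the 10.1.0.0/16 learned over Tunnel0. Everything else,
! including the remote site's web traffic, goes to the ASA through the
! inline iPrism.
ip route 10.1.1.1 255.255.255.255 10.3.0.1
ip route 0.0.0.0 0.0.0.0 10.3.0.1
```

On the ASA nothing changes for the VPN itself (the decrypted GRE between 10.1.1.1 and 10.3.0.2 is already exempt from NAT and, with the default `sysopt connection permit-vpn`, bypasses the outside ACL). What it does need is an ordinary dynamic NAT/PAT rule for 10.1.0.0/16 on the inside interface, because the remote site's internet traffic now arrives on inside like any HQ host's; the syntax depends on the ASA version, and no hairpinning is involved. Verify with `show ip eigrp neighbors` on either router and `show ip route 0.0.0.0` on the remote router, which should point at Tunnel0.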

Thanks for your advice Steve. Do you think this is the only way to accomplish this? I don't currently have a router in place that I could use but I'll consider it if it's the only way it can be done. Thanks again!

Also, just to make sure, you want the traffic to traverse this iPrism web filtering appliance first, right?

When the clients browse the web, is their traffic destined for the iPrism appliance and 'proxied' through, or are the clients sending their request to the internet and the iPrism is operating in a layer 2 bridge type mode?

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/

Correct, I'd like the traffic to traverse the iPrism. The clients are going directly to the Internet and the iPrism just filters their access, not being proxied.

Hi Mark, you can modify your crypto ACL to permit any any on your remote site, which will make all traffic go through the tunnel. Then on the ASA you need to do hairpinning on the outside interface. This will make users on the remote site access the internet via HQ. But if you do it this way the internet traffic goes straight to the internet without being filtered by your iPrism.

What I am not sure about is if there is a way to do it if you want that traffic to be filtered by the iPrism before going out to the internet.

HTH
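The crypto-ACL-plus-hairpin approach from the reply above, as an added example that is not from the thread. It assumes ASA 8.3 or later NAT syntax, that the ASA's crypto map is named OUTSIDE_MAP with this site at sequence 10, and the object names shown; the remote router keeps the posted config apart from ACL 100. As the reply says, the hairpinned traffic turns around on the outside interface and never crosses inside, so the iPrism never sees it: this gives the remote site HQ's public address, not HQ's filtering.

```text
! Added example. Remote router: make the crypto ACL match all traffic from the site
! instead of only the HQ networks, so nothing leaves in the clear.
no access-list 100 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 100 permit ip 10.1.0.0 0.0.255.255 any

! HQ ASA (8.3+ NAT syntax assumed; OUTSIDE_MAP, sequence 10 and the object
! names are assumptions).
! 1. Mirror the remote crypto ACL so the SA proposal is accepted.
access-list REMOTE_SITE_VPN extended permit ip any 10.1.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address REMOTE_SITE_VPN
! 2. Allow decrypted traffic that arrived on outside to leave on outside.
same-security-traffic permit intra-interface
! 3. Keep HQ-to-remote traffic un-NATed (manual NAT is evaluated first), then
!    PAT everything else from the remote site to the outside address as it
!    hairpins back out to the internet.
object network HQ_NETS
 subnet 10.3.0.0 255.255.0.0
object network REMOTE_SITE
 subnet 10.1.0.0 255.255.0.0
nat (inside,outside) source static HQ_NETS HQ_NETS destination static REMOTE_SITE REMOTE_SITE
object network REMOTE_SITE_INTERNET
 subnet 10.1.0.0 255.255.0.0
 nat (outside,outside) dynamic interface
```

Confirm the behaviour with `show crypto ipsec sa` on the remote router (the SA's local/remote identities should now read 10.1.0.0/16 to 0.0.0.0/0) and `show xlate` on the ASA, which should list 10.1.x.x hosts translated to the outside address for internet destinations only.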

Mark Mattix
Level 2

Thank you all for the help! After doing some more research I realized that the internet wasn't actually going out directly at the local link. I did a traceroute which made it appear it was, but the remote site's clients are actually using a proxy which is at my main headquarters and being filtered by the iPrism. I don't know if we should try to transition away from using a proxy, not sure if it's impacting the site's bandwidth. At least now I know how to configure the outside ACL to stop traffic from outside getting in. Thanks again!