Cisco Support Community
Community Member

How can I route internet traffic over IPSec point to point?

I have a remote site that connects by IPsec with the endpoints on a router and an ASA. The connection is working fine and the remote site can access my other networks at the main headquarters. The problem is, currently this remote site is accessing the internet via the same link that is supposed to VPN everything back to headquarters. I need to figure out how to VPN their internet traffic to my main headquarters. There's an iPrism behind the firewall to filter web access, so it seems like I need to point the remote site's default gateway to my routing device that's behind my iPrism?

Also, currently the outside interface on the remote site's router does not have an ACL applied; can someone suggest what that ACL should look like? Thank you for your help! Here is a sample configuration of the remote site's router:


crypto isakmp policy 20
(encryption parameters here)
crypto isakmp key password address x.x.x.x (Public ASA IP) no-xauth
crypto ipsec transform-set remotesite (encryption parameters here)
crypto ipsec df-bit clear
crypto map Mainsite 1 ipsec-isakmp
 set peer x.x.x.x (Public ASA IP)
 set transform-set remotesite
 match address 100
interface FastEthernet0/0
 description $ETH-LAN$
 ip address
 ip nbar protocol-discovery
interface FastEthernet0/1
 description ISP Interface
 ip address x.x.x.x (public IP)
 crypto map Mainsite
 crypto ipsec df-bit clear
ip route x.x.x.x (ISP's default gateway)
access-list 100 remark Access list Mainsite Access
access-list 100 permit ip
and other various headquarter networks...

Community Member

Also, I looked into split tunneling, but that's not really something I want to do (although it's being done now by accident). I want all of my internet traffic to go out from the main site's iPrism instead of going out locally from the remote site.

Mark, this is actually a typical requirement for many companies.


There are a few creative ways to solve this. In my opinion the easiest way would be to spin up a GRE tunnel at the remote site and terminate the other end of the GRE on another router behind the ASA firewall (since an ASA firewall cannot terminate GRE tunnels). Once the tunnel is built, route the subnet over the GRE tunnel using normal OSPF/EIGRP routing; from that point, traffic from the remote site will get routed through your network accordingly.

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog:
Community Member

Thanks for your advice, Steve. Do you think this is the only way to accomplish this? I don't currently have a router in place that I could use, but I'll consider it if it's the only way it can be done. Thanks again!

Also, just to make sure: you want the traffic to traverse this iPrism web filtering appliance first, right?


When the clients browse the web, is their traffic destined for the iPrism appliance and 'proxied' through, or are the clients sending their requests to the internet and the iPrism is operating in a layer 2 bridge type mode?

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog:
Community Member

Correct, I'd like the traffic to traverse the iPrism. The clients are going directly to the Internet and the iPrism just filters their access; they are not being proxied.

Hi Mark, you can modify your crypto ACL to permit any any on your remote site, which will make all traffic go through the tunnel. Then on the ASA you need to do hairpinning on the outside interface. This will make users on the remote site access the internet via HQ. But if you do it this way, the internet traffic goes straight to the internet without being filtered by your iPrism.

What I am not sure about is whether there is a way to do it if you want that traffic to be filtered by the iPrism before going out to the internet.


Community Member

Thank you all for the help! After doing some more research I realized that the internet traffic wasn't actually going out directly at the local link. I did a traceroute which made it appear it was, but the remote site's clients are actually using a proxy which is at my main headquarters and are being filtered by the iPrism. I don't know if we should try to transition away from using a proxy; I'm not sure if it's impacting the site's bandwidth. At least now I know how to configure the outside ACL to stop traffic from outside getting in. Thanks again!
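An added example, not from this thread, of what the two pieces discussed above could look like on the remote-site IOS router: a crypto ACL that sends all LAN traffic into the tunnel toward HQ (the permit-any approach mentioned earlier) and an inbound ACL on the ISP-facing interface that admits only the IPsec control and data traffic from the ASA peer. The ASA public address 192.0.2.1, the router's public address 203.0.113.2 and the LAN 10.10.10.0/24 are assumed placeholders standing in for the x.x.x.x values in the original post.

```cisco
! Added example, not from the thread. Assumed values:
!   192.0.2.1     = ASA public IP (x.x.x.x in the thread)
!   203.0.113.2   = remote router's own public IP
!   10.10.10.0/24 = remote-site LAN
!
! Crypto ACL: "any" as the destination pulls internet-bound traffic into
! the tunnel as well, instead of only the HQ subnets listed today.
access-list 100 remark Mainsite crypto ACL - send all LAN traffic to HQ
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
! Inbound ACL for the ISP interface: only IKE (UDP/500), NAT-T (UDP/4500)
! and ESP from the ASA peer are accepted; everything else is dropped
! and logged so unexpected hits show up in the router log.
ip access-list extended OUTSIDE-IN
 permit udp host 192.0.2.1 host 203.0.113.2 eq isakmp
 permit udp host 192.0.2.1 host 203.0.113.2 eq non500-isakmp
 permit esp host 192.0.2.1 host 203.0.113.2
 deny ip any any log
!
interface FastEthernet0/1
 description ISP Interface
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map Mainsite
```

On IOS releases that re-check decrypted packets against the inbound interface ACL, permits for the HQ subnets toward 10.10.10.0/24 would also be needed. Traffic sourced by the router itself (for example DNS or NTP it sends out the ISP link) is not covered by the crypto ACL, so replies to it need explicit permits as well.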
