How can I route internet traffic over IPSec point to point?
I have a remote site that connects by IPSEC with the end points on a router and ASA. The connection is working fine and the remote site can access my other networks at the main headquarters. The problem is, currently this remote site is accessing the internet via the same link that is supposed to VPN everything back to headquarters. I need to figure out how to VPN their internet traffic to my main headquarters. There's an IPrism behind the firewall to filter web access so it seems like I need to point the remote sites default gateway to my routing device that's behind my Iprism?
Also, currently the outside interface on the remote site's router does not have an ACL applied, can someone suggest what that ACl should look like? Thank you for your help! Here is a sample configuration of the remote site's router:
crypto isakmp policy 20 (encryption parameters here) crypto isakmp key password address x.x.x.x (Public ASA IP) no-xauth ! ! crypto ipsec transform-set remotesite (encryption parameters here) crypto ipsec df-bit clear ! ! crypto map Mainsite 1 ipsec-isakmp set peer x.x.x.x (Public ASA IP) set transform-set remotesite match address 100 ! interface FastEthernet0/0 description $ETH-LAN$ ip address 10.1.1.1 255.255.0.0 ip nbar protocol-discovery ! interface FastEthernet0/1 description ISP Interface ip address x.x.x.x (public IP) 255.255.255.0 crypto map Mainsite crypto ipsec df-bit clear ! ip route 0.0.0.0 0.0.0.0 x.x.x.x (ISP's default gateway) ! access-list 100 remark Access list Mainsite Access access-list 100 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255 and other various headquarter networks...
Also, I looked into Split Tunneling but that's not really something I want to do, (although it's being done now by accident). I want all of my internet traffic to go out from the Main site's Iprism instead of going out locally from the remote site.
Mark this is actually a typical requirement for many companies.
There are few creative ways to solve this, in my opinion the easiest way would be to spin a GRE tunnel at the remote site and terminate other end the GRE to another router behind the ASA firewall (since an ASA firewall can not terminate GRE tunnels), once the tunnel is build route the subnet over the GRE tunnel using normal OSPF/EIGRP routing, from that point traffic from the remote site will get routed through your network accordingly.
Thanks for your advice Steve. Do you think this is the only way to accomplish this? I don't currently have a router in place that I could use but I'll consider it if it's the only way it can be done. Thanks again!
Also just to make sure, you want the traffic to traverse this iPrism web filtering appliance first right?
When the clients browse the web is their traffic destined for the iPrism appliance and 'proxied' through or are the clients sending thier request to the internet and the iPrism is operating in a layer 2 bridge type mode?
Hi Mark, you can modify your crypto acl to permit any any on your remote site which will make all traffic goes through the tunnel. Then on ASA you need to do hairpinning on the outside interface. This will make users on remote site to access internet via HQ. But if you do it this way the internet traffic goes straight to internet without having them filtered by your iPrism.
What I am not sure about is if there is a way to do it if you want those traffics to be filtered by the iPrism before going out to internet.
Thank you all for the help! After doing some more research I realized that the internet wasn't actually going out directly at the local link. I did a traceroute which made it appear it was but the remote site's clients are actually using a proxy which is at my main headquarters and being fitlered by the IPrism. I don't know if we should try to transition away from using a proxy, not sure if it's impacting the site's bandwidth. At least now I know how to configure the outside ACL to stop traffic from outside getting in. Thanks again!
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...