Cisco Support Community
New Member

Ipsec and internet traffic

I have a request from one of our customers. We have 2 sites, let's say site A and site B, connected via an IPsec VPN on 2 Cisco ASA 5512s.

The customer wants anyone on site A to use site B's internet connection, NOT their local internet connection. Can this be done? Can I send traffic that's destined for the internet over the VPN so it uses site B's internet?

This is a strange setup and I'm not sure if this can even be done. Any input would be great.

VIP Purple

As with many requests, you should ask the customer what he wants to achieve with that change. Doing it the proposed way (just sending the internet traffic through the VPN to send it to the internet) doesn't give you any benefit. There are many alternatives that would give you benefits. Just to name three:

  1. Deploy an ASA-CX on the branch ASA (and potentially the central ASA) and send the internet traffic directly out. This gives you better web security and you don't eat up the bandwidth at the central location.
  2. Deploy a local proxy at the main site and configure the branch-PCs to use this proxy which gives you a central control of Web-surfing.
  3. Deploy Cisco Cloud Web Security with connectors on both ASAs. Gives you web-security on both sites and also for all your remote-access-PCs.

If you don't want to spend much extra money, solution 2) would be my preferred option. For doing it the customer's way (if you are afraid of discussing it with the customer), then you have to modify the crypto ACL to include "any" as the destination on the branch ASA and as a source on the central ASA, allow same-security-traffic intra-interface and configure NAT/PAT from outside to outside.
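The three changes in the last paragraph, written out as an added example (not from the original thread). It assumes ASA 8.3+ NAT syntax, a crypto map named OUTSIDE_MAP, the site A LAN 10.1.0.0/16 and the site B LAN 10.2.0.0/16; all object and ACL names are hypothetical.

```cisco
! ---- Branch ASA (site A) ----
! Crypto ACL: everything from the site A LAN, to ANY destination, is sent through the tunnel
access-list VPN-TO-SITEB extended permit ip 10.1.0.0 255.255.0.0 any
crypto map OUTSIDE_MAP 10 match address VPN-TO-SITEB
! Identity NAT so branch hosts are not PATed to the branch outside address before encryption
object network SITEA-LAN
 subnet 10.1.0.0 255.255.0.0
nat (inside,outside) source static SITEA-LAN SITEA-LAN

! ---- Central ASA (site B) ----
! Mirror of the branch crypto ACL: ANY source is interesting traffic when the destination is site A
access-list VPN-TO-SITEA extended permit ip any 10.1.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address VPN-TO-SITEA
! Allow decrypted traffic to leave through the same interface it arrived on (hairpin / U-turn)
same-security-traffic permit intra-interface
! Branch <-> site B LAN traffic stays un-NATed (twice NAT, evaluated before object NAT)
object network SITEB-LAN
 subnet 10.2.0.0 255.255.0.0
object network SITEA-LAN
 subnet 10.1.0.0 255.255.0.0
nat (inside,outside) source static SITEB-LAN SITEB-LAN destination static SITEA-LAN SITEA-LAN
! Branch -> internet traffic is PATed to the central outside address (outside to outside)
object network SITEA-LAN-INTERNET
 subnet 10.1.0.0 255.255.0.0
 nat (outside,outside) dynamic interface
! To verify: "show crypto ipsec sa" (encaps/decaps counters on both ASAs) and
! "show nat" on the central ASA (translate_hits on the outside,outside rule)
```

Site B's existing PAT rule for its own LAN is assumed to already exist and is not shown. Both crypto ACLs must mirror each other exactly, otherwise the tunnel negotiates a narrower proxy identity and internet-bound packets are dropped at the branch.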
