Modifying VPN configuration to pass web traffic through tunnel

We've recently had a couple of changes to our network configuration, one of which was the removal of our proxy server at our main site; it has been replaced with a web filtering appliance that is connected to our core switch behind our ASA firewall. We currently have a remote site connected to the main site's ASA (5520) firewall via a site-to-site VPN through a Cisco 860 router.

As it is, it appears that traffic going out to the internet wants to route directly through the public interface on the router rather than using the VPN tunnel. I've tried a few things, but being completely new to router configuration, I'm having trouble getting this to work.

What I tried was to add a permit entry to the access list used by the crypto map for any destination address and add a deny entry to the nonat route-map for any destination address:

access-list 101 permit ip 172.16.54.0 0.0.0.63 any

access-list 110 deny ip 172.16.54.0 0.0.0.63 any

Below is some basic info and our running config as it was before I attempted any changes:

main site gateway/vlan: 172.16.4.1  / 172.16.4.0/255.255.252.0

main site external ip for site-to-site vpn access: 72.10.102.34

remote site gateway/vlan: 172.16.54.1 / 172.16.54.0/255.255.255.192

remote site external ip for site-to-site: 137.99.144.102

~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.08.05 18:19:56 =~=~=~=~=~=~=~=~=~=~=~=

eosvpn02.sa.uconn.edu#show running-configuration
Building configuration...

Current configuration : 8849 bytes
!
! Last configuration change at 15:00:54 PCTime Mon Aug 5 2013 by eosadmin
! NVRAM config last updated at 14:52:01 PCTime Mon Aug 5 2013 by eosadmin
! NVRAM config last updated at 14:52:01 PCTime Mon Aug 5 2013 by eosadmin
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname eosvpn02.sa.uconn.edu
!
boot-start-marker
boot system flash c860-universalk9-mz.152-3.T.bin
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1791480348
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1791480348
 revocation-check none
 rsakeypair TP-self-signed-1791480348
!
!
crypto pki certificate chain TP-self-signed-1791480348
 certificate self-signed 01
...
  quit
no ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 lease 0 2
!
!
!
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
no ip bootp server
no ip domain lookup
ip domain name eosmith.net
ip cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
license ...
!
!
archive
 log config
  hidekeys
username eosadmin privilege 15 secret ...
!
!
ip tcp synwait-time 10
ip tftp source-interface Vlan1
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
crypto isakmp key ... address 72.10.102.34
!
!
crypto ipsec transform-set asa-set esp-aes 192 esp-sha-hmac
!
!
!
crypto map asa 10 ipsec-isakmp
 set peer 72.10.102.34
 set transform-set asa-set
 match address 101
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 137.99.144.102 255.255.252.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip inspect CCP_LOW out
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
 crypto map asa
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 172.16.54.1 255.255.255.192
 ip helper-address 172.16.4.3
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1300
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 137.99.144.1
!
access-list 1 remark HTTP Access-class list
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 172.16.54.0 0.0.0.63
access-list 1 permit 172.16.4.0 0.0.3.255
access-list 1 deny   any
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip 172.16.54.0 0.0.0.63 172.16.4.0 0.0.3.255
access-list 101 permit icmp 172.16.54.0 0.0.0.63 172.16.4.0 0.0.3.255
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 remark Auto generated by CCP for NTP (123) 172.16.4.2
access-list 103 permit udp host 172.16.4.2 eq ntp host 137.99.144.102 eq ntp
access-list 103 permit ahp host 72.10.102.34 host 137.99.144.102
access-list 103 permit esp host 72.10.102.34 host 137.99.144.102
access-list 103 permit udp host 72.10.102.34 host 137.99.144.102 eq isakmp
access-list 103 permit udp host 72.10.102.34 host 137.99.144.102 eq non500-isakmp
access-list 103 deny   ip 172.16.54.0 0.0.0.63 any
access-list 103 permit icmp any host 137.99.144.102 echo-reply
access-list 103 permit icmp any host 137.99.144.102 time-exceeded
access-list 103 permit icmp any host 137.99.144.102 unreachable
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 110 deny   ip 172.16.54.0 0.0.0.63 172.16.4.0 0.0.3.255
access-list 120 deny   ip any any
no cdp run
route-map nonat permit 10
 match ip address 110
!
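To see how the 860 will classify outbound traffic under the configuration above, here is an added Python model (not from the post or from Cisco) that parses the extended ACL entries behind the crypto map (101) and the nonat route-map (110) and applies the IOS inside-to-outside order, NAT before crypto. The third scenario, NAT_FIRST, is constructed to show why the deny entry in ACL 110 must come before any permit: once the source is translated to the FastEthernet4 address, the crypto ACL no longer matches. The 172.16.x and 137.99.144.102 addresses are taken from the post; the destination 203.0.113.10 and the NAT_FIRST permit line are constructed.

```python
import ipaddress
OUTSIDE_IP = ipaddress.ip_address("137.99.144.102")  # FastEthernet4 address from the post

def _net(tokens):
    """Consume one IOS address spec: 'any' or 'A.B.C.D WILDCARD' (1-bits = don't care)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    mask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((tok, mask), strict=False)

def parse_acls(text):
    """Parse 'access-list N permit|deny ip|icmp SRC DST' lines, preserving order per ACL."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] == "remark":
            continue
        rest = t[4:]
        src, dst = _net(rest), _net(rest)  # evaluated left to right: source, then destination
        acls.setdefault(t[1], []).append((t[2], t[3], src, dst))
    return acls

def acl_permits(aces, src, dst, proto="ip"):
    """First match wins; no match means the implicit deny at the end of the ACL."""
    for action, p, s, d in aces:
        if p in ("ip", proto) and src in s and dst in d:
            return action == "permit"
    return False

def classify(acls, src, dst):
    """Inside-to-outside NAT runs before the crypto map, so ACL 101 sees the post-NAT source."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    natted = acl_permits(acls.get("110", []), src, dst)  # route-map nonat, match ip address 110
    if natted:
        src = OUTSIDE_IP
    return {"nat": natted, "tunnel": acl_permits(acls.get("101", []), src, dst)}

# Crypto ACL 101 and NAT route-map ACL 110 as posted, then the poster's two proposed lines.
ORIGINAL = """access-list 101 permit ip 172.16.54.0 0.0.0.63 172.16.4.0 0.0.3.255
access-list 101 permit icmp 172.16.54.0 0.0.0.63 172.16.4.0 0.0.3.255
access-list 110 deny   ip 172.16.54.0 0.0.0.63 172.16.4.0 0.0.3.255"""
PROPOSED = ORIGINAL + """
access-list 101 permit ip 172.16.54.0 0.0.0.63 any
access-list 110 deny   ip 172.16.54.0 0.0.0.63 any"""
# Constructed contrast: ACL 110 translates Internet-bound traffic and the full-tunnel
# crypto entry exists, but the nonat deny-any is missing, so NAT wins.
NAT_FIRST = ORIGINAL + """
access-list 110 permit ip 172.16.54.0 0.0.0.63 any
access-list 101 permit ip 172.16.54.0 0.0.0.63 any"""
```

The model covers only the 860's own classification; the mirrored crypto ACL and hairpin handling on the ASA side are not represented.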
