Cisco Support Community

New Member

Spoke & Hub topology: Can I Route Internet traffic from a PC at a Spoke site thru the tunnel and NAT it out to the world on the Hub's 5520?

I don't know if this can be made to work or not, or if it's a mutually exclusive NAT configuration that's not possible, but I have an ASA 5520 at my central office site with a 20Mbps fiberoptic Internet feed, and two remote offices with ASA 5505 units connected by DSL or cablemodem, and have finally gotten Site-to-Site "spoke" VPN tunnels up and running with the ability to route Spoke-to-Spoke traffic through a "hairpin turn" on the Hub Site's 5520.

I have workstation PCs at each of the remote office spoke sites A & B that need to communicate directly with each other to support a small workgroup-style of point-of-sale software that's actually hosted on a PC at remote site A.

PCs at both remote sites also need to be able to communicate with a credit card processing service over the public Internet, and I wish to have the ASA 5505 units at each remote office block all traffic directly NAT'ed from each PC on the respective local LANs from going straight out to the Internet over each site's cablemodem or DSL modem. I want to force those PCs to have to NAT their Internet-destined traffic back through the ASA 5520 located at the home office, over the VPN tunnels. In other words, I want the cablemodem and DSL connections to carry strictly VPN-encrypted traffic back to the home office, and not also behave as NAT routers for the local PCs there.

I can stop the 5505s from doing NAT for the PCs at the remote offices by simply removing the factory default dynamic NAT rule for "any", but then I cannot figure out how to get my central 5520 to perform the NAT which the remote office PCs need to talk to their credit card processor service over the Internet without breaking the "NAT-exempt" configs needed for the spoke-to-spoke VPN traffic to work. If I try to put a static or dynamic NAT entry for a remote office PC on my central ASA 5520, it breaks the VPN tunnel for that particular PC.

Is what I wish to accomplish even possible with the ASA's? 

1 ACCEPTED SOLUTION
Cisco Employee

Re: Spoke & Hub topology: Can I Route Internet traffic from a PC

Hi Neal,

Yes, this is absolutely possible!! Below is a list of things you will need to do:

1) Make sure on both the ASA 5505s, you send ALL traffic from local LAN through the VPN.

2) As Andrew mentioned, have the command "same-security-traffic permit intra-interface" on the ASA 5520.

3) You do not need to have a proxy server configured though that also is a good solution. But to get it working without it, assuming the remote ASA 5505 subnets are 192.168.1.0/24 and 192.168.2.0/24, add the below config lines to the ASA 5520:

nat (outside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface

Please note that the id 1 and the interface can be replaced according to the config you already have in place in the ASA 5520.

I am not sure what kind of NAT exemptions are causing issues for you, but if you can post a sanitized config from one of your ASA 5505s and the ASA 5520, I can make suggestions regarding the exact config.

Let me know if this helps!!

Thanks and regards,

Prapanch

4 REPLIES

Re: Spoke & Hub topology: Can I Route Internet traffic from a PC

Simply put - yes, this is possible, a couple of simple ways:

1) Install a proxy server at the HUB site, configure the PC browsers to use the proxy

2) Encrypt ALL traffic not local to the remote sites, to be sent to the Hub. Then allow "same-security-traffic" intra-interface.

You will need to pay special attention to:

1) IP routes

2) NAT ( pay BIG attention to this)

HTH


New Member

Re: Spoke & Hub topology: Can I Route Internet traffic from a PC

Finally got it working.

I had to first add a destination "any" to the crypto map ACLs on the 5505s and then add explicit inside and outside incoming rules to the firewall access rules on the 5520 for the remote site PCs and the credit card server out on the Internet.

The credit card software is not proxy-aware (it ain't browser-based) so a proxy does no good for that.

My 5520's config file is HUGE and it would take a very long time to make a sanitized copy, so I have to decline that.
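The following is a complete worked configuration for the setup the accepted answer outlines and that Neal's follow-up finishes (destination "any" in the spoke crypto ACLs, intra-interface traffic permitted on the hub, NAT exemption kept ahead of the dynamic NAT that hairpins Internet traffic out of the hub). It is added here as an illustration and is not from the original posts or from Cisco documentation. It uses the pre-8.3 nat/global syntax the thread uses (8.3 and later replaced it with object and twice NAT). All addresses and names are assumptions: spoke LANs 192.168.1.0/24 and 192.168.2.0/24 as in the answer, hub LAN 10.0.0.0/24, hub public address 203.0.113.10, spoke public addresses 198.51.100.20 and 198.51.100.30 (treated as static for simplicity), the card processor at 198.51.100.80, and the ACL, crypto map and transform-set names.

```cisco
! ===== Spoke A (ASA 5505, pre-8.3 syntax); assumed LAN 192.168.1.0/24 =====
! Hub public address 203.0.113.10 is an assumed value.
! Crypto ACL with destination "any": every non-local packet, Internet-bound
! included, is selected for the tunnel and never leaves the DSL/cable link in clear.
access-list VPN_TO_HUB extended permit ip 192.168.1.0 255.255.255.0 any
! Exempt that same traffic from NAT on the spoke. The factory
! "nat (inside) 1 0.0.0.0 0.0.0.0" / "global (outside) 1 interface" pair is
! deliberately absent, so nothing can be PATed straight out the modem.
nat (inside) 0 access-list VPN_TO_HUB
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_HUB
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <use-a-long-random-psk>
! Spoke B is identical with 192.168.2.0/24 in place of 192.168.1.0/24.

! ===== Hub (ASA 5520, pre-8.3 syntax); assumed LAN 10.0.0.0/24 =====
! Decrypted spoke traffic enters "outside" and leaves "outside" again,
! both for spoke-to-spoke and for Internet hairpinning.
same-security-traffic permit intra-interface
! Hub-side crypto ACLs mirror the spokes: "any" on the hub side.
access-list VPN_SPOKE_A extended permit ip any 192.168.1.0 255.255.255.0
access-list VPN_SPOKE_B extended permit ip any 192.168.2.0 255.255.255.0
! NAT exemption (nat 0) is matched before dynamic NAT. Without these lists
! the "nat (outside) 1" rules below would also rewrite spoke-to-spoke and
! spoke-to-hub packets, which is what broke the tunnel in the question.
access-list INSIDE_NAT0 extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list INSIDE_NAT0 extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NAT0
access-list OUTSIDE_NAT0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list OUTSIDE_NAT0 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list OUTSIDE_NAT0 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list OUTSIDE_NAT0 extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE_NAT0
! Anything else arriving from a spoke is PATed to the hub's public address,
! so the processor only ever sees 203.0.113.10.
nat (outside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 192.168.2.0 255.255.255.0
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
! Crypto side: one map entry per spoke.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_SPOKE_A
crypto map OUTSIDE_MAP 10 set peer 198.51.100.20
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 20 match address VPN_SPOKE_B
crypto map OUTSIDE_MAP 20 set peer 198.51.100.30
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key <psk-for-spoke-a>
tunnel-group 198.51.100.30 type ipsec-l2l
tunnel-group 198.51.100.30 ipsec-attributes
 pre-shared-key <psk-for-spoke-b>
! Only needed when "no sysopt connection permit-vpn" is configured: decrypted
! traffic then hits the outside ACL, which is the situation Neal describes.
! Permit the processor (assumed 198.51.100.80) explicitly rather than "any".
access-list OUTSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list OUTSIDE_IN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 host 198.51.100.80 eq 443
access-list OUTSIDE_IN extended permit tcp 192.168.2.0 255.255.255.0 host 198.51.100.80 eq 443
access-group OUTSIDE_IN in interface outside
```

Two checks are worth running on the hub before trusting this. First, `packet-tracer input outside tcp 192.168.1.50 40000 198.51.100.80 443` should show the flow passing the NAT phase with a translation to the interface address and being allowed out of "outside"; if it is dropped at the NAT phase or shows no translation, the exemption ACLs are shadowing the dynamic rule (or the reverse). Second, `packet-tracer input outside tcp 192.168.1.50 40000 192.168.2.50 445` should show no translation and an encrypt action under the spoke B tunnel; a translation here means spoke-to-spoke traffic is being PATed, which is exactly the failure described in the question. Order matters only between the nat 0 lists and the dynamic rules; the crypto ACLs are evaluated independently of NAT, so a packet that is wrongly translated simply stops matching the spoke's tunnel selector rather than raising an error.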

Cisco Employee

Re: Spoke & Hub topology: Can I Route Internet traffic from a PC

Hi Neal,

Glad to know it worked!

Cheers,

Prapanch
