I just not sure of the next step here. I have go a remote office on a Cisco 877 connected to a Cisco ASA over a DSL line. The remote office can connect to all servers etc over the VPN accept for the Internet.
The internet needs to go over the VPN and back out of the ASA's outside.
What do I need to do?
I have done this - but done it via EIGRP distributing a default route to the remote site, and letting my core layer 3 router handle the internet routing.
I think in your topology, you could:-
1) Forward all internet traffic to a proxy server at the ASA end or
2) Forward all the traffic to a layer 3 interface on a router at the ASA end, and that router has a default route pointing back to your ASA?
1.) I have tried Microsofts ISA 2006 proxy server but couldn't get it to work, can you think of another proxy server?
2.) This sounds interesting, can you explain a bit more? All VPN traffic goes to the ASA from the remote site, what cheap router could do this?
3.) I've also heard of the command "ip route 0.0.0.0 0.0.0.0 18.104.22.168 tunnled" but could think on how to use this on the ASA, basically it will forward all VPN traffic to 22.214.171.124.
1) It should not really what "proxy" server you use, but you have to think about the topology. ISA server design best practise, is to use 2 interfaces, and "in" and "out" but that really can cause you issues in routing. In this example I would use a "one legged" approach. The proxy server has an IP address on the LAN and a default gateway to the next hop layer 3 router. That way you can point all remote site web traffic to the proxy server, and the proxy can route back to the remote site and to the internet via 1 interface.
2) You have a "tunnel" interface at the 877 end. You also have a tunnel on the layer 3 device at the ASA end. You configure either OSPF/EIGRP or Static routes to let both tunnels know about the remote end network - and also point internet traffic into the tunnel, this allows the remote end layer 3 router to route to the internet and vice versa.
3) I must admit I have not heard of this command.
I'm thinking option 2 couple be worth trying.
1.) Can you explain a bit more on how I would do this? The only routers I have spare are Cisco 800's or a Cisco 515 pix which I suppose could just do routing. If it works I could buy some thing better like an 1800.
2.) On the remote VPN Cisco 877 router how could I route the traffic it to this other router on the inside of the ASA? All I see on the config is:
ip route 0.0.0.0 0.0.0.0 Dialer1
The below URL will give you hints on GRE tunneling.
And the below will are config examples for PIX/ASA to PIX/ASA VPN's
The first link is for GRE tunnels.
The second link is for VPN tunnels.
There are multiple configuration examples using a variety of equioment.
Is your requirement a real life requirement or are you just wanting to test this in a LAB? What equipment do you have either for the site to site or the LAB?
This is a real setup at my work.
Currently I have all my VPN's and Cisco Client VPN's going through a Cisco Concentrator. Now I have 2 Cisco ASA 5520's in failover mode and want to move these over.
I have setup the Cisco Client VPN's and a site-to-site VPN up on the ASA just to test so I can start to move the other offices over.
Now the site-to-site and Cisco Client VPN on the ASA are now working, however my work request their interent is monitored which it currently is for the LAN and concentrator. It seems the VPN's on the ASA come in on the outside interface then go straight back out on the same interface so the LAN doesn't see this traffic to capture and monitor.
We have a Server on the inside LAN that monitors traffic that goes through it (see diag), it sniffs the traffic in the vlan. The reason why it works on the concentrator is VPN's come in on that then have to go through the LAN to get to the ASA where the Internet is (outside interface) and is captured.
Hope this makes sense, I just can't think how I can get round this, unless I get a consultant in.
I have a similar situation. We have multiple remote sites using 877's and our head end running ASA. If your ASA is running 7.2 or later, you can "HAIRPIN" in and out of the same interface. This way you can route ALL traffic towards the ASA including internet. You can also access other remote sites (if permitted) via the head end ASA. Check some Hairpin configs. This might help you.