Sending some internet traffic across a tunnel

bruce (Level 1)

Probably an easy question for the experts, but I haven't been able to make this work. I have a site-to-site IPsec tunnel between the main office and branch. It terminates on an ASA at the main and on an 880 at the branch. I now have a need to route a specific public host address across the tunnel through the main site's Internet, rather than having the branch Internet route it directly.

I thought the way to handle this would be an explicit static route for the remote host (call it a.b.c.d) via the main peer (let's say it's at w.x.y.z), e.g.

ip route a.b.c.d 255.255.255.255 w.x.y.z

and add a peer crypto map access list entry for remote host:

access-list 10 permit ip 10.5.2.0 0.0.0.255 host a.b.c.d

It seems this is not enough with traffic destined for a.b.c.d still routing through the outside interface. What is the proper way to redirect traffic for this one (or multiple) hosts across the tunnel through the main ASA? What will I need on that end to route the traffic between my 10.5.2 hosts and a.b.c.d?

Thanks!

4 Replies

andrew.prince (Level 10)

An interesting one. You need to have the interesting-traffic ACL that defines the Internet host on both sides of the VPN tunnel. You also need to place this specific host into the no-NAT config on both sides.

On the ASA side you will also need to enable `same-security-traffic permit intra-interface`, to allow the traffic to leave the outside interface after decryption from the tunnel.

lgijssel (Level 9)

To begin with, the host route is not required. It all goes out the same interface anyway.

What you need to do is add the traffic to the access list specifying traffic for the VPN.

Likely there is now merely a set of private ranges; add the public one to this (extended ACL).

In addition to this, also add it to the NAT exemption and then you're done.

On the ASA, reverse all ACLs and repeat.

regards,

Leo
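Putting the two replies together as one configuration fragment, as an added example that is not from the thread: the branch 880 side and the main-site ASA side (ASA 8.3+ NAT syntax assumed; the ACL, object and interface names and the 10.1.0.0/16 main-site network are hypothetical, and the tunnel itself is assumed to already be up). It also shows the step neither reply spells out: the ASA must translate the branch addresses to its own public address when it forwards them to a.b.c.d, since a 10.5.2.x source address would otherwise leave the outside interface unchanged.

```cisco
! --- Branch 880 (IOS) --- hypothetical names; existing crypto map assumed
! 1. Crypto ACL: the public host becomes interesting traffic (extended ACL)
ip access-list extended VPN-TRAFFIC
 permit ip 10.5.2.0 0.0.0.255 10.1.0.0 0.0.255.255
 permit ip 10.5.2.0 0.0.0.255 host a.b.c.d
!
! 2. NAT exemption: deny the same flows in the ACL that drives PAT, so the
!    branch does not translate them before they reach the crypto map
ip access-list extended NAT-INSIDE
 deny   ip 10.5.2.0 0.0.0.255 10.1.0.0 0.0.255.255
 deny   ip 10.5.2.0 0.0.0.255 host a.b.c.d
 permit ip 10.5.2.0 0.0.0.255 any
!
ip nat inside source list NAT-INSIDE interface FastEthernet4 overload
!
! --- Main-site ASA (8.3+ syntax) --- hypothetical object names
object network BRANCH-NET
 subnet 10.5.2.0 255.255.255.0
object network MAIN-NET
 subnet 10.1.0.0 255.255.0.0
object network REMOTE-HOST
 host a.b.c.d
!
! 1. Mirror of the branch crypto ACL (source and destination reversed)
access-list L2L-BRANCH extended permit ip object MAIN-NET object BRANCH-NET
access-list L2L-BRANCH extended permit ip object REMOTE-HOST object BRANCH-NET
!
! 2. Let decrypted traffic re-enter and leave the same (outside) interface
same-security-traffic permit intra-interface
!
! 3. NAT exemption for main<->branch, then PAT for branch hosts hairpinning
!    to a.b.c.d: decrypted on outside, translated to the outside address,
!    routed back out outside. Return traffic is un-translated to 10.5.2.x,
!    matches L2L-BRANCH and is encrypted back to the branch.
nat (inside,outside) source static MAIN-NET MAIN-NET destination static BRANCH-NET BRANCH-NET
nat (outside,outside) source dynamic BRANCH-NET interface destination static REMOTE-HOST REMOTE-HOST
```

After applying it, `show crypto ipsec sa` on either peer should show a security association for the 10.5.2.0/24 to a.b.c.d/32 proxy identities alongside the existing private-range ones.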

Okay, I'll eliminate the host route. I did have the remote host in the address map for the crypto:

access-list 10 permit ip 10.5.2.0 0.0.0.255 host a.b.c.d

but I failed to add the nat exemption. Guess I need:

access-list 130 deny ip 10.5.2.0 0.0.0.255 a.b.c.d 0.0.0.0

in the nat list for the interface.

What does your nat rule look like?

(Why are people always so reluctant to provide their configurations?)

Never mind, it's a bad world out there, so I can understand it, but it doesn't make life easier.
