
Sending some internet traffic across a tunnel

Probably an easy question for the experts, but I haven't been able to make this work. I have a site-to-site IPsec tunnel between the main office and branch. It terminates on an ASA at the main and on an 880 at the branch. I now have a need to route a specific public host address across the tunnel through the main site's Internet, rather than having the branch Internet route it directly.

I thought the way to handle this would be an explicit static route for the remote host (call it a.b.c.d) via the main peer (let's say it's at w.x.y.z), e.g.

ip route a.b.c.d 255.255.255.255 w.x.y.z

and add a peer crypto map access list entry for remote host:

access-list 10 permit ip 10.5.2.0 0.0.0.255 host a.b.c.d

It seems this is not enough with traffic destined for a.b.c.d still routing through the outside interface. What is the proper way to redirect traffic for this one (or multiple) hosts across the tunnel through the main ASA? What will I need on that end to route the traffic between my 10.5.2 hosts and a.b.c.d?

Thanks!

4 REPLIES

Re: Sending some internet traffic across a tunnel

An interesting one. You need to have the interesting ACL that defines the Internet host on both sides of the VPN tunnel. You also need to place this specific host into the no-NAT config on both sides.

On the ASA side you will also need to enable same-security-traffic permit intra-interface, to allow the traffic to leave the outside interface after decryption from the tunnel.

Sending some internet traffic across a tunnel

To begin with, the host route is not required. It all goes out the same interface anyway.

What you need to do is add the traffic to the access list specifying traffic for the vpn.

Likely there is now only a set of private ranges in it. Add the public host to this (extended ACL).

In addition to this, also add it to the nat exemption and then you're done.

On the ASA, reverse all ACLs and repeat.

regards,

Leo
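Putting the two replies above together as a worked configuration for both ends. This is an added example, not config from the original thread or from any of the posters. It uses the thread's placeholders a.b.c.d (the public host) and w.x.y.z (the ASA's outside address), and assumes the rest: a main-office LAN of 10.1.1.0/24, p.q.r.s as the branch's public address, e.f.g.h as the branch's ISP gateway, FastEthernet4 as the 880's WAN port, the object, ACL, crypto map and transform set names shown, and an ISAKMP policy and pre-shared key that already exist for the working tunnel and are left untouched. The ASA side is written in 8.4-or-later syntax. One point neither reply spells out: on the ASA the hairpinned branch traffic has to be PATed to the outside interface address on its way to a.b.c.d, otherwise the Internet host would reply to a 10.5.2.x address it cannot route; the no-NAT rule on the ASA only covers the existing LAN-to-LAN traffic.

```cisco
! ===== Branch 880 (IOS) =====
! Added example, not the poster's config. Assumed names: VPN-TRAFFIC, NAT-TRAFFIC,
! VPN-MAP, ESP-AES-SHA; FastEthernet4 is assumed to be the WAN port, e.f.g.h the
! ISP gateway. The crypto ACL must be an extended ACL: "permit ip ... host" is not
! accepted in a standard (1-99) list such as access-list 10.
ip access-list extended VPN-TRAFFIC
 permit ip 10.5.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.5.2.0 0.0.0.255 host a.b.c.d
!
! NAT exemption: the deny lines keep tunnel-bound traffic out of the overload
! (PAT) rule. Order matters; the denies must precede the permit.
ip access-list extended NAT-TRAFFIC
 deny   ip 10.5.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny   ip 10.5.2.0 0.0.0.255 host a.b.c.d
 permit ip 10.5.2.0 0.0.0.255 any
!
ip nat inside source list NAT-TRAFFIC interface FastEthernet4 overload
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer w.x.y.z
 set transform-set ESP-AES-SHA
 match address VPN-TRAFFIC
!
interface FastEthernet4
 ip nat outside
 crypto map VPN-MAP
!
! No host route for a.b.c.d is needed: the default route already sends it out
! FastEthernet4, where the crypto map catches it before it leaves the router.
ip route 0.0.0.0 0.0.0.0 e.f.g.h

! ===== Main-office ASA (8.4 or later) =====
! Assumed names: BRANCH-LAN, MAIN-LAN, PUBLIC-HOST, VPN-TO-BRANCH, OUTSIDE-MAP,
! ESP-AES-SHA; p.q.r.s is the assumed branch public address.
object network BRANCH-LAN
 subnet 10.5.2.0 255.255.255.0
object network MAIN-LAN
 subnet 10.1.1.0 255.255.255.0
object network PUBLIC-HOST
 host a.b.c.d
!
! Crypto ACL mirrors the branch's, with local and remote reversed.
access-list VPN-TO-BRANCH extended permit ip object MAIN-LAN object BRANCH-LAN
access-list VPN-TO-BRANCH extended permit ip object PUBLIC-HOST object BRANCH-LAN
!
! Identity NAT (no-NAT) for the existing LAN-to-LAN traffic.
nat (inside,outside) source static MAIN-LAN MAIN-LAN destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup
!
! Decrypted branch packets for a.b.c.d arrive on outside and must leave through
! outside again (hairpin); the ASA refuses that unless this is enabled.
same-security-traffic permit intra-interface
!
! Hairpinned branch traffic is PATed to the outside interface address so that
! a.b.c.d has a routable address to answer. The reply is un-PATed to 10.5.2.x,
! matches VPN-TO-BRANCH, and is encrypted back to the branch.
nat (outside,outside) source dynamic BRANCH-LAN interface destination static PUBLIC-HOST PUBLIC-HOST
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-BRANCH
crypto map OUTSIDE-MAP 10 set peer p.q.r.s
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
```

To check the result from the branch, `show crypto ipsec sa peer w.x.y.z` should list a second SA pair whose local/remote identities are 10.5.2.0/24 and a.b.c.d/32 once a host on 10.5.2.0/24 sends traffic to a.b.c.d; on the ASA, `show xlate` should show that traffic translated to the outside interface address. Pre-8.3 ASAs express the same two NAT rules as `nat (inside) 0 access-list` for the exemption and `nat (outside) 1 10.5.2.0 255.255.255.0` with `global (outside) 1 interface` for the hairpin PAT.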


Sending some internet traffic across a tunnel

Okay, I'll eliminate the host route. I did have the remote host in the address list for the crypto map:

access-list 10 permit ip 10.5.2.0 0.0.0.255 host a.b.c.d

but I failed to add the nat exemption. Guess I need:

access-list 130 deny ip 10.5.2.0 0.0.0.255 a.b.c.d 0.0.0.0

in the nat list for the interface.

Sending some internet traffic across a tunnel

What does your nat rule look like?

(Why are people always so reluctant to provide their configurations?)

Never mind, it's a bad world out there, so I can understand it, but it doesn't make life easier.
