topic Re: Forward selected internet traffic to another site in Network Security

Forward selected internet traffic to another site

dylan.su18@gmail.com — Fri, 06 Sep 2019 09:07:35 GMT

Hi,

i am a newbie in ASA so please bear with me,

I have configured a site to site VPN between 2 sites.

Site A can see Site B resources

Site B can see Site A resources

How can i transfer selected internet traffic from Site B to Site A?

I am using ASDM btw.

Re: Forward selected internet traffic to another site

Seb Rupik — Fri, 06 Sep 2019 09:14:55 GMT

Hi there,

the crypto map which has been configured to create the VPN between the two sites will have an associated ACL. Traffic which matches the ACL will be sent via the VPN, if it doesn't it will continue on its way.

If you want to send certain internet traffic via the VPN, assuming the path to the internet goes via the interface with the crypto map applied, then all you need to do is add the required internet host IP/ subnets to the crypto map ACL.

Make sure you also update the crypto map ACL on the other site ASA so that the return traffic will be sent via the VPN.

cheers,

Seb.

Re: Forward selected internet traffic to another site

dylan.su18@gmail.com — Fri, 06 Sep 2019 09:23:47 GMT

Hi,

Thanks for the quick response. I have try adding a external public webpage to the cryptomap. However, it doesn't work at all - in other words, the moment i add it into my cryptomap - I could neither ping it or browser the page. Removing it, will work (because it will just use SiteB internet and reach the page).

I have also added "same-security-traffic permit intra-interface" into SiteA's ASA.

Re: Forward selected internet traffic to another site

Seb Rupik — Fri, 06 Sep 2019 09:31:02 GMT

Have you added the 'reversed' ACL for the traffic flow to SiteA's crypto map?

Have you tried a packet capture on SiteA's outside interface to see if the traffic is leaving and returning on the outside interface?

Can you share the configs of the ASAs?

cheers,

Seb.

Re: Forward selected internet traffic to another site

dylan.su18@gmail.com — Fri, 06 Sep 2019 09:41:40 GMT

Yup, it is checked.

I tried on packet tracer is fine both ways.

Site A can throw the public IP to B

Site B can throw the public IP to A

no issues.

Re: Forward selected internet traffic to another site

bhargavdesai — Fri, 06 Sep 2019 09:44:54 GMT

I think this is to the continues query regarding the INTERNET over the VPN.

Can you share your configuration so that we can have a clear idea.

I think you have done the NAT hair-pining for the VPN.

Make sure you are not doing any NAT on the SITE-2 (Branch) ASA and ACLs are properly configured.

HTH

Bhaggu

Re: Forward selected internet traffic to another site

dylan.su18@gmail.com — Fri, 06 Sep 2019 10:02:06 GMT

Make sure you are not doing any NAT on the SITE-2 (Branch) ASA and ACLs are properly configured.

means?

Dont' create any NAT between SiteB to SiteA?

What kind of ACLs are needed?

I noticed i have no issue sending traffic from Site B to Site A but there is no return traffic.

Site A on the other hand shows nothing received.

Re: Forward selected internet traffic to another site

bhargavdesai — Fri, 06 Sep 2019 10:12:23 GMT

This is what I assume you want to achieve.

You have HQ and Branch both has Internet Connection and are connected through VPN tunnel.

Now you want that on Branch all Internet traffic move through the local Internet but a specific subnet/IP should go through VPN tunnel on the HQ and access the subnet/IP from the HQ's Internet.

Can you confirm this.

If so. You have already established the tunnel and for that you have created an ACL. That ACL on both side should contain two entries on for the PRIVATE IP subnet that you own at HQ and BRANCH. and the subnet/IP that you want to access through the HQ's Internet.

For BRANCH's normal internet access you have created NAT policy. Now you need a one more NAT policy that exempt the particular subnet/IP that you want to access through HQ's Internet.

In HQ you already has the Hair-Pinning NAT setup to take care of the internet acces.

I hope your earlier query ASA site to site VPN no internet access is answered and working, Please rate and select it as answered if you feel.

HTH

Bhaggu

Re: Forward selected internet traffic to another site

dylan.su18@gmail.com — Mon, 09 Sep 2019 01:59:03 GMT

Yup, the tunnel is established. The ACL u refers to is which ACL?

I already have a ACL in Crytomap that have Site A internal LAN <> Site B internal LAN service Any.

For BRANCH's normal internet access you have created NAT policy. Now you need a one more NAT policy that exempt the particular subnet/IP that you want to access through HQ's Internet.

How do i create this?

Re: Forward selected internet traffic to another site

bhargavdesai — Mon, 09 Sep 2019 08:30:50 GMT

For you I have created a Lab You can find the attached files for configuration reference. The topology diagram is also attached for your reference.

I hope you got all your questioned answered by studying the configuration.

In example, from BRANCH's LAN subnet (10.1.2.0/24) any traffic going to 3.3.3.3/32 will go through VPN tunnel.

But, any other Internet destination will be pass through local Internet connection.

Even if you still have query fill free to ask .

HTT

Re: Forward selected internet traffic to another site

dylan.su18@gmail.com — Tue, 10 Sep 2019 03:15:21 GMT

Hi bhargavdesai,

You have been extremely helpful and im grateful for it.

I tried to check my config with yours and it looks similar. I don't know what I am missing...

Re: Forward selected internet traffic to another site

bhargavdesai — Tue, 10 Sep 2019 07:44:47 GMT

I have gone through your partial configuration so will try to guide you through that.

I think your Tunnel is up and you are able to connect to your private network. The problem is you are not able to send traffic for particular public network to other side. I am only looking at NAT and ACL part at the moment.

====

BRANCH SIDE:

Crypto ACL (outside-hk) should look like. (You can always use object/object-group but here i am not using anything to make it clear for you)

access-list outside-hk extended permit ip 192.168.0.0 255.255.255.0 192.167.0.0 255.255.255.0
access-list outside-hk extended permit ip 192.168.0.0 255.255.255.0 host 204.11.35.98

NAT

Now i see there are two internet connections. So your NAT should look something like

FOR NORMAL INTERNET

object-group network OBJ-SHN

nat (inside,outside-isp2) dynamic interface

object-group network OBJ-SHN

nat (inside,outside-isp1) dynamic interface

FOR VPN EXEMPTION

nat (inside,outside-isp2) source static OBJ-SHN OBJ-SHN destination static OBJ-HKN OBJ-HKN no-proxy-arp
nat (inside,outside-isp1) source static OBJ-SHN OBJ-SHN destination static OBJ-HKN OBJ-HKN no-proxy-arp
nat (inside,outside-isp2) source static OBJ-SHN OBJ-SHN destination static www.whatsmyip.org www.whatsmyip.org no-proxy-arp
nat (inside,outside-isp1) source static OBJ-SHN OBJ-SHN destination static www.whatsmyip.org www.whatsmyip.org no-proxy-arp

HQ SIDE:

CRYPTO ACL

access-list outside-SH extended permit ip 192.167.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside-SH extended permit ip host 204.11.35.98 192.168.0.0 255.255.255.0

NAT CONFIGURATION

REMOAVE THIS:

object network www.whatsmyip
nat (outside-isp1,outside-isp1) dynamic interface

ALREADY CONFIGURED:

object network Internal-LAN
nat (inside,outside-isp2) dynamic interface
object network Internal-LAN
nat (inside,outside-isp1) dynamic interface

FOR VPN EXEMPTION-already in-place

nat (inside,outside-isp1) source static OBJ-HKN OBJ-HKN destination static OBJ-SHN OBJ-SHN no-proxy-arp

HAIRPINING NAT

nat (outside-isp1,outside-isp1) source dynamic OBJ-SHN interface
nat (outside-isp2,outside-isp2) source dynamic OBJ-SHN interface

======

Whenever you check at branch, make sure you are using the 204.11.35.98 ip address in the browser and not the www.whatismyip.org in the browser, because it may resolve to some other ip address and you want get the desire result.

Due to partial configuration, This is what I found, If you still having issue please share full sanitised configuration of both-side so that i can help you out.

HTH

Re: Forward selected internet traffic to another site

dylan.su18@gmail.com — Tue, 10 Sep 2019 09:33:02 GMT

BRANCH SIDE: (in place)

Crypto ACL (outside-hk) should look like. (You can always use object/object-group but here i am not using anything to make it clear for you)

access-list outside-hk extended permit ip 192.168.0.0 255.255.255.0 192.167.0.0 255.255.255.0
access-list outside-hk extended permit ip 192.168.0.0 255.255.255.0 host 204.11.35.98

NAT

Now i see there are two internet connections. So your NAT should look something like

FOR NORMAL INTERNET (in place)

object-group network OBJ-SHN

nat (inside,outside-isp2) dynamic interface

FOR VPN EXEMPTION (in place)

HQ SIDE:

CRYPTO ACL(in place)

access-list outside-SH extended permit ip 192.167.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside-SH extended permit ip host 204.11.35.98 192.168.0.0 255.255.255.0

NAT CONFIGURATION

REMOAVE THIS: (Done)

object network www.whatsmyip
nat (outside-isp1,outside-isp1) dynamic interface

ALREADY CONFIGURED: (in place)

object network Internal-LAN
nat (inside,outside-isp2) dynamic interface
object network Internal-LAN
nat (inside,outside-isp1) dynamic interface

FOR VPN EXEMPTION-already in-place (in place)

nat (inside,outside-isp1) source static OBJ-HKN OBJ-HKN destination static OBJ-SHN OBJ-SHN no-proxy-arp

HAIRPINING NAT(in place)

nat (outside-isp1,outside-isp1) source dynamic OBJ-SHN interface
nat (outside-isp2,outside-isp2) source dynamic OBJ-SHN interface

=================================================================

Not working. Can't ping to the IP nor hit the address. I must be missing smth else

Re: Forward selected internet traffic to another site

bhargavdesai — Tue, 10 Sep 2019 10:34:25 GMT

Can you run the packet tracer from BRANCH

packet-tracer input inside icmp 192.168.0.10 8 0 204.11.35.98 detail

The result will make sure the traffic is hitting the VPN or Not. You can run the packet-tracer at HO too.

You can enable logging on ASDM and check on HO that the traffic is reaching the HO or not.

Moreover there are possibility of NAT sequencing issue. For that you can run the "sh nat" command on both side and provide the output.

It will be easier to troubleshoot if you provide sanitised configuration of both side.

HTH