Assistance request for corporate L2L VPN solution

Dean Watson · ‎03-30-2011

Hi all,

Got a bit of a conundrum i wanted to share, we are trying to achieve the following:

Branch Office (all traffic) -----> (vpn) -----> (Head Office ASA - DMZ interface) -----> (Head Office TMG) -----> (Head Office ASA - Outside Interface)

So all traffic from a branch office should be sent over a vpn to the headoffice then forwarded to The TMG (Microsoft forefront) which provides logging, filtering and policy application. If the traffic conforms to policy it will be routed via the ASA towads the internet.

So far the thoughts are:

Hairpin routing isn't applicable as we went to send the traffic to the TMG.

We can't set a default route to forward all traffic to the TMG as this would break everything.

Multiple context not possible as no VPN support.

There is no policy based routing on the asa so we can't direct traffic coming from vpn to the TMG.

We have applied PBR on the site router to set the next-hop recursive field on the packet to the TMG IP, but the traffic is not being forwarded via the VPN.

I've snipped out the VPN config below;

crypto isakmp policy 10

encr aes

hash md5

authentication pre-share

group 2

crypto isakmp key <site psk> address <HO IP>

crypto ipsec transform-set MySet esp-aes 256 esp-sha-hmac

crypto map l2l-vpn 1 ipsec-isakmp

set peer <HO IP>

set transform-set MySet

match address l2l_list

interface Vlan10

ip address 10.70.5.254 255.255.255.0

ip nat inside

ip virtual-reassembly

ip policy route-map filtered_traffic

ip access-list extended NAT

deny ip 10.70.5.0 0.0.0.255 <Server IP Range>

deny ip 10.70.5.0 0.0.0.255 <DMZ IP Range>

permit ip 10.70.5.0 0.0.0.255 any

ip access-list extended l2l_list

permit ip 10.70.5.0 0.0.0.255 <Server IP Range>

permit ip 10.70.5.0 0.0.0.255 <DMZ IP Range>

ip access-list extended lan_traffic

permit ip 10.70.5.0 0.0.0.255 any

route-map filtered_traffic permit 10

match ip address lan_traffic

set ip next-hop recursive <TMG IP>

Apart from plugging in a Router and using GREoIPSEC does anyone have any ideas on how this could be made to work?

Components are;

Site equipment:

CISCO887M running 15.1.1T2 with advsecurity lic.

Head office equipment:

CISCO ASA5520 firewall pair. running 8.4.1 VPN Plus licence.

Jennifer Halim · ‎03-31-2011

Sorry, a little bit confused on the topology.

Which interface of the ASA do you terminate the VPN on? I believe the VPN is terminated on the outside interface of the ASA which is where the Internet is routed? is that correct? however you would like to push all the VPN traffic towards the TMG which is connected to ASA DMZ interface?

If that is the case, you can configure tunnel default gateway to send all traffic from the VPN tunnel towards the TMG server.

Here is the command for your reference:

route dmz 0.0.0.0 0.0.0.0 tunneled

That will force all traffic from VPN tunnel towards TMG server.

But the question is would the traffic towards the Internet then be initiated from the TMG server itself after being inspected? or the source of the traffic will still be the actual branch office LAN IP?

Dean Watson · ‎03-31-2011

Hi Thanks for your reply,

I've attached a diagram of what we are trying to achieve, I came accross the concept of tunneled routes in the ASA cli config documentation, but didn't realise that they were specifically related to VPN traffic.

The TMG acts as a transparent proxy, so traffic will be routed to the TMG interface on the DMZ network and if allowed will routed from the TMG on a different interface to the ASA to be routed out onto the web.

Would it be better to move the remote offices onto a dedicated interface? The DMZ is also used by web servers, and their traffic does not need to be inspected by the TMG.

Jennifer Halim · ‎04-01-2011

Great, thanks for the diagram, that helps.

So after it has been inspected by the TMG, what would be the source of the web traffic towards the internet? Would it be sourced from the TMG or it would just be sourced from the remote office LAN itself?

Also, how would the return traffic from the internet works? is it supposed to be routed back towards the TMG, or it will go directly back to the remote office LAN?