
Internet Access through VPN

Stephen Sisson
Level 1

Hello everyone,

I was given a new project to connect three sites, as shown in the Visio diagram, with a site-to-site VPN using Cisco ASA 5505s; we have no trouble doing this.

My company only has internet access from Site_A. My question is: can we give Site_B and Site_C internet access from Site_A through the VPN tunnel (represented by the purple lines from Site B/C)? If this is possible, can you explain how?

Thank you

2 Accepted Solutions

Hi,

The configuration I provided only lists some basic configuration examples related to VPN and ACL. Therefore it doesn't have things like basic interface settings, routing, interface ACLs and so on.

It's basically easier to finalize the configuration when we have the actual devices set up.

Are you going to lab all the 3 sites in a lab environment?

- Jouni

Ok,

I guess we will follow up on this and perhaps look at the lab setup after you have gotten the ASAs?

- Jouni

17 Replies

Yes, this is possible. I am assuming that the VPN connections terminate at the ASAs, that only one interface is being used for internet and the VPN connections, and that each site has a unique IP subnet.

First off, all traffic from Site B and C needs to be sent through the tunnel. Second, you need to enable hairpinning on the ASA 5505 at Site A with same-security-traffic permit intra-interface. You then need to configure NAT for the remote sites so that they are NATed back out the same interface they arrived on and translated to your public IP. For this configuration I am assuming that your ASAs are running version 8.3 or higher.

object network SITEB_LAN
 subnet 10.0.0.0 255.255.255.0
 nat (outside,outside) dynamic interface
object network SITEC_LAN
 subnet 11.0.0.0 255.255.255.0
 nat (outside,outside) dynamic interface

Please rate any helpful posts

--
Please remember to select a correct answer and rate helpful posts

Jouni Forss
VIP Alumni

Hi again Stephen,

Are you saying that there is a dedicated connection through the ISP from the 2 Remote Sites to your Central Site, and you are using L2L VPN connections from the Remote Sites to the Central Site to protect the traffic between the sites?

I am just wondering as you say you only have Internet connection on the Central Site?

Or do you rather mean that the Central Site should be the only site through which all of the sites Internet traffic should go even if the remote sites had direct link to the Internet through their local ISP?

Let me know how the actual situation is.

If we are talking about a typical L2L VPN setup from Remote Sites to the Central Site and the requirement is also to run Internet traffic through the L2L VPN connection then the Remote Sites Crypto ACL will basically list the "any" destination network and source as the local network. In the same way the Central Site Crypto ACL will list "any" as the source and the Remote Sites local network as the destination.

And the reason I talk about the "any" is the fact that if you are going to forward all Internet traffic through the L2L VPN then that is pretty much the only real option to define the remote networks (on Internet).

You will also have to make sure that the Central Site is enabled with

same-security-traffic permit intra-interface

Which will enable the connections from Remote Sites to take a U-turn on the Central Site ASA "outside" interface so they can form connections to the Internet.

You will naturally also need a NAT configuration that does NAT between "outside" and "outside" interface on the Central Site ASA since the traffic coming from the clients through L2L VPN will be coming from "outside" and the destination Internet networks are located behind "outside" interface also.

Naturally if you have some configurations already ready and the ASAs are deployed at the sites then we could look at the configurations.

I guess one critical part might be that if your VPN is configured to match traffic to "any" destination network in the Remote Site configurations, then if for some reason the L2L VPN doesn't work, no connections will work to the outside networks (that is, if the sites even have a direct link to the Internet).

Let me know how the situation is

- Jouni

Hi Jouni, hope all is well my friend.

All three sites have public addressing with WAN access; the reason for using Site A for internet is a management decision, because Site A has a 50 Meg pipe.

The equipment will arrive next week for all three sites. I'm working on the configs for each ASA for the site-to-site VPN; while working on the configs I was hoping you would know what I need to add, so we have this ready to apply when the equipment arrives, which allows us to ship the equipment to the remote sites.

As you can see, we have never done this before, bringing WAN traffic back through the site-to-site VPN. I'm still waiting on our ISP to bring the fiber into the MDF room and give me the public IPs for the two remote sites.

I have everything we need for Site A, our primary location, including the internet switch, ASA 5505, and the users.

I'm not sure how to make this work, and any more information you can give will help very much.

Thank you

Hi,

I am just wondering what the reasoning is for having all traffic go through the central firewall, unless there is something on the Central Site through which every outbound connection should pass. The traffic from the Remote Sites through the Central Site to the external networks will naturally consume a lot of the bandwidth of the Central Site, so that's something to consider.

If I were to give partial example configurations for all 3 sites, then the NAT and VPN configurations could look like this (I presume an 8.4 or above software level):

Base Information

  • 3 Sites
  • Central Site = 10.10.10.0/24
  • Remote Site 1 = 10.10.20.0/24
  • Remote Site 2 = 10.10.30.0/24
  • Site 1 Public IP = 1.1.1.1
  • Site 2 Public IP = 2.2.2.2
  • Site 3 Public IP = 3.3.3.3
  • External Interface = outside (on each site)
  • Internal Interface = inside (on each site)

CENTRAL SITE

  • We create ACLs for the Remote Site L2L VPN which define that traffic from "any" source address will/can be forwarded to the Remote Site
  • We configure "object" for the networks and configure NAT0 for the Central to Remote traffic
  • We configure Dynamic PAT for the Remote Sites Internet traffic that comes through L2L VPN
  • We configure L2L VPN

! Hairpin: allow traffic arriving on "outside" to leave via "outside" again
same-security-traffic permit intra-interface

! Crypto ACLs: "any" as the source so the Remote Sites' Internet traffic is accepted into the tunnel
access-list REMOTE-ONE-L2LVPN remark Encryption Domain for Remote Site 1
access-list REMOTE-ONE-L2LVPN permit ip any 10.10.20.0 255.255.255.0
access-list REMOTE-TWO-L2LVPN remark Encryption Domain for Remote Site 2
access-list REMOTE-TWO-L2LVPN permit ip any 10.10.30.0 255.255.255.0

object network CENTRAL-SITE
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-ONE
 subnet 10.10.20.0 255.255.255.0
object network REMOTE-TWO
 subnet 10.10.30.0 255.255.255.0

! NAT0 (identity NAT) for Central <-> Remote traffic
nat (inside,outside) source static CENTRAL-SITE CENTRAL-SITE destination static REMOTE-ONE REMOTE-ONE
nat (inside,outside) source static CENTRAL-SITE CENTRAL-SITE destination static REMOTE-TWO REMOTE-TWO

! Dynamic PAT for the Remote Sites' Internet traffic: in on "outside", back out on "outside"
object network REMOTE-ONE-PAT
 subnet 10.10.20.0 255.255.255.0
 nat (outside,outside) dynamic interface
object network REMOTE-TWO-PAT
 subnet 10.10.30.0 255.255.255.0
 nat (outside,outside) dynamic interface

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map CRYPTOMAP 1 match address REMOTE-ONE-L2LVPN
crypto map CRYPTOMAP 1 set peer 2.2.2.2
crypto map CRYPTOMAP 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map CRYPTOMAP 1 set reverse-route
crypto map CRYPTOMAP 2 match address REMOTE-TWO-L2LVPN
crypto map CRYPTOMAP 2 set peer 3.3.3.3
crypto map CRYPTOMAP 2 set ikev1 transform-set ESP-AES-256-SHA
crypto map CRYPTOMAP 2 set reverse-route
crypto map CRYPTOMAP interface outside
crypto ikev1 enable outside

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 ikev1 pre-shared-key

REMOTE SITE ONE/TWO

  • Example configurations that can be applied to both Remote Sites
  • If the requirement is truly that ALL traffic from the Remote Sites should head through the Central Site, then you essentially don't need any NAT configurations on the Remote Site ASAs, since all traffic should show up on the Central Site without NAT and the Central Site would do the NAT towards the external/public networks

! Crypto ACL: local LAN to "any" so that Internet-bound traffic is also tunneled to the Central Site
! (Remote Site 1 shown; use 10.10.30.0 255.255.255.0 on Remote Site 2)
access-list CENTRAL-SITE-L2LVPN remark Encryption Domain for Main Site L2LVPN
access-list CENTRAL-SITE-L2LVPN permit ip 10.10.20.0 255.255.255.0 any

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map CRYPTOMAP 1 match address CENTRAL-SITE-L2LVPN
crypto map CRYPTOMAP 1 set peer 1.1.1.1
crypto map CRYPTOMAP 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map CRYPTOMAP 1 set reverse-route
crypto map CRYPTOMAP interface outside
crypto ikev1 enable outside

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key


The above are some very general examples. The situation is problematic for the Remote Sites because their configurations would probably DROP all traffic until the L2L VPN is up. So they will probably work only once the whole setup between Central and Remote is finalized.

Hope this helps

- Jouni
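The design in the two posts above (the first reply's hairpin-plus-NAT recipe and Jouni's full-tunnel crypto ACLs) comes down to three rules: each spoke's crypto ACL must be the exact mirror of the hub's entry for it, the hub must permit outside-to-outside (intra-interface) traffic, and the hub needs an (outside,outside) PAT for the spoke subnets alongside the identity NAT for hub-to-spoke traffic. The following is an added example, not code from the thread or from Cisco, that models those rules in Python using the thread's example values (Central 10.10.10.0/24 behind 1.1.1.1, Remote Site 1 10.10.20.0/24 behind 2.2.2.2, Remote Site 2 10.10.30.0/24 behind 3.3.3.3). It renders the hub's ACL and NAT lines, checks the mirror property (a mismatch is a classic reason phase 2 never comes up), and traces where a packet from a spoke host ends up under the settings the thread argues about: a full-tunnel ACL versus a hub-LAN-only ACL, hairpin on or off, and the tunnel being down. The path labels returned by flow_path() and the full_tunnel/hub_hairpin/tunnel_up switches are this script's own names, not ASA terminology.

```python
"""Hub-and-spoke L2L VPN policy model (added example, not from the thread).

Uses the thread's example values: Central 10.10.10.0/24 behind 1.1.1.1,
Remote Site 1 10.10.20.0/24 behind 2.2.2.2, Remote Site 2 10.10.30.0/24
behind 3.3.3.3.  The path labels returned by flow_path() are this
script's own names, not ASA terminology.
"""
import ipaddress

IPNet = ipaddress.IPv4Network
ANY = IPNet("0.0.0.0/0")

HUB = {"name": "CENTRAL", "lan": IPNet("10.10.10.0/24"), "public": "1.1.1.1"}
SPOKES = [
    {"name": "REMOTE-ONE", "lan": IPNet("10.10.20.0/24"), "public": "2.2.2.2"},
    {"name": "REMOTE-TWO", "lan": IPNet("10.10.30.0/24"), "public": "3.3.3.3"},
]


def mask(net):
    """ASA writes networks as 'address netmask', not CIDR."""
    return f"{net.network_address} {net.netmask}"


def acl_entry(src, dst):
    """One crypto-ACL permit line the way ASA prints it."""
    return " ".join(["permit ip",
                     "any" if src == ANY else mask(src),
                     "any" if dst == ANY else mask(dst)])


def hub_policy(full_tunnel=True):
    """Crypto ACL (source, destination) pairs on the hub, per spoke.
    full_tunnel=True is the thread's design: any -> spoke LAN."""
    src = ANY if full_tunnel else HUB["lan"]
    return {s["name"]: [(src, s["lan"])] for s in SPOKES}


def spoke_policy(spoke, full_tunnel=True):
    """Spoke LAN -> any (full tunnel) or spoke LAN -> hub LAN only."""
    return [(spoke["lan"], ANY if full_tunnel else HUB["lan"])]


def mirrors(hub_entries, spoke_entries):
    """IKEv1 phase 2 proxy IDs must be exact mirrors of each other."""
    return sorted((d, s) for s, d in hub_entries) == sorted(spoke_entries)


def render_hub_config(full_tunnel=True):
    """Hub lines the design needs: hairpin, crypto ACLs, NAT0, outside PAT."""
    lines = ["same-security-traffic permit intra-interface"]
    for name, entries in hub_policy(full_tunnel).items():
        lines += [f"access-list {name}-L2LVPN {acl_entry(s, d)}" for s, d in entries]
    lines += [f"object network {HUB['name']}-SITE", f" subnet {mask(HUB['lan'])}"]
    for s in SPOKES:
        lines += [f"object network {s['name']}", f" subnet {mask(s['lan'])}"]
    for s in SPOKES:  # identity (NAT0) rule keeps hub<->spoke addresses untouched
        lines.append(f"nat (inside,outside) source static {HUB['name']}-SITE "
                     f"{HUB['name']}-SITE destination static {s['name']} {s['name']}")
    for s in SPOKES:  # hairpin PAT: in on outside, back out on outside
        lines += [f"object network {s['name']}-PAT", f" subnet {mask(s['lan'])}",
                  " nat (outside,outside) dynamic interface"]
    return lines


def render_spoke_config(spoke, full_tunnel=True):
    """The spoke's crypto ACL, named as in the thread."""
    return [f"access-list CENTRAL-SITE-L2LVPN {acl_entry(s, d)}"
            for s, d in spoke_policy(spoke, full_tunnel)]


def flow_path(spoke, dst_ip, full_tunnel=True, hub_hairpin=True, tunnel_up=True):
    """Trace a packet from a spoke LAN host to dst_ip through the design.
    Spoke-to-spoke traffic via the hub is deliberately not modelled."""
    dst = ipaddress.IPv4Address(dst_ip)
    if not any(dst in d for _, d in spoke_policy(spoke, full_tunnel)):
        return "spoke-local-wan"   # crypto ACL miss: leaves via the spoke's own ISP, in the clear
    if not tunnel_up:
        return "dropped-at-spoke"  # ACL says tunnel, but no SA: nothing gets out (Jouni's caveat)
    if dst in HUB["lan"]:
        return "hub-inside"        # NAT0 applies, delivered to the Central LAN
    if not hub_hairpin:
        return "dropped-at-hub"    # outside -> outside needs same-security-traffic intra-interface
    return "hub-outside-pat"       # U-turn on outside, PAT'd to the hub's public address


if __name__ == "__main__":
    print("\n".join(render_hub_config()))
    for site in SPOKES:
        print(f"{site['name']} mirrors hub:",
              mirrors(hub_policy()[site["name"]], spoke_policy(site)))
    print("8.8.8.8 full tunnel:", flow_path(SPOKES[0], "8.8.8.8"))
    print("8.8.8.8 hub-only ACL:", flow_path(SPOKES[0], "8.8.8.8", full_tunnel=False))
```

Running it prints the hub's policy lines and then the traces; the useful check is the contrast between the two last lines: with the hub-LAN-only ACL (full_tunnel=False) the same Internet-bound packet never enters the tunnel and leaves through the spoke's own WAN link, which is exactly the point Jouni makes about "any" and the reason the design only works once the tunnel is up.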

I was under the impression that VPN connectivity was established between the sites and that just hairpinning to get internet access was needed?

If so then the configuration I mentioned in my post above is what is needed to get things going.  Just change the subnets as required.

--
Please remember to select a correct answer and rate helpful posts

Hi,

The Internet traffic from Remote Sites will only be tunneled into the L2L VPN connection if we use "any" as the destination address in the Crypto ACL, since we can't really know all the public destination networks for which traffic should be tunneled into the L2L VPN between Remote and Central.

I imagine if it's just web traffic then it could be handled with a proxy on the Central Site to which the hosts on the Remote Sites would connect?

I am not sure if anything could be done with other types of traffic towards the external networks? I can't comment on that myself.

- Jouni

No need for a proxy, unless web filtering is required.  Just good ol' hairpinning and NAT.

--
Please remember to select a correct answer and rate helpful posts

Hi,

But how are you going to get the Internet-bound traffic from the Remote Site to the Central Site through the L2L VPN connection if we were NOT using "any" as the destination address/network for the tunneled traffic? If we didn't use "any", the local Remote Site ASA would simply pass the traffic through its local WAN link and not forward it to the VPN.

- Jouni

Please reread my original post. I mention that we need to be sure that all traffic is being tunneled from Site B and C.

--
Please remember to select a correct answer and rate helpful posts