06-06-2023 11:48 AM
We have migrated from an ASA 5516 to an NGFW 1140. Everything seems to be working great so far. What I was wondering is: we have site-to-site tunnels configured, and it appears the normal internet traffic is also trying to go through the tunnel. How can we separate this? We just want the tunnel traffic to use it, and normal internet traffic to use our proxy and go out an ACL, not the tunnel. For users that don't use the tunnel, it works fine.
Or is it not possible to split it like the 5516s did?
06-06-2023 11:52 AM
@scoutt what destination network have you defined in the VPN configuration? The configuration of the VPN should define just the correct networks that should be tunnelled. Make sure you haven't defined "any" as the destination in the VPN configuration.
06-06-2023 12:18 PM
So under the Node A protected networks, yes, all networks we want to be tunneled are there. As for the destination Node B protected Network, no internal networks defined there.
06-06-2023 12:22 PM
@scoutt so what is defined as the destination networks then? When using a policy-based VPN (which it sounds like you are), only interesting traffic that matches the networks defined is routed via the tunnel.
Provide some screenshots of your configuration.
Run packet-tracer from the CLI of internet traffic to see what it believes should happen with the traffic.
06-06-2023 12:39 PM
You use an ACL of local LAN to ANY <<- this makes all traffic pass through the tunnel; change it to
LOCAL LAN -> Remote LAN
06-06-2023 12:52 PM
Thanks, sorry, the destination for the protected network on Node B is the IP of the partner, a state vendor. We see it leave the firewall under the events, but most of the initiator's info is blank and the response never gets back to us. The state vendor says they do not see us hitting them, so we are thinking that all the web traffic is also going through the site-to-site tunnel, which we don't want.
We have ACL rules pointing like you said, Local LAN -> Remote LAN, for tunnel traffic. But we also enabled "sysopt permit-vpn" in the VPN configuration. Will this make a difference and shoot everything through the tunnel?
06-06-2023 12:55 PM
@scoutt sysopt connection permit-vpn just tells the ASA to ignore the interface ACLs for VPN traffic, it won't route all traffic via the VPN.
Run packet-tracer as mentioned to provide a clue as to what is happening.
06-06-2023 01:07 PM
Check if the Remote LAN subnet conflicts with the proxy IP.
06-07-2023 07:54 AM
Good Morning guys,
Thanks for the information. We have found the problem, and it required some cleanup on our part. The vendor URLs that users were hitting were in the same IP range that we had in the VPN tunnel. Once we removed that range, the sites stopped going through the tunnel. Thanks for the clarification that nothing really needs to be done to separate the traffic, except make sure you don't have IP ranges that you don't need in there. lol
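The mechanism described in the replies above (a policy-based VPN only encrypts traffic that matches the protected-network pairs, and a destination range that overlaps the remote protected network gets pulled into the tunnel whatever URL the user typed) can be checked offline before touching the firewall. The script below is an added example, not code from the original thread or from Cisco; the crypto ACL entries, the proxy IP and the vendor web IPs are constructed, hypothetical values (RFC 5737 documentation ranges), and the helper names are my own. It models first-match evaluation of the crypto ACL, lists which outside destinations fall inside a remote protected network, and flags an ACE whose remote side is "any", which is the LOCAL LAN -> ANY mistake pointed out in the thread.

```python
import ipaddress

# Constructed, hypothetical crypto ACL for a policy-based site-to-site VPN.
# Each ACE is (Node A protected network, Node B protected network).
CRYPTO_ACL = [
    ("10.10.0.0/16", "203.0.113.0/24"),   # local LAN -> state vendor range (hypothetical)
]

# Constructed destinations that are supposed to leave via the proxy / outside ACL,
# NOT the tunnel. 203.0.113.77 deliberately sits inside the vendor range above.
PROXY_IP = "192.0.2.50"
VENDOR_WEB_IPS = ["203.0.113.77", "198.51.100.10"]


def matching_ace(src, dst, acl=CRYPTO_ACL):
    """Return the first ACE (local, remote) that matches src -> dst, else None.

    A crypto ACL is evaluated first-match: a hit means the flow is
    "interesting traffic" and is encrypted into the tunnel; a miss means the
    flow follows normal routing and NAT (proxy, outside ACL, ...).
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for local, remote in acl:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return (local, remote)
    return None


def overlapping_destinations(dests, acl=CRYPTO_ACL):
    """Map each destination that falls inside some remote protected network
    to that network. Anything returned here will be tunnelled, regardless of
    the hostname or URL the user requested."""
    hits = {}
    for dst in dests:
        d = ipaddress.ip_address(dst)
        for _local, remote in acl:
            if d in ipaddress.ip_network(remote):
                hits[dst] = remote
                break
    return hits


def has_any_remote(acl=CRYPTO_ACL):
    """True if any ACE uses a default route (0.0.0.0/0 or ::/0) as the remote
    side: that makes every flow from the local LAN 'interesting' and sends all
    internet traffic down the tunnel."""
    return any(ipaddress.ip_network(remote).prefixlen == 0 for _local, remote in acl)


if __name__ == "__main__":
    if has_any_remote():
        print("WARNING: an ACE tunnels everything (remote side is 'any')")
    for dst, net in overlapping_destinations([PROXY_IP] + VENDOR_WEB_IPS).items():
        print(f"{dst} overlaps remote protected network {net}: it will be tunnelled")
    for dst in [PROXY_IP] + VENDOR_WEB_IPS:
        print(dst, "->", matching_ace("10.10.5.5", dst) or "normal routing")
```

On the firewall itself, the equivalent check is the packet-tracer command the replies above recommend (for example `packet-tracer input inside tcp 10.10.5.5 12345 203.0.113.77 443`); a VPN encrypt phase in its output means the flow matched the crypto ACL, exactly what `matching_ace` reports for the same addresses.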
06-07-2023 07:56 AM
You are so welcome