11-30-2022 06:55 AM
I have a working site-to-site VPN between a client router and an FTD.
I have a device on the router side that needs to access a resource on the internet, so I think there is no point in sending that traffic through the tunnel only to send it out to the internet from there. I left it out of the encrypted-traffic ACL, but it doesn't seem to be working; everything else is working.
10.20.100.0 is the local network on the router and 10.10.1.0 is the resource on the FTD, 64.64.64.64 is the FTD "public IP", and 192.168.8.1 is the router's ISP gateway.
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key ****** address 64.64.64.64
crypto isakmp keepalive 15
crypto isakmp nat keepalive 15
!
!
crypto ipsec transform-set pix-set esp-des esp-md5-hmac
!
crypto map pix 10 ipsec-isakmp
set peer 64.64.64.64
set transform-set pix-set
match address 121
!
interface FastEthernet4
description OUTSIDE Interface
ip address dhcp
ip access-group 104 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map pix
!
!
!
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.8.1
!
!
!
!
!
access-list 104 remark Firewall ACL for WAN interface
access-list 104 permit udp host 64.64.64.64 any eq isakmp
access-list 104 permit udp host 64.64.64.64 any eq non500-isakmp
access-list 104 permit ip 10.10.1.0 0.0.0.255 10.20.100.0 0.0.0.255
access-list 104 permit udp any eq bootps any eq bootps
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip any any log
access-list 121 remark Crypto map address match ACL
access-list 121 permit ip 10.20.100.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 130 remark NO NAT ACL for ROUTE MAP
access-list 130 deny ip 10.20.100.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 130 permit ip 10.20.100.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 130
!
The traffic I would like to send directly to the internet is traffic destined to 2.2.2.2.
Thanks,
11-30-2022 07:02 AM - edited 11-30-2022 11:41 AM
see below comment
11-30-2022 10:28 AM
Hi, you mean something like:
access-list 121 remark Crypto map address match ACL
access-list 121 deny ip 10.20.100.0 0.0.0.255 host 2.2.2.2
access-list 121 permit ip 10.20.100.0 0.0.0.255 10.10.1.0 0.0.0.255
11-30-2022 10:36 AM
@jfigueroa if the IP address you are attempting to communicate with is 2.2.2.2 then that is not defined in the crypto ACL 121, so it would not be routed via the VPN tunnel. Only traffic between 10.20.100.0/24 and 10.10.1.0/24 will be encrypted and routed over the VPN tunnel. Therefore this traffic is already routing out locally, so no need to modify ACL 121.
You've got ACL 104 inbound on the outside interface, with a default deny. Create an ACE above the default deny to permit the return traffic from 2.2.2.2.
11-30-2022 10:58 AM
That was my understanding, and that's why I would not need that specific traffic to go through the tunnel; what would be the use? Correct me if I am wrong, please.
The configuration is as I posted originally, except that I added the second line access-list 104 permit tcp host 2.2.2.2 any:
access-list 104 remark Firewall ACL for WAN interface
access-list 104 permit tcp host 2.2.2.2 any
access-list 104 permit udp host 64.64.64.64 any eq isakmp
access-list 104 permit udp host 64.64.64.64 any eq non500-isakmp
access-list 104 permit ip 10.10.1.0 0.0.0.255 10.20.100.0 0.0.0.255
access-list 104 permit udp any eq bootps any eq bootps
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip any any log
11-30-2022 11:03 AM
@jfigueroa and does that work with that new ACE in ACL 104?
Is traffic routed out locally and translated correctly? Check the logs to see if any traffic is hitting the deny rule.
You've not provided the output of the inside interface, I assume it is configured for "ip nat inside"?
Run a packet capture on the outside interface, to confirm traffic is routed out the interface and if there is a reply.
11-30-2022 11:14 AM
JESUS..., that was it!
ip nat inside was missing.
The local interface is a trunk; I added the missing ip nat inside to the 10.20.100.0 VLAN.
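To make the crypto-ACL versus NAT-ACL reasoning from the earlier reply and this root cause concrete, here is an added Python check (my example, not code from the thread or from Cisco) that evaluates a flow against ACL 121 and ACL 130 from the original post and flags the missing `ip nat inside`; the config excerpt is constructed from the thread, and port qualifiers are not modelled.

```python
import ipaddress
import re

# Constructed excerpt of the thread's router config: crypto ACL 121, NAT ACL 130, interfaces.
CONFIG = """\
interface FastEthernet4
 ip nat outside
interface Vlan1
 description LAN for 10.20.100.0/24 (no ip nat inside here, as in the thread)
access-list 121 permit ip 10.20.100.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 130 deny ip 10.20.100.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 130 permit ip 10.20.100.0 0.0.0.255 any
"""

def _net(toks):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD' (contiguous mask)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    prefix = 32 - int(ipaddress.ip_address(toks[1])).bit_length()
    return ipaddress.ip_network(f"{toks[0]}/{prefix}", strict=False), toks[2:]

def parse_acls(config):
    """Map ACL number -> ordered [(action, src_net, dst_net)]; port qualifiers not modelled."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\d+) (permit|deny) \S+ (.*)", line)
        if m:
            src, rest = _net(m.group(3).split())
            dst, _ = _net(rest)
            acls.setdefault(m.group(1), []).append((m.group(2), src, dst))
    return acls

def acl_action(acl, src_ip, dst_ip):
    """First-match evaluation with IOS's implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((a for a, src, dst in acl if s in src and d in dst), "deny")

def classify_flow(config, src_ip, dst_ip):
    """Does the crypto map (ACL 121) grab the flow, and does the nonat route-map (130) NAT it?"""
    acls = parse_acls(config)
    return {"encrypted": acl_action(acls["121"], src_ip, dst_ip) == "permit",
            "natted": acl_action(acls["130"], src_ip, dst_ip) == "permit"}

def nat_inside_missing(config):
    """Root cause in this thread: an interface is 'ip nat outside' but none is 'ip nat inside'."""
    sub = {l.strip() for l in config.splitlines() if l.startswith(" ")}  # interface sub-commands
    return "ip nat outside" in sub and "ip nat inside" not in sub
```

Traffic to 2.2.2.2 is not selected by ACL 121 and is permitted by ACL 130, so it should be translated locally; the missing `ip nat inside` is what stops the translation from happening.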
11-30-2022 10:56 AM - edited 11-30-2022 11:41 AM
@Rob Ingram found the issue here:
ip nat inside missing,
no need to modify any ACL.
Thanks.
11-30-2022 11:31 AM
Thanks a lot @MHM Cisco World for the lab, but it was a lot easier to just add the missing command. I appreciate it!
11-30-2022 11:32 AM - edited 11-30-2022 11:36 AM
You are welcome