Hi Rick,

Can you provide the detailed info or example for how to do it, please. We have a Cisco 881 router which was configured with site-to-site IPsec VPN with a older Cisco Pix firewall at Corp office. Right now everything was configured with IPsec tunnel to Corp office for internet access and data traffic for branch office user. We are replacing Pix firewall with ASA 5512-X, and I will need to reconfigure Cisco 881 router for site-to-site VPN tunnel to Corp office only with data traffic, and internet traffic goes locally through ISP. I am new to Cisco, any help is highly appreciated.

Regards,

Kevin

Kevin

If the router already has a working site to site VPN then most of the work is already done. Basically what you will need to do is to change how traffic is routed so that instead of routing all traffic out through the VPN tunnel you will route through the VPN tunnel only the traffic going to the Corp office. I could give you better advice about this if I knew more about how the current VPN is configured. If I assume that this VPN is done the traditional way with a crypto map on the interface and an access list that identifies traffic to go through the tunnel then the primary thing is to change the access list so that it only selects Corp traffic. The other thing that may need to be done is to alter the routing logic since it is likely that the current route has a default route pointed at the tunnel. The new routing logic will need a default route to the ISP for Internet traffic and other routes to send the Corp traffic through the VPN.

HTH

Rick

Hi Rick,

Yes, there is working site-to-site VPN from branch office to Corp office. The current Cisco Pix515 firewall used at Corp office is out of service support, we are replacing it with Cisco ASA5512-X firewall.

So I will need to reconfigure site-to-site VPN on ASA and Cisco 881 router, and also make sure the data traffic on branch office goes VPN tunnel and internet traffic goes locally through ISP.

Attached is the configuration of banch 881 router (I changed IP address).

Thank you so much for your help.

Kevin

Kevin

Thank you for posting the configuration. I have looked through it and do have a couple of comments. Based on what I see in the config it looks like the router is already set up to send through the VPN only traffic for corp and to send other traffic out via the ISP.

The router is already set up to translate addresses of outbound traffic. I would not have expected to find this if the router were sending all traffic through the VPN. I find the route map used for address translation to be a bit odd, especially instance 10 which has no match statement in the config that you posted.

I glanced at the Zone Based Firewall part of the config but did not go through it carefully. If the router were changing from sending all traffic through the VPN to sending only corp traffic through the VPN then ZBF would be an area that would need to be checked carefully.

HTH

Rick

Hi Rick,

Thanks for looking at the configuration file, and provide the helpful comments on it.

I will go through the configuration, and make the changes accordingly, so it will have the working VPN tunnel and internet traffic routing.

Bets regards,

Kevin