Configure Remote Cisco ASA to route all traffic to IPSEC VPN Tunnel

name2
Level 1

I have configured my remote Cisco ASA to reach a specific host at HQ. Two hosts on each site are reachable via the IPSEC tunnel. My internet access, however, is via my default route to my ISP on my remote Cisco ASA.


I'm trying to access the internet via the IPSEC tunnel from my HQ (Fortigate IPSec tunnel configured as share local) and not via my default route.


I have tried adjusting my ACL on the ASA from permit 10.0.0.0/24 11.0.0.0/24 to permit 10.0.0.0/24 any, and removing the default route and replacing it with only a route to the HQ's public IP address with my ISP as the next hop.


How can I achieve this?

3 Replies

Hello,


--> I'm trying to access the internet via the IPSEC tunnel from my HQ (Fortigate IPSec tunnel configured as share local) and not via my default route.


I am not sure I understand what you are trying to accomplish...


Post a topology diagram and indicate which host on which device (Fortigate or ASA) wants to access the Internet from where (Fortigate or ASA).

Hello, I would like all inbound and outbound traffic to go through IPSEC instead of through my ISP. Instead of default routing to my ISP, traffic would be routed over IPSEC to my HQ.


Diagram attached below


Hello,


Not sure why adding all IP addresses to the crypto map access list doesn't work. Can you post the running config of your ASA?


Make sure you have the below in your config:


! Objects for the two site subnets
object network ASA_SUBNET
 subnet 10.0.0.0 255.255.255.0
!
object network FORTIGATE_SUBNET
 subnet 11.0.0.0 255.255.255.0
!
! Crypto ACL (interesting traffic) referenced by the crypto map entry for the HQ peer
access-list ASA_TO_FORTINET permit ip object ASA_SUBNET object FORTIGATE_SUBNET
!
! NAT exemption (identity twice NAT) so tunneled traffic is not PATed to the outside address
nat (inside,outside) source static ASA_SUBNET ASA_SUBNET destination static FORTIGATE_SUBNET FORTIGATE_SUBNET
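The full-tunnel variant of the above, written out as an added example (it is not the poster's running config nor a Cisco reference config). It assumes ASA 8.3+ NAT syntax, an IKEv1 crypto map named OUTSIDE_MAP with sequence 10, a transform set named ESP-AES256-SHA, HQ peer 203.0.113.1 and ISP next hop 198.51.100.1; the ISAKMP policy and tunnel-group are unchanged from the existing /24-to-/24 tunnel and are omitted. The two changes that matter are the crypto ACL destination becoming "any" and the NAT exemption being widened to match it; the default route must stay, because the ASA does its route lookup before the crypto map is consulted, and a packet for an Internet destination with no route is dropped and never reaches the tunnel.

```cisco
! Added example: remote ASA sending ALL inside traffic, Internet included,
! into the site-to-site tunnel to HQ. Addresses and names are assumptions.
!
! 1. Keep the default route toward the ISP. Encryption happens on egress
!    from "outside"; without a route out of that interface, Internet-bound
!    packets are dropped for "no route" before the crypto map sees them.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! 2. Local subnet object (FORTIGATE_SUBNET is no longer needed in the ACL)
object network ASA_SUBNET
 subnet 10.0.0.0 255.255.255.0
!
! 3. Crypto ACL: local /24 to ANY. The Fortigate phase 2 selectors must
!    mirror this (remote 10.0.0.0/24, local 0.0.0.0/0) or phase 2 fails.
access-list ASA_TO_FORTINET extended permit ip object ASA_SUBNET any
!
! 4. NAT exemption widened to match the crypto ACL. Manual (twice) NAT is
!    evaluated before object NAT, so this identity rule wins over the
!    dynamic PAT below and Internet-bound packets keep their 10.0.0.x source.
nat (inside,outside) source static ASA_SUBNET ASA_SUBNET destination static any any no-proxy-arp route-lookup
!
! 5. Existing Internet PAT may stay; with rule 4 in place 10.0.0.0/24 no
!    longer hits it, so nothing leaks out un-encrypted via the ISP.
object network ASA_SUBNET
 nat (inside,outside) dynamic interface
!
! 6. Crypto map entry, unchanged apart from the ACL it references. Give an
!    "any" entry the highest sequence number if other site-to-site peers
!    exist, so it does not shadow their more specific ACLs.
crypto map OUTSIDE_MAP 10 match address ASA_TO_FORTINET
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
```

Two caveats. First, this only works if the HQ side forwards and translates the traffic: the Fortigate needs a firewall policy from the IPsec tunnel interface to its WAN interface with NAT enabled, otherwise 10.0.0.x packets arrive at HQ and die there. Second, there is no local Internet fallback: packets that match the crypto ACL are held for the tunnel and dropped while the SA is down, so a tunnel outage at the branch means an Internet outage at the branch, which is usually the intended behaviour when the goal is to force all traffic through HQ's inspection.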
