04-20-2008 11:36 AM - edited 03-03-2019 09:38 PM
Hello,
I've got a VPN connected between my head office and a small remote office. All works except the remote office can't get onto the internet.
I assume that by default the internet traffic from the remote office will travel down the VPN. So I wondered what the next step is?
I have attached the configuration of the remote office's Cisco 877. The 877 VPNs to a Cisco ASA 5520. The ASA is also where the internet should be accessed from. The ASA's outside interface connects to our internet router.
On the ASA I have added on the inside a permit rule for 172.19.15.0/24 to any on http/https and UDP domain.
04-21-2008 05:48 AM
In the config all I see for the tunnel access is:
access-list 101 remark SDM_ACL Category=20
access-list 101 permit ip 172.19.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 172.19.15.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 101 permit ip 172.19.15.0 0.0.0.255 192.168.90.0 0.0.0.255
These are the only networks this tunnel is allowed to access.
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key 12345 address 80.71.16.66
!
!
crypto ipsec transform-set MY_T_Set esp-aes 256 esp-sha-hmac
!
crypto map MY_Crypto_Map 10 ipsec-isakmp
set peer 80.71.16.66
set security-association lifetime seconds 28800
set transform-set MY_T_Set
set pfs group5
match address 101 <---ACL to match
If you need the remote site to access other resources you will need to add it there I believe.
04-21-2008 09:55 AM
So will I have to remove my 3 subnets and replace with:
access-list 101 permit ip 172.19.15.0 0.0.0.255 any
I really just wanted those subnets and the internet over the tunnel.
04-21-2008 10:12 AM
One thing I would do is be very basic in the ACL to find out if that is the issue.
One way to do this would be to do as you suggest. This would take all traffic from that subnet and allow access to anything. If that works you can get more granular in the settings. One question: if the site has an internet connection, why have the internet traffic go through the tunnel and then out the head office connection? Why not split the traffic: all business traffic to the office goes through the tunnel and all other traffic goes out the internet?
04-21-2008 10:43 AM
I will try this and get back to you.
A couple of things, though:
1.) How could I split the traffic, just for my knowledge?
2.) Also, my company requires that all web traffic come through our HQ's internet pipe so we can monitor users' web traffic, block sites, etc. I can't see how I can get more granular, as I would need the "any" for the destination since they would need to get to any internet site.
3.) I have Cisco VPN Client users coming into the ASA and they can access the internet through the tunnel; all I had to do was add a dynamic NAT onto the outside interface of the ASA. Do client VPNs work differently from site-to-site VPNs?
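The two designs discussed in this thread, full tunnel (every packet from the remote LAN is "interesting" and goes to the ASA, which then sends it out to the internet) and split tunnel (only the head-office subnets go through the tunnel, everything else is NATed locally on the 877), written out as an added example. This is not configuration from the thread, from the attached 877 config, or from Cisco documentation. The interface names Vlan1 and Dialer0, the NAT ACL number 110, the ASA ACL name REMOTE_VPN and the pre-8.3 ASA NAT syntax (nat/global) are assumptions; the peer, subnets and ACL 101 are the ones already in the thread.

```cisco
! ===== Remote office Cisco 877: variant A, full tunnel =====
! ACL 101 is the crypto map's "match address" ACL. With "any" as the
! destination, every packet from 172.19.15.0/24 is encrypted to the ASA,
! including internet traffic. Other LAN subnets would need their own line.
no access-list 101
access-list 101 remark full tunnel: all LAN traffic is interesting
access-list 101 permit ip 172.19.15.0 0.0.0.255 any
!
! In this variant the 877 must NOT NAT this traffic: on IOS, inside NAT
! is applied before encryption, so a matching "ip nat inside source"
! rule would rewrite the source address and the packet would no longer
! match ACL 101. Make sure no NAT rule on the router matches the LAN.
!
! ===== Remote office Cisco 877: variant B, split tunnel =====
! Only the three head-office subnets are interesting traffic.
no access-list 101
access-list 101 remark split tunnel: head-office subnets only
access-list 101 permit ip 172.19.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 172.19.15.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 101 permit ip 172.19.15.0 0.0.0.255 192.168.90.0 0.0.0.255
!
! NAT overload (PAT) on the WAN for everything else. The deny lines keep
! the tunnel traffic out of NAT, which is what actually splits the paths:
! a packet to 192.168.20.x is not NATed, so it still matches ACL 101 and
! is encrypted; a packet to an internet address is NATed and routed out.
! (ACL 110 number and the interface names are assumed.)
access-list 110 deny   ip 172.19.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 deny   ip 172.19.15.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 110 deny   ip 172.19.15.0 0.0.0.255 192.168.90.0 0.0.0.255
access-list 110 permit ip 172.19.15.0 0.0.0.255 any
ip nat inside source list 110 interface Dialer0 overload
interface Vlan1
 ip nat inside
interface Dialer0
 ip nat outside
!
! ===== ASA 5520 side for variant A (assumed 7.x/8.0 syntax) =====
! The ASA's crypto ACL must mirror the 877's: any -> 172.19.15.0/24.
access-list REMOTE_VPN extended permit ip any 172.19.15.0 255.255.255.0
! Decrypted traffic bound for the internet arrives on the outside
! interface and has to leave on the same interface (hairpinning).
same-security-traffic permit intra-interface
! PAT the remote LAN to the ASA's outside address, the same idea as the
! dynamic NAT already used for the VPN Client users in this thread.
nat (outside) 1 172.19.15.0 255.255.255.0
global (outside) 1 interface
```

With variant A, the monitoring requirement from question 2 is met because every remote-office web request exits through the ASA's outside address and can be filtered there; the cost is that all remote internet traffic consumes head-office bandwidth twice (in through the tunnel, out to the internet). Variant B answers question 1. Whichever variant is used, the crypto ACL on the ASA must be the exact mirror of ACL 101 on the 877, or phase 2 will not come up for the extra destinations; checking "show crypto ipsec sa" on both sides for the proxy identities is the quickest way to confirm the two ACLs agree.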