cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
23831
Views
3
Helpful
13
Replies

Force all traffic through site-to-site vpn tunnel

tsabsuavyaj
Level 1
Level 1

Many whitepapers and training videos on youtube explain how to configure a site to site vpn, but none of them explain how one would configure to force all traffic from the Remote Site to pass through to the Corporate Office to the ASA and out to the internet. Is this solution even feasible with site to site vpn or is this setup not a common practice? And how do most Site to Site VPN setups handle web traffic?  Any help is appreciated.

Take the network design below for example.


[ Internet ] ---- [ ASA ] ----- [ Corporate (R1) ] --- Internet --- [ Remote Site (R2) ]

All traffice including web traffic must go through the Corporate Office R1 to the ASA and out to the internet. 

I'm a newbie to Cisco so providing configuration examples would be very helpful.  Thanks again.

13 Replies 13

Andrew Phirsov
Level 7
Level 7

To do this you just have to use proxy acl (acl wich applied to crypto-map) like this:

Main office: access list permit ip any subnet_of_remote_office

Remote Site: access-list permit ip subnet_of_remote_office any.

with this cyrpto-acl's all traffic from/to remote site will go to the main office, including internet-traffic.

Or, different solution, you can use proxy-server in the main office, point remote-office internet-traffic through  that proxy and use more specific proxy-acls.

Hi Andrew,

The suggestion you gave brought the vpn session down. Not sure why though as it makes perfect sense. However, I changed it to the following and the vpn session was restored, but did not force all traffic to the main office.  Host behind the remote site can access the internet but only from the remote router. I'm stump. Any other suggestions?

Main office: access list permit ip subnet_of_main_office any

Remote Site: access-list permit ip any subnet_of_main_office

Using proxy would be a good idea I'm assuming you want to do this so that you can filter the traffic etc.  So why not use the proxy option?

Also you can try to use route map/PBR.

One reason is to filter web traffic content and another reason is because most vendors' web sites are granted access only by a public ip from the corporate office.



Sent from Cisco Technical Support iPhone App

Thank you! Using a Proxy is one great solution, but if web traffic can be forced to go through the corporate office, that would accomplish both web content filtering and accessing vendors websites. This seems more complicated than I anticipated.

Sent from Cisco Technical Support iPhone App

If you are using a proxy then when you hit the vendor website that your source IP should be the corporate office' IP.  And like I said you can do route map/pbr.

Sorry, I am not familiar with route map/pbr. How does that work?

Sent from Cisco Technical Support iPhone App

Reading about route map at http://m.voices.yahoo.com/manipulate-traffic-cisco-routers-route-map-1457389.html Hope to get something out of this article.

Sent from Cisco Technical Support iPhone App

Here is another link:

http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcpolicy.html

In general steps are as follows:

- Create ACL's for the networks for example

(access-list 100 permit ip 10.20.10.0 0.255.255.255 vendor IP's)

- Create a route map

route-map test-routemap permit 10

match ip address 100

set ip next-hop x.x.x.x (this would be the corporate gateway)

But then again I must ask if you are using the proxy then the source IP for your vendor sites should be the IP of the corporate network you shouldn't even need to do all that.

Mohammad,

Looks like route map/pbr is something I can use to accomplish what I'm after.

I have a proxy at the corporate site, but not at the remote site. So without forcing web traffic from the remote site to go out at the corporate site, the source ip address for web traffic will be the remote public ip address and therefore, remote hosts won't be able to access vendors' websites due to ip address restriction.

I'm going to run a lap on this route map and will report back in a day or two.

Many thanks Mohammad...

In a point-to-point environment and with route-map/PBR configured on R2, from Host2 when accessing the internet, web traffic was routed to R1 and its web source ip was 1.1.1.1. Without route-map configured, its web source ip was 2.2.2.2, both configurations work as expected.

This confirmed a functioning route-map in a normal point-to-point environment. However, in a site-to-site VPN environment the same route-map configuration applied, but route-map did not work. Either I missed something or route-map may not be supported in a site-to-site vpn environment. Can you confirm this?

Included is my router configs and route-map statement for reference. the Site-to-Site VPN config is omitted, but it is functioning normally.


hostname R1

FastEthernet0/0
Facing ISP
ip address 1.1.1.1 255.255.255.128
ip nat outside

FastEthernet0/1
Facing LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside

access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface fastethernet0/0

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

hostname R2

FastEthernet0/0
Facing ISP
ip address 2.2.2.2 255.255.255.128
ip nat outside

FastEthernet0/1
Facing LAN
ip address 172.16.1.1 255.255.255.0
ip nat inside

access-list 1 permit 172.16.1.0 0.0.0.255
ip nat inside source list 1 interface fastethernet0/0

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

#Route-map Statement

ip access-list extended ACL-WEB-TRAFFIC
permit tcp 172.16.1.0 0.0.0.255 any eq wwww

route-map RM-TO-CORPORATE permit 10
match ip address ACL-WEB-TRAFFIC
set ip next-hop 192.168.1.1

interface fastEthernet0/1
ip policy route-map RM-TO-CORPORATE


Host2
ip address 172.16.1.10
Gateway 172.16.1.1

If this is like web traffic we are talking about to the vendor sites then you can simply use the proxy server and configure it on the computers and now their source IP would be the corporate sites' IP.

I want to thank you for your help all along. After spending two weeks trying to get this to work with no success, I give up on it until next time. I know there are alternate solution by using a proxy server, but its not worth the trouble now, so thank you very much. Route-map would have worked for a non site to site vpn environment, but unfortunately not in my case.

Thanks again!

Sent from Cisco Technical Support iPhone App

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: