VPN Tunneling question

mark.nelson
Level 1

Hello,

I am trying to set up a site-to-site VPN tunneling all traffic through the VPN tunnel to the main site.  I have looked at the forum posts many times but apparently I am too dense to see what is needed.  The tunnel comes up and I can pass traffic across the tunnel for the private LAN, but internet traffic does not traverse the tunnel.  I can't help but think it is a NAT issue but do not understand why.

Any help will be appreciated.

Here are the relevant configs:

remote site: 871 router

crypto isakmp policy 15
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key ********* address 207.xx.xx.xx
crypto ipsec transform-set esp-aes esp-aes 256 esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 207.xx.xx.xx
 set transform-set esp-aes
 match address VPNTRAFFIC1
ip nat inside source list NONAT interface FastEthernet4 overload
ip access-list extended NONAT
 deny   ip 192.168.10.0 0.0.0.255 any
ip access-list extended VPNTRAFFIC1
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect MYFW out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1460
 speed 100
 full-duplex
 no cdp enable
 crypto map vpn
!

(If I change the VPNTRAFFIC1 entry to "permit ip 192.168.10.0 0.0.0.255 any", then no traffic passes through the tunnel.)

HQ site: ASA 5510

sysopt permit ipsec command enabled
crypto isakmp policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ipsec transform-set esp-aes-sha esp-aes-256 esp-sha-hmac
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer 98.xxx.xxx.xxx
crypto map outside_map 30 set transform-set esp-aes-sha
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
tunnel-group 98.xxx.xxx.xxx type ipsec-l2l
tunnel-group 98.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
access-list outside_30_cryptomap extended permit ip any 192.168.10.0 255.255.255.0

2 Replies

Jennifer Halim
Cisco Employee

The reason internet traffic is not working is that you have configured NONAT for traffic from the 192.168.10.0/24 subnet towards everything. To browse the internet, traffic needs to be PATed.

Here is what needs to be configured for the NONAT access-list:

ip access-list extended NONAT
  deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
  permit ip 192.168.10.0 0.0.0.255 any

Please kindly remove the existing NONAT ACL, and replace it with the above.

Further to that, the crypto ACL needs to be as follows:
On router: permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
On ASA: access-list outside_30_cryptomap extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0

Hope that helps.

Thanks for the follow-up... that configuration doesn't force all traffic through the tunnel.  The LAN on the router side goes to the internet from their ISP connection rather than through the tunnel to the HQ and out that internet connection.

Any additional thoughts?
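As an added illustration, not code from this thread, here is a small Python model of the router-side logic behind the first reply and the follow-up: on IOS, the inside-to-outside NAT rule is applied before the crypto map is consulted, so the crypto ACL is matched against the post-NAT source address. It evaluates the NONAT and VPNTRAFFIC1 ACLs as posted, the reply's NONAT version, and the "permit ... any" experiment for a LAN host talking to HQ and to the internet. The WAN address and the two hosts are constructed placeholders, and the HQ ASA side (which would have to accept and forward tunneled internet traffic for a full tunnel to work) is not modelled.

```python
import ipaddress

# Cisco wildcard mask: a 1 bit means "don't care"; the address must agree
# with the network on every 0 bit.
def wildcard_match(addr, network, wildcard):
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care

# Extended ACL: list of (action, src_net, src_wc, dst_net, dst_wc), evaluated
# top-down with the implicit "deny any any" at the end.
def acl_permits(acl, src, dst):
    for action, sn, sw, dn, dw in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("192.168.10.0", "0.0.0.255")   # remote-site LAN from the post
HQ  = ("10.0.0.0", "0.255.255.255")   # HQ networks from the post

# ACLs as they appear in the thread.
NONAT_ORIGINAL = [("deny",) + LAN + ANY]                          # deny only: nothing is ever PATed
NONAT_FIXED    = [("deny",) + LAN + HQ, ("permit",) + LAN + ANY]  # the reply's split-tunnel version
CRYPTO_HQ_ONLY = [("permit",) + LAN + HQ]                         # VPNTRAFFIC1 as posted
CRYPTO_ALL     = [("permit",) + LAN + ANY]                        # the "permit ... any" experiment

WAN_IP = "198.51.100.7"  # constructed placeholder for the DHCP address on FastEthernet4

# Inside-to-outside on IOS: NAT runs before the crypto map is consulted, so the
# crypto ACL is matched against the post-NAT source address.
def forward(src, dst, nonat_acl, crypto_acl, wan_ip=WAN_IP):
    if acl_permits(nonat_acl, src, dst):
        src = wan_ip                       # PAT overload to the WAN interface
    path = "tunnel" if acl_permits(crypto_acl, src, dst) else "clear"
    return path, src

if __name__ == "__main__":
    host, inet = "192.168.10.5", "203.0.113.10"   # constructed LAN host and internet host
    for label, nonat, crypto in [("as posted", NONAT_ORIGINAL, CRYPTO_HQ_ONLY),
                                 ("reply's NONAT", NONAT_FIXED, CRYPTO_HQ_ONLY),
                                 ("posted NONAT + crypto any", NONAT_ORIGINAL, CRYPTO_ALL),
                                 ("reply's NONAT + crypto any", NONAT_FIXED, CRYPTO_ALL)]:
        print(label, "-> HQ:", forward(host, "10.1.1.1", nonat, crypto),
              "| internet:", forward(host, inet, nonat, crypto))
```

With the ACLs as posted, internet-bound packets leave FastEthernet4 unencrypted and un-NATed with a private source, which is why browsing fails; with the reply's NONAT they are PATed and sent in the clear (split tunnel), and a "permit ... any" crypto ACL only tunnels them while NONAT still exempts them from PAT.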