Default route inside Site-to-site VPN tunnel

We want to route default traffic inside the site-to-site VPN tunnel. Our goal is to route all traffic, including the default route, from the branch to HO, and HO will help the branch with internet surfing.

I have the following difficulties:

1. I cannot configure Dynamic NAT for the branch router on the HO ASA. I know the configuration for 8.2 but don't know about 8.4.

    The following is the configuration for 8.2; if someone can translate it for 8.4 that would be a great help:

    nat (outside) 1 192.168.230.0

2. I don't know how to write the default route on the branch router to send all traffic inside the VPN tunnel.

Accepted Solution

Jouni Forss (VIP Alumni)

Hi,

If I understood you correctly then you want to forward ALL the traffic from the Remote Site to the Central Site and handle the Internet traffic there.

I guess you could define the "interesting traffic" in the L2L VPN configuration ACL / access-list in the following fashion

Branch Router

ip access-list extended

permit ip any

Central ASA

access-list permit ip any

The idea behind the above type of ACL configurations for the L2L VPN is that, for example, the Branch Router has a rule that defines that connections coming from the local LAN to "any" destination address should be forwarded to the L2L VPN connection. Therefore it would act in a way that all traffic would be forwarded to the Central Site through the L2L VPN.

I have to say though that the Router side VPN configurations aren't most familiar to me, as I mostly handle ASA firewalls (and to some degree still PIX and FWSMs).

I guess on the Central ASA you will be doing PAT translation towards "outside" so that the hosts can access the Internet?

You would probably be doing something like this

object-group network REMOTE-SITE-PAT-SOURCE

network-object

nat (outside,outside) after-auto source dynamic REMOTE-SITE-PAT-SOURCE interface

If you don't want to use the "outside" interface IP address then you will have to create an "object network " for the PAT IP address and use it in the above NAT configuration line instead of the "interface".

Alternative configuration could be

object network REMOTE-SITE-PAT

subnet

nat (outside,outside) dynamic interface

You will also have to enable

same-security-traffic permit intra-interface

To allow the traffic to enter and leave the same interface on the ASA

All of the above are naturally suggestions on what you might have to do. I don't know what kind of configurations you have at the moment.

Hope this helps in some way

- Jouni

Message was edited by: Jouni Forss
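A worked configuration for both ends of the design Jouni describes, added here as an example and not part of the thread or of Jouni's reply. The HO LAN 10.0.0.0/24, the /24 mask on the branch LAN, the object and ACL names, the interface names and the bracketed placeholders are assumptions; only 192.168.230.0 comes from the question.

```cisco
! === Central-site ASA (8.4) ===
! Assumed: branch LAN 192.168.230.0/24 (network named in the 8.2 line of the
! question), HO LAN 10.0.0.0/24, interfaces "inside" and "outside".
same-security-traffic permit intra-interface
!
object network HO-LAN
 subnet 10.0.0.0 255.255.255.0
object network BRANCH-LAN
 subnet 192.168.230.0 255.255.255.0
!
! Identity NAT so HO <-> branch traffic crosses the tunnel untranslated.
nat (inside,outside) source static HO-LAN HO-LAN destination static BRANCH-LAN BRANCH-LAN
!
! Hairpin PAT: branch traffic arrives on "outside" through the tunnel and leaves
! "outside" again toward the Internet, sourced from the outside interface IP.
! This is the 8.4 form of "nat (outside) 1 192.168.230.0" + "global (outside) 1 interface".
nat (outside,outside) after-auto source dynamic BRANCH-LAN interface
!
! Crypto ACL for the L2L tunnel: the mirror image of the branch side (any <-> branch LAN).
! Because every branch flow now terminates here, the ASA's outbound policy and
! logging apply to branch Internet traffic as well.
access-list L2L-BRANCH extended permit ip any 192.168.230.0 255.255.255.0
!
! === Branch router (IOS) ===
! Assumed: WAN interface GigabitEthernet0/0; ISAKMP policy, pre-shared key and
! transform set already exist and are unchanged.
ip access-list extended VPN-INTERESTING
 permit ip 192.168.230.0 0.0.0.255 any
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer <HO-PEER-IP>
 set transform-set <TRANSFORM-SET>
 match address VPN-INTERESTING
!
interface GigabitEthernet0/0
 crypto map VPN-MAP
!
! There is no separate "default route into the tunnel": the default route still
! points at the ISP, and the crypto map encrypts every packet that matches
! VPN-INTERESTING on its way out of the WAN interface.
ip route 0.0.0.0 0.0.0.0 <ISP-NEXT-HOP>
!
! Caveat: if the branch router also runs "ip nat inside source ... overload"
! toward the ISP, LAN traffic is translated before the crypto map sees it and
! never matches VPN-INTERESTING; in a full-tunnel design remove that local NAT.
```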



Thank you Jouni,

It works perfectly.

Bhadresh
