
Default route inside Site-to-site VPN tunnel

We want to route default traffic inside the site-to-site VPN tunnel. Our goal is to route all traffic, including the default route, from the branch to the HO, and the HO will handle the branch's internet surfing.

I have the following difficulties:

1. I cannot configure dynamic NAT for the branch router on the HO ASA. I know the configuration for 8.2 but don't know it for 8.4.

    The following is the configuration for 8.2; if someone can translate it for 8.4 that would be a great help:

    nat (outside) 1 192.168.230.0

2. I don't know how to write a default route on the branch router to send all traffic inside the VPN tunnel.

ACCEPTED SOLUTION

Mentor

Hi,

If I understood you correctly then you want to forward ALL the traffic from the Remote Site to the Central Site and handle the Internet traffic there.

I guess you could define the "interesting traffic" in the L2L VPN configuration ACL / access-list in the following fashion:

Branch Router

    ip access-list extended
     permit ip any

Central ASA

    access-list permit ip any

The idea behind the above type of ACL configuration for the L2L VPN is that, for example, the Branch Router has a rule that defines that connections coming from the local LAN to "any" destination address should be forwarded to the L2L VPN connection. Therefore it would act in a way that all traffic would be forwarded to the Central Site through the L2L VPN.

I have to say though that the Router side VPN configurations aren't the most familiar to me, as I mostly handle ASA firewalls (and to some degree still PIX and FWSMs).

I guess on the Central ASA you will be doing PAT translation towards "outside" so that the host can access Internet?

You would probably be doing something like this:

    object-group network REMOTE-SITE-PAT-SOURCE
     network-object

    nat (outside,outside) after-auto source dynamic REMOTE-SITE-PAT-SOURCE interface

If you don't want to use the "outside" interface IP address, then you will have to create an "object network" for the PAT IP address and use it in the above NAT configuration line instead of "interface".

An alternative configuration could be:

    object network REMOTE-SITE-PAT
     subnet
     nat (outside,outside) dynamic interface

You will also have to enable

    same-security-traffic permit intra-interface

to allow the traffic to enter and leave the same interface on the ASA.

All of the above are naturally suggestions on what you might have to do. I don't know what kind of configurations you have at the moment.

Hope this helps in some way.

- Jouni

Message was edited by: Jouni Forss

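The following is an added, fully filled-in version of the branch-router and ASA 8.4 pieces described in the accepted answer above. It is constructed for this thread and is not Jouni's configuration or anything from Cisco documentation: the branch LAN is assumed to be 192.168.230.0/24 (the question gives only 192.168.230.0, without a mask), and the ACL, object, crypto map and transform-set names (BRANCH-VPN, L2L-BRANCH, BRANCH-LAN, BRANCH-MAP, ESP-AES-SHA), the ISP next hop 203.0.113.1, the ASA peer address 198.51.100.10 and the WAN interface name are all assumed placeholders from the documentation address ranges.

```cisco
! ===== Branch router (IOS) =====
! Constructed example. Names, masks and addresses below are assumed, not taken from the thread.
! Branch LAN assumed to be 192.168.230.0/24.

! Crypto ACL: everything sourced from the branch LAN to ANY destination is "interesting"
! traffic and is therefore sent into the L2L tunnel, including Internet-bound flows.
! The router's own IKE/ESP packets are sourced from the WAN address, so they do not match
! this ACL and still reach the peer in the clear (as they must).
ip access-list extended BRANCH-VPN
 permit ip 192.168.230.0 0.0.0.255 any

! The "default route inside the tunnel" is just a normal default route towards the ISP
! next hop (203.0.113.1 assumed). The crypto map on the WAN interface encrypts every
! packet that matches BRANCH-VPN as it leaves, so no separate VPN route is required.
ip route 0.0.0.0 0.0.0.0 203.0.113.1

! Crypto map excerpt. Assumes an ISAKMP policy, pre-shared key and the transform set
! ESP-AES-SHA already exist; the ASA peer address 198.51.100.10 is assumed.
crypto map BRANCH-MAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set ESP-AES-SHA
 match address BRANCH-VPN
interface GigabitEthernet0/0
 description WAN uplink (assumed interface name)
 crypto map BRANCH-MAP

! ===== Central ASA (8.4) =====
! Mirror image of the branch crypto ACL: any source, branch LAN as destination.
access-list L2L-BRANCH extended permit ip any 192.168.230.0 255.255.255.0

! 8.4 equivalent of the 8.2 line "nat (outside) 1 192.168.230.0" from the question:
! branch LAN sources that arrive decrypted on "outside" and leave again on "outside"
! towards the Internet are PAT'd to the outside interface address (object NAT form).
object network BRANCH-LAN
 subnet 192.168.230.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Without this the ASA drops a flow that enters and exits the same interface.
same-security-traffic permit intra-interface
```

Two checks are worth doing once this is in place. On the router, `show crypto ipsec sa` should show both the encaps and decaps counters rising while a branch host browses, which confirms Internet traffic is really entering the tunnel rather than leaking out via the plain default route. On the ASA, `packet-tracer input outside tcp 192.168.230.10 12345 198.51.100.50 80` (constructed addresses) walks a branch-to-Internet packet through the rule base and shows whether the intra-interface permit and the (outside,outside) PAT rule are both hit. One caveat the thread does not cover: if the HO ASA also has a dynamic PAT for its own inside LAN (a `nat (inside,outside)` rule), HO-to-branch traffic needs an identity (twice) NAT exemption so it keeps its real source address and still matches L2L-BRANCH; that rule is an assumption about the HO setup, not something stated in the question.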
Thank you Jouni,

It works perfectly.

Bhadresh