07-26-2011 11:21 AM
Hello everyone,
Until now, my company has used Split Tunneling for all of our VPN uses, however we recently purchased 2 ASA5505s for use at various jobsites, and have been running into problems with Local Network Administrators blocking certain traffic that we need to operate. They allow full VPN connectivity to traverse their networks, so we are able to use our LAN Resources over the split tunnel no problem.
We have it set up as a Dynamic L2L Connection, and this ASA is operating flawlessly minus the traffic being blocked upstream by the network admin. Our VPN topology is Hub & Spoke. Below are excerpts from our config on how the VPN is set up:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
access-list to_hq extended permit ip 192.168.101.0 255.255.255.0 192.168.0.0 255.255.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address to_hq
crypto map outside_map 10 set peer *
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
pre-shared-key *
What we'd like to achieve is being able to pass ALL traffic (LAN & Internet) through the VPN tunnel, then be processed by the Hub ASA (192.168.9.1) on the other end. I am guessing crypto map + routing would have to be changed?
Is this how I would go about doing this? We need ip address dhcp setroute so our ASA can find the other end and form the VPN tunnel, and I am not sure how this would affect things.
Here is NAT + Routing on the Hub ASA:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address * 255.255.255.248
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 * 1
Your help is greatly appreciated!!
08-03-2011 03:46 PM
Hi Steven,
You don't need "route inside 0.0.0.0 0.0.0.0 192.168.9.1" to make it work. You can retain dhcp setroute. The routes of tunneled traffic are needed just to find the egress interface. Other assumptions are correct.
Apart from this, you need to PAT Remote n/w traffic on HUB ASA so that remote n/w can talk to internet.
nat (outside) 1 192.168.101.0 255.255.255.0
!
same-security-traffic permit intra-interface
!
-Atul
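The answer's two hub-side lines placed next to the pre-8.3 NAT already quoted in the question, as an added illustration rather than configuration taken from the thread. The widened spoke crypto ACL at the top is an assumption about what a tunnel-all match ACL looks like, not a line either poster shared.

```cisco
! ---- Spoke ASA (192.168.101.0/24 behind it) ----
! Assumed: the crypto ACL widens from the 192.168.0.0/16 hub subnets to "any",
! so Internet-bound packets are encrypted towards the hub as well. The rest of
! the spoke excerpt (dhcp setroute, crypto map, tunnel-group) stays unchanged.
access-list to_hq extended permit ip 192.168.101.0 255.255.255.0 any
crypto map outside_map 10 match address to_hq

! ---- Hub ASA (192.168.9.1) ----
! Existing lines from the question, kept: the nonat ACL exempts site-to-site
! traffic from NAT, and inside subnets are PATed to the outside interface.
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

! Added per the answer: decrypted spoke traffic arrives on the outside
! interface and, when Internet-bound, must leave through that same interface
! (hairpinning). By default the ASA drops traffic that enters and exits the
! same interface, so this is enabled explicitly.
same-security-traffic permit intra-interface

! Added per the answer: PAT the spoke subnet as it turns around on "outside"
! (pool id 1 = the outside interface address), so its private 192.168.101.x
! source addresses are not sent to the Internet untranslated.
nat (outside) 1 192.168.101.0 255.255.255.0
```

Note that same-security-traffic permit intra-interface is a global setting, so any traffic arriving on an interface may now turn around on it, not only tunneled traffic; interface ACLs (and a vpn-filter on the tunnel-group, if used) remain the place to bound what spoke hosts can reach.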