12-29-2012 12:14 AM
Many whitepapers and training videos on YouTube explain how to configure a site-to-site VPN, but none of them explain how one would configure it to force all traffic from the remote site to pass through the corporate office to the ASA and out to the internet. Is this solution even feasible with a site-to-site VPN, or is this setup not a common practice? And how do most site-to-site VPN setups handle web traffic? Any help is appreciated.
Take the network design below for example.
[ Internet ] ---- [ ASA ] ----- [ Corporate (R1) ] --- Internet --- [ Remote Site (R2) ]
All traffic, including web traffic, must go through the Corporate Office R1 to the ASA and out to the internet.
I'm a newbie to Cisco so providing configuration examples would be very helpful. Thanks again.
12-29-2012 01:03 AM
To do this you just have to use a proxy ACL (the ACL which is applied to the crypto map), like this:
Main office: access-list permit ip any subnet_of_remote_office
Remote site: access-list permit ip subnet_of_remote_office any
With these crypto ACLs, all traffic from/to the remote site will go to the main office, including internet traffic.
Or, as a different solution, you can use a proxy server in the main office, point the remote office's internet traffic through that proxy and use more specific proxy ACLs.
01-02-2013 11:00 AM
Hi Andrew,
The suggestion you gave brought the VPN session down. Not sure why though, as it makes perfect sense. However, I changed it to the following and the VPN session was restored, but it did not force all traffic to the main office. Hosts behind the remote site can access the internet, but only from the remote router. I'm stumped. Any other suggestions?
Main office: access-list permit ip subnet_of_main_office any
Remote site: access-list permit ip any subnet_of_main_office
01-02-2013 12:58 PM
Using a proxy would be a good idea; I'm assuming you want to do this so that you can filter the traffic etc. So why not use the proxy option?
Also you can try to use route map/PBR.
01-02-2013 04:54 PM
One reason is to filter web traffic content and another reason is because most vendors' web sites are granted access only by a public ip from the corporate office.
Sent from Cisco Technical Support iPhone App
01-02-2013 05:04 PM
Thank you! Using a Proxy is one great solution, but if web traffic can be forced to go through the corporate office, that would accomplish both web content filtering and accessing vendors websites. This seems more complicated than I anticipated.
Sent from Cisco Technical Support iPhone App
01-03-2013 09:13 AM
If you are using a proxy, then when you hit the vendor website your source IP should be the corporate office's IP. And like I said, you can do route map/PBR.
01-03-2013 10:49 PM
Sorry, I am not familiar with route map/pbr. How does that work?
Sent from Cisco Technical Support iPhone App
01-03-2013 10:56 PM
Reading about route map at http://m.voices.yahoo.com/manipulate-traffic-cisco-routers-route-map-1457389.html Hope to get something out of this article.
Sent from Cisco Technical Support iPhone App
01-04-2013 09:31 AM
Here is another link:
http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcpolicy.html
In general the steps are as follows:
- Create ACLs for the networks, for example:
access-list 100 permit ip 10.20.10.0 0.0.0.255 <vendor IPs>
- Create a route map:
route-map test-routemap permit 10
 match ip address 100
 set ip next-hop x.x.x.x (this would be the corporate gateway)
But then again I must ask: if you are using the proxy, then the source IP for your vendor sites should be the IP of the corporate network, and you shouldn't even need to do all that.
01-04-2013 02:36 PM
Mohammad,
Looks like route map/pbr is something I can use to accomplish what I'm after.
I have a proxy at the corporate site, but not at the remote site. So without forcing web traffic from the remote site to go out at the corporate site, the source IP address for web traffic will be the remote public IP address and therefore remote hosts won't be able to access vendors' websites due to the IP address restriction.
I'm going to run a lab on this route map and will report back in a day or two.
Many thanks Mohammad...
01-05-2013 09:45 PM
In a point-to-point environment and with route-map/PBR configured on R2, when accessing the internet from Host2, web traffic was routed to R1 and its web source IP was 1.1.1.1. Without the route-map configured, its web source IP was 2.2.2.2. Both configurations work as expected.
This confirmed a functioning route-map in a normal point-to-point environment. However, in a site-to-site VPN environment with the same route-map configuration applied, the route-map did not work. Either I missed something or route-map may not be supported in a site-to-site VPN environment. Can you confirm this?
Included are my router configs and route-map statement for reference. The site-to-site VPN config is omitted, but it is functioning normally.
hostname R1
!
interface FastEthernet0/0
 description Facing ISP
 ip address 1.1.1.1 255.255.255.128
 ip nat outside
!
interface FastEthernet0/1
 description Facing LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

hostname R2
!
interface FastEthernet0/0
 description Facing ISP
 ip address 2.2.2.2 255.255.255.128
 ip nat outside
!
interface FastEthernet0/1
 description Facing LAN
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
access-list 1 permit 172.16.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
! Route-map statement (on R2)
ip access-list extended ACL-WEB-TRAFFIC
 permit tcp 172.16.1.0 0.0.0.255 any eq www
!
route-map RM-TO-CORPORATE permit 10
 match ip address ACL-WEB-TRAFFIC
 set ip next-hop 192.168.1.1
!
interface FastEthernet0/1
 ip policy route-map RM-TO-CORPORATE

Host2: ip address 172.16.1.10, gateway 172.16.1.1
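The posted R2 config translates every LAN source (access-list 1) before the crypto map is consulted, because IOS applies inside-to-outside NAT ahead of the crypto check. The added example below (not from the thread) models that egress order for R2 with the thread's own addresses (172.16.1.0/24, 2.2.2.2, 192.168.1.0/24); the destination 203.0.113.10 is a constructed internet host, and NAT list 1 is modelled as an extended ACL so the same matcher serves both lists.

```python
# Added example: model R2's egress pipeline (NAT, then crypto-map ACL) with
# Cisco wildcard masks, to show why tunnel-bound traffic needs a NAT exemption.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco-style wildcard match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def acl_lookup(acl, src, dst):
    """First-match evaluation of (action, src_base, src_wc, dst_base, dst_wc)
    entries; an ACL ends with an implicit deny."""
    for action, sbase, swild, dbase, dwild in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny"

def remote_egress(nat_acl, crypto_acl, src, dst, public_ip="2.2.2.2"):
    """Return (source address seen on the wire, 'tunnel' or 'clear').
    Assumes IOS inside-to-outside order: NAT is applied before the crypto
    ACL is checked, so a translated source no longer matches the LAN."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = public_ip                      # translated to R2's outside address
    if acl_lookup(crypto_acl, src, dst) == "permit":
        return src, "tunnel"                 # encrypted towards R1
    return src, "clear"                      # routed out FastEthernet0/0 as-is

ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("172.16.1.0", "0.0.0.255")            # remote site LAN
MAIN = ("192.168.1.0", "0.0.0.255")          # corporate LAN

# Full-tunnel crypto ACL from the first answer: remote subnet -> any.
CRYPTO_FULL = [("permit", *LAN, *ANY)]
# NAT list 1 as posted: every LAN source is translated, nothing exempted.
NAT_POSTED = [("permit", *LAN, *ANY)]
# Same list with tunnel-bound traffic exempted first (here: all of it).
NAT_EXEMPT = [("deny", *LAN, *ANY), ("permit", *LAN, *ANY)]

# Split-tunnel variant: only corporate-bound traffic is encrypted and exempted.
CRYPTO_SPLIT = [("permit", *LAN, *MAIN)]
NAT_SPLIT = [("deny", *LAN, *MAIN), ("permit", *LAN, *ANY)]

if __name__ == "__main__":
    print(remote_egress(NAT_POSTED, CRYPTO_FULL, "172.16.1.10", "203.0.113.10"))
    print(remote_egress(NAT_EXEMPT, CRYPTO_FULL, "172.16.1.10", "203.0.113.10"))
```

With the posted NAT list, Host2's internet traffic leaves as 2.2.2.2 in the clear, which matches the symptom reported earlier in the thread; with the exemption in place it stays 172.16.1.10 and is selected for the tunnel.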
01-07-2013 07:46 AM
If this is web traffic we are talking about to the vendor sites, then you can simply use the proxy server and configure it on the computers, and then their source IP would be the corporate site's IP.
01-07-2013 08:37 PM
I want to thank you for your help all along. After spending two weeks trying to get this to work with no success, I give up on it until next time. I know there are alternate solutions using a proxy server, but it's not worth the trouble now, so thank you very much. Route-map would have worked for a non site-to-site VPN environment, but unfortunately not in my case.
Thanks again!
Sent from Cisco Technical Support iPhone App