12197 Views, 0 Helpful, 8 Replies

Force All Traffic Through VPN Tunnel

nohara (Level 1)

Hello,

I have an ASA 5505 at SiteA that currently has a site-to-site VPN tunnel established with SiteB. Everything is working; users are able to access their shared drives, files, etc. that are at SiteB. However, when I am at SiteA and do a traceroute to google.com, it takes me out to the internet instead of going through the VPN tunnel. How can I force all traffic through the VPN tunnel? Attached is my current running-config. Any help would be greatly appreciated. Thanks!

8 Replies

Francesco Molino (VIP Alumni)
Hi
To force users from the remote site to go through the L2L VPN to access the internet, the ACL used in the crypto map should have destination any, and your NAT for VPN traffic should also change to the any keyword as destination.
On the central site, you'll need to allow the NAT for internet with the remote LAN subnet and allow hair-pinning (same-security-traffic intra-interface).

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Kias (Level 1)

Hi,

I assume the attached config is of Site A. Two observations:

1.

object network obj_any
 nat (inside,outside) dynamic interface

The above config will NAT the internet traffic to the outside interface. We have to see the NAT numbering.

2. In Site B

Is there a NAT for the Site A local subnet?

object network remote_any
 nat (any,outside) dynamic interface

Please advise.

Regards,

Kias
Fonicom Limited
raiseaticket Malta

Yes, the attached config is for SiteA.

SiteB has a WatchGuard Firebox M400 and I know how to configure the VPN tunnel to allow internet traffic to pass through this firewall. I just don't know how I should go about configuring the Cisco ASA 5505.

So you think the below statement is pushing the internet traffic through the outside interface rather than the VPN tunnel?

object network obj_any
 nat (inside,outside) dynamic interface

Hi

No, the statement you're referring to is to allow internal hosts to access outside (internet). They'll be NATed to the outside interface IP as soon as they're reaching that interface (internet access, for example).

The crypto ACL you need to modify is:

access-list outside_cryptomap_3 extended permit ip 192.168.234.0 255.255.255.0 object-group WG_Tunnel

If you don't want to create a new line, you can simply add the object obj_any into WG_Tunnel, like:

object-group network WG_Tunnel
 network-object object obj_any

As soon as you do that, the internet access will flow to your VPN and not locally.

You also need to modify your NAT:

nat (any,any) source static LOCAL-NETWORKS LOCAL-NETWORKS destination static WG_Tunnel WG_Tunnel no-proxy-arp --> Remove it. It's useless. The first NAT is taking care of the same traffic.

Don't forget to align the crypto ACL on the other end as well.

On the other firewall, you will need to allow hair-pinning. That means when a user from Site A accesses the internet, the traffic will arrive on the outside interface of the Site B firewall, be decrypted, and then access the internet through the same outside interface.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
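The full set of changes the replies in this thread describe, written out as an added example rather than lines from the poster's running-config: the spoke (Site A) side in ASA 8.3+ syntax, and the hub side in ASA syntax as the first reply describes it (Site B is actually a WatchGuard Firebox, which needs the equivalent hairpin and PAT rules in its own configuration). The names LOCAL-NETWORKS, obj_any and outside_cryptomap_3 are taken from the thread; obj_any is assumed to be the ASA default 0.0.0.0/0 object, and SPOKE_A_LAN and outside_cryptomap_spoke are assumed names.

```cisco
! ===== Site A (ASA 5505, spoke) =====
! Assumed: obj_any is the default object (subnet 0.0.0.0 0.0.0.0) and
! LOCAL-NETWORKS is the posted object covering 192.168.234.0/24.

! 1. Crypto ACL: everything from the LAN, to any destination, is interesting traffic.
access-list outside_cryptomap_3 extended permit ip 192.168.234.0 255.255.255.0 any

! 2. Identity (no-NAT) rule for tunnel traffic, forced to line 1 so it is
!    evaluated before the dynamic PAT. NAT runs before the crypto map lookup;
!    a PATed packet carries the outside address as source and never matches the ACL.
nat (inside,outside) 1 source static LOCAL-NETWORKS LOCAL-NETWORKS destination static obj_any obj_any no-proxy-arp route-lookup

! 3. The dynamic PAT can stay; after rule 2 it no longer sees LAN traffic.
object network obj_any
 nat (inside,outside) dynamic interface

! ===== Site B (hub), ASA syntax; the WatchGuard needs the equivalent =====
! 4. Hairpin: let decrypted traffic leave the interface it arrived on.
same-security-traffic permit intra-interface

! 5. Mirror of the spoke's crypto ACL (assumed ACL name).
access-list outside_cryptomap_spoke extended permit ip any 192.168.234.0 255.255.255.0

! 6. PAT the spoke LAN to the hub's outside address when it U-turns to the
!    Internet (assumed object name). The hub's existing identity NAT for its
!    own LANs to the spoke LAN must be ordered before this rule.
object network SPOKE_A_LAN
 subnet 192.168.234.0 255.255.255.0
 nat (outside,outside) dynamic interface
```

To check the spoke side, run `packet-tracer input inside tcp 192.168.234.10 1025 8.8.8.8 443` on the Site A ASA: the NAT phase should hit the identity rule and the VPN phase should show an encrypt action with result allow; `show crypto ipsec sa` should then list a 192.168.234.0/24 to 0.0.0.0/0 proxy identity. If the crypto map has more than one entry, the one whose ACL ends in `any` must carry the highest sequence number so that more specific peers are matched first.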

So if I am understanding correctly, adding the below network-object is like saying 0.0.0.0 0.0.0.0 VPN Tunnel?

object-group network WG_Tunnel
 description WG Remote Networks
 network-object 10.1.45.0 255.255.255.0
 network-object 172.16.48.0 255.255.255.0
 network-object 192.168.229.0 255.255.255.0
 network-object 192.168.232.0 255.255.255.0
 network-object 192.168.233.0 255.255.255.0
 network-object object 10.1.23.0
 network-object object Courts
 network-object object Courts_ASA
 network-object object DMZ
 network-object object Inside_DMZ
 network-object object PD
 network-object object ParksFac
 network-object object Rec_Center
 network-object object WG_VPN
 network-object object Management_VLAN
 network-object object obj_any

Then I remove the below.

nat (any,any) source static LOCAL-NETWORKS LOCAL-NETWORKS destination static WG_Tunnel WG_Tunnel no-proxy-arp

Then I make the necessary changes on the SiteB WatchGuard Firebox.

Then all should work, hopefully.

Yes, it should.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi

Did you make the further config changes and try them?

Regards,

Kias

No, I have not. Something came up that I needed to do but will try to make the changes next week some time and let you know. Thanks!