Forwarding Internet traffic through IPSec Site-to-Site VPN NO HairP

ajc
Level 7

Hi everyone,

Wondering if the following is enough to accomplish this. Traffic from Site 2 will travel over the S2S VPN tunnel to Site 1 to get Internet access, BUT instead of doing hairpinning, I want that traffic to traverse the FW (packet inspection) on the left of the picture (SITE1), and the FW would forward the traffic to the Internet over its own link to the cloud.

crypto access-list on SITE1 site should be something like this:
access-list acl-crypto-SITE1 permit ip any 192.168.2.0 255.255.255.0

Enable following functions on SITE1 ASA
same-security-traffic permit intra-interface 

Configure dynamic NAT rules for 192.168.2.0/24 on SITE1 ASA. Something like this:
object network SITE2
 subnet 192.168.2.0 255.255.255.0
 nat (Outside,Outside) dynamic interface

The SITE2 ACL and everything else is configured. Currently, the site-to-site VPN tunnel is up and I can get traffic flowing between the 2 subnets on each end; I am having issues with the traffic from SITE2 going to the Internet, as explained above.

thanks

[Diagram: SITE2SITE-VPN.png]

19 Replies

@ajc, any ACL/VPN filter configured?

Run packet-tracer from Site1 ASA to simulate the traffic flow, that should provide some pointers. Provide the output for review.

Hi Rob, 

I updated the diagram; there is no ASA on SITE2. We built an IKEv2 VPN tunnel that is working and allowing traffic between the LANs on each end. The problem I am having is that no PC on SITE2 is getting Internet access. Packet captures from the INSIDE interface of the ASA on SITE1 are not showing anything, but in the same capture I can see both LANs communicating. Wondering if I am missing something in the ASA SITE1 configuration.

@ajc you wouldn't see internet traffic from site2 on the inside of Site1 ASA, it hairpins on the outside interface.

Run packet tracer on site1 ASA to simulate the flow.

Packet tracer. Let me analyze it.

[Screenshot: packet-tracer.png]

[Screenshot: packet-tracer1.png]

@ajc, is that output from the site1 ASA? If so, that's wrong: the source interface is not inside, it's outside. Run packet-tracer from the CLI and provide the full output; use TCP instead of ICMP.

The packet-tracer output and configuration provided here are from the SITE1 ASA. I removed the hairpinning/NAT configuration.

Hi Rob,

The traffic is initiated from AZURE into ASA SITE1 and from there to 8.8.8.8, as indicated in the diagram. How do you recommend I run the packet tracer?

The issue is that ASA1 has a default route, so any traffic to the Internet (ANY) will return out and not go through step 2.
The solution, if we can configure it in the ASA, is VRF with VTI:
the VTI is in VRF 1;
the OUT interface of ASA1 is in global.
This makes traffic coming from Azure through the VTI be forwarded using the VRF RIB, not the global RIB, and hence it can be forced via the IN interface and from there to the Internet.

ajc
Level 7

Let me provide the routing table of ASA SITE1. I have a default route for all the tunneled traffic to be sent to the FW interface via the ASA SITE1 Inside interface.

So you need a static route for the remote LAN in Azure and a static route for Azure (the S2S VPN tunnel head).
In the FW behind ASA1 you need NAT for the remote LAN of Azure.
Also you need a static route toward the IN of ASA1 for the return traffic.

I updated the diagram and I have the settings you indicated (SHOW RUN ROUTES OUTPUT ASA SITE1)

ASASite1# show run route

route Outside 0.0.0.0 0.0.0.0 PublicIPABC 1
route Inside 10.0.0.0 255.0.0.0 172.22.10.3 1  (172.22.10.3 is the FW interface, same VLAN as ASA SITE1 Inside 172.22.10.5; I have other VLANs 10.X.Y.Z via the INSIDE of ASA SITE1)
route Outside 10.2.0.0 255.254.0.0 PublicIPABC 1  (the AZURE VLAN is reachable via the OUTSIDE interface of ASA SITE1, over the VPN tunnel)
route Inside 0.0.0.0 0.0.0.0 172.22.10.3 tunneled  (traffic over the tunnel is forwarded to the FW interface, same VLAN as the Inside of ASA SITE1, 172.22.10.5)

-The FW has a NAT statement where it translates 10.2.0.133 into a public IP so it can reach 8.8.8.8

-Logs in the FW are not showing any traffic coming from 10.2.0.133 going to 8.8.8.8. I have a packet capture in the INSIDE int of ASA SITE1 and there is nothing about a continuous ping we have from 10.2.0.133 going to 8.8.8.8. I can only see continuous pings from 10.2.0.133 going to 172.22.2.1 and others in the subnet 172.22.0.0/16 with no issues.

-The INTERESTING TRAFFIC ACL not only includes the VLANs on each end, it also includes 1 statement allowing 10.2.0.133 to 8.8.8.8

route Inside 0.0.0.0 0.0.0.0 172.22.10.3 tunneled <<- the tunneled keyword, I think, works only for remote access or AnyConnect; it has no effect for S2S.

So:

route Outside 0.0.0.0 0.0.0.0 PublicIPABC 1 <<- remove this

route Inside 0.0.0.0 0.0.0.0 172.22.10.3 tunneled <<- here remove only the tunneled keyword

Add the below:

route Outside <azure remote lan>

route Outside <azure ipsec peer IP>


Hi,

The tunneled keyword works for tunneled traffic, be it SSL VPN or IPsec. So there's no need for NAT and other workarounds when traffic from ASA-Azure can be encrypted to ASA-Site1, which in turn routes the traffic to the local FW, where you can NAT it or do whatever extra filtering.

BR,

Octavian

Octavian Szolga
Level 4

Hi,

Setting aside that a more elegant solution for including 0/0 in an IPsec SA is to use a static VTI / route-based IPsec rather than a crypto ACL with 0/0 (even though a source or destination IP is specified), I think you should be using a default route with the tunneled argument on ASA-1, pointing to your site-1 "other Internet firewall".

This way, all the VPN-encrypted traffic that ASA-1 receives will use the parallel/different default route (tunneled) for any destination that ASA-1 does not specifically have in its routing table.

BR,

Octavian
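As an added example that is not part of any post in this thread: a consolidated ASA SITE1 configuration for the design Octavian describes (policy-based IPsec plus a separate tunneled default route toward the local FW), followed by the commands to verify both legs of the flow. Addresses are the ones in the routing table ajc posted; the object, ACL and crypto map names and AZURE_PEER_IP are assumed placeholders.

```cisco
! Added example (not from the thread): ASA SITE1 configuration that sends
! decrypted Azure traffic to the local FW instead of hairpinning it.
! Addresses are from ajc's routing table; object, ACL and crypto map names
! and AZURE_PEER_IP are assumed placeholders.

! --- Address objects (assumed names) ---
object network LAN-SITE1
 subnet 172.22.0.0 255.255.0.0
object network LAN-AZURE
 subnet 10.2.0.0 255.254.0.0

! --- Interesting traffic for the existing IKEv2 crypto map ---
! "any" on the local side lets Internet-bound packets from the Azure LAN
! (e.g. 10.2.0.133 -> 8.8.8.8) match the SA; the Azure side must allow the
! mirror image (10.2.0.0/15 -> any) or the traffic selectors will not agree.
access-list acl-crypto-AZURE extended permit ip any object LAN-AZURE
crypto map CM-OUTSIDE 10 match address acl-crypto-AZURE   ! CM-OUTSIDE is assumed

! --- NAT: identity (no translation) for anything to/from the Azure LAN ---
! Keeps the ASA's regular PAT from rewriting VPN traffic in either direction;
! the FW, not the ASA, does the source NAT toward the Internet. route-lookup
! makes the decrypted packet's egress interface come from the RIB, which is
! where the tunneled default route below takes effect.
nat (Inside,Outside) source static any any destination static LAN-AZURE LAN-AZURE no-proxy-arp route-lookup

! --- Routing ---
route Outside 0.0.0.0 0.0.0.0 PublicIPABC 1
route Outside 10.2.0.0 255.254.0.0 PublicIPABC 1
route Inside 10.0.0.0 255.0.0.0 172.22.10.3 1
! Separate default route used only for traffic that arrived through a VPN
! tunnel: decrypted packets with no more specific route go to the FW
! (172.22.10.3) on the Inside segment instead of back out Outside.
route Inside 0.0.0.0 0.0.0.0 172.22.10.3 tunneled

! Not needed in this design: the packet enters on Outside (decrypted) and
! leaves on Inside, so there is no hairpin and therefore no need for
!   same-security-traffic permit intra-interface
! or a nat (Outside,Outside) rule.

! --- Verification from the ASA CLI ---
! Forward leg, simulated as the decrypted packet on Outside. Expect egress
! interface Inside, an untranslated NAT phase and result ALLOW. If it is
! dropped at the ACCESS-LIST phase, that is a packet-tracer artefact: it
! simulates a cleartext packet, while real decrypted traffic bypasses the
! interface ACL under sysopt connection permit-vpn (the default).
packet-tracer input Outside tcp 10.2.0.133 40000 8.8.8.8 443 detailed
! Return leg: the FW has un-NATted the reply and routed it to 172.22.10.5.
! Expect egress Outside and a VPN encrypt phase.
packet-tracer input Inside tcp 8.8.8.8 443 10.2.0.133 40000 detailed
! Live traffic: encaps/decaps counters per SA, and a capture on Inside that
! should now show 10.2.0.133 <-> 8.8.8.8 (ajc's capture showed LAN-to-LAN only).
show crypto ipsec sa peer AZURE_PEER_IP
capture CAPIN interface Inside match ip host 10.2.0.133 host 8.8.8.8
show capture CAPIN
```

Two things outside the ASA still have to be in place for this to work, as MHM noted earlier in the thread: the FW needs a static route for 10.2.0.0/15 pointing at the ASA's Inside address 172.22.10.5 for the return traffic, and a source NAT rule covering 10.2.0.0/15 toward its own Internet link. Before relying on the tunneled route, also check the restrictions listed for it in the ASA routing guide (unicast RPF on the egress interface is one of them).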