2702 Views, 0 Helpful, 7 Replies

How forward all traffic over ipsec vpn tunnel ?

decryptinfo
Level 1

Hello,

Excuse me for my English, I am French.

I currently have two Cisco ASA 5505. They are at different physical sites (SITE A, SITE B) and are configured with a site-to-site VPN which is active and working.

I can communicate with the subnets on either site from the other and both are connected to the internet, however I need to ensure that all the traffic at my site B goes through this VPN to my site A.

I changed this access-list :

access-list outside_2_cryptomap extended permit ip network_siteB network_siteA

to

access-list outside_2_cryptomap extended permit ip network_siteB any

But this does not work. If I go to http://checkip.dyndns.org/, the site B IP address is not the same as the site A one.

thank you for your help.

Greg

7 Replies

Gustavo Medina
Cisco Employee

Hello Greg,

The change you have made to the access-list is fine; however, I suppose you had a NAT exemption on ASA B when going from network_siteB to network_siteA, and the rest of the traffic was being PATed to the public ASA B address, so you would need to either exempt the traffic from being translated when it goes from network_siteB to any, or remove the PAT config. On ASA A you need to configure U-turn and PAT to translate the network_siteB subnet to the ASA A public IP address. Make sure the interesting traffic on ASA A is from any to network_siteB as well.

regards,

Thanks for info.

I removed the PAT config of ASA B. However this does not work.

For Site B, I have no internet. It's a good start!

The traffic did not pass through the tunnel.

I attached the config of Site A and the config of Site B.

Hi,

On site_B the config looks good; however, on the attached config for site A there is relevant information missing: what does the DECRYPTINFO object contain? The ACL for that tunnel on Site A should be:

access-list outside_cryptomap_2 extended permit ip any object NTEWORK_SITEB

The NAT is not properly configured either, try this:

object network obj_any

nat (any,outside) dynamic interface

And make sure you have this command:

same-security-traffic permit intra-interface

Regards,
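As an added example (not configuration from the thread or its attachments), here is what the two pieces of advice above (NAT exemption on ASA B plus an "any" crypto ACL; U-turn, intra-interface permit and hairpin PAT on ASA A) look like when written out together. Interface names (inside/outside), object names, the subnets 192.168.1.0/24 (SITE A) and 192.168.2.0/24 (SITE B) and the 8.3+ NAT syntax are assumptions; the existing crypto map, IKE and tunnel-group lines are left out because the thread states the tunnel already works.

```cisco
!=== ASA B (spoke, SITE B): every LAN flow is interesting traffic for the tunnel
! Assumed names/addresses, not taken from the thread
object network NETWORK_SITEB
 subnet 192.168.2.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
!
! Crypto ACL: the LAN to anywhere (the ACL is matched after NAT, so the
! source must still be the real LAN address when it gets here)
access-list outside_2_cryptomap extended permit ip object NETWORK_SITEB any
!
! NAT exemption (identity twice-NAT, evaluated before any auto-NAT rule):
! LAN -> anything keeps its real source address. Without this, a PAT rule
! rewrites the source to the public IP first, the packet no longer matches
! the crypto ACL and it leaves in clear text towards the internet.
nat (inside,outside) source static NETWORK_SITEB NETWORK_SITEB destination static obj_any obj_any
!
! Deliberately absent: "object network obj_any / nat (any,outside) dynamic interface".
! With a full tunnel, ASA B never PATs internet traffic itself.
!
!=== ASA A (hub, SITE A): terminate the tunnel and U-turn B's internet traffic
object network NETWORK_SITEA
 subnet 192.168.1.0 255.255.255.0
 ! ordinary PAT for A's own LAN (auto-NAT, evaluated after the twice-NAT rules below)
 nat (inside,outside) dynamic interface
object network NETWORK_SITEB
 subnet 192.168.2.0 255.255.255.0
!
! Mirror of B's crypto ACL: anything -> SITE B
access-list outside_cryptomap_2 extended permit ip any object NETWORK_SITEB
!
! Let a packet that arrived on outside (decrypted from the tunnel) leave on
! outside again (towards the internet)
same-security-traffic permit intra-interface
!
! 1) Identity NAT so A's LAN reaches B's LAN untranslated
nat (inside,outside) source static NETWORK_SITEA NETWORK_SITEA destination static NETWORK_SITEB NETWORK_SITEB
! 2) Hairpin PAT: decrypted packets from B headed for the internet are sent
!    back out of outside with ASA A's public address as source, so the
!    checkip test at SITE B shows SITE A's address
nat (outside,outside) source dynamic NETWORK_SITEB interface
```

To confirm the path before testing from a client, run packet-tracer on ASA B for a LAN host towards a public address, e.g. `packet-tracer input inside tcp 192.168.2.10 1025 198.51.100.50 80 detailed` (constructed addresses): the NAT phase should show the identity rule, and a VPN ENCRYPT phase should appear with a final ALLOW. On ASA A, the same command with `input outside` and the SITE B source should show the `(outside,outside)` PAT and `show crypto ipsec sa` should report the decaps counter increasing for the SITE B peer.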

Ok,

I will test this.

Regards

I changed the NAT "obj_any" however this does not work.

I simplified the attached configuration files.

That is strange; it does not work.

Regards

Hello,

You still have the PAT configuration on Site B:

object network obj_any
 nat (any,outside) dynamic interface

Regards,

Hello,

Excuse me, the PAT configuration does not exist. It was there to have internet (for sending mail).

Regards.