Internet through VPN Lan-2-Lan

jose cortes
Level 1

Hi everybody, I have this customer who has two sites, the HQ and a Branch office. The customer has a VPN tunnel connecting the two offices; the branch office uses the DNS located at the HQ. Now the customer bought a Barracuda Webfilter and wants to push the internet access from the Branch Office to pass through it. In order to do this I think I have to change the tunnel behavior because the branch office will have internet access using the HQ's internet connection. The VPN ACLs are these:

HQ (LAN: 172.16.16.0/24)

access-list NO-NAT extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0 (bypass the nat process)

access-list ENCRYPTED extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0 (Interesting Traffic)

BRANCH (LAN: 172.16.17.0/24)

access-list NO-NAT extended permit ip 172.16.17.0 255.255.255.0 172.16.16.0 255.255.255.0 (bypass the nat process)

access-list ENCRYPTED extended permit ip 172.16.17.0 255.255.255.0 172.16.16.0 255.255.255.0 (Interesting Traffic)

I believe the configuration to route all the internet traffic from the BRANCH through the VPN tunnel and then outside using the HQ internet connection could be done using these configurations:

HQ:

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list NO-NAT extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0

access-list NO-NAT extended permit ip any 172.16.17.0 255.255.255.0

access-list TRAFFIC-ENCRYPTED extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0

access-list TRAFFIC-ENCRYPTED extended permit ip any 172.16.17.0 255.255.255.0

BRANCH

access-list NO-NAT extended permit ip 172.16.17.0 255.255.255.0 172.16.16.0 255.255.255.0

access-list NO-NAT extended permit ip 172.16.17.0 255.255.255.0 any

access-list TRAFFIC-ENCRYPTED extended permit ip 172.16.17.0 255.255.255.0 172.16.16.0 255.255.255.0

access-list TRAFFIC-ENCRYPTED extended permit ip 172.16.17.0 255.255.255.0 any

Because the network is in production I have no chance to test this until the customer authorizes a maintenance window.

Could or couldn't this work?

Am I missing something?

Regards
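As an added sanity check (example code, not part of the original post): an IPsec L2L tunnel only comes up for traffic whose proxy IDs match on both peers, so each crypto ACE on the branch needs an exact mirror (source and destination swapped, with "any" mirroring "any") in the HQ's crypto ACL. The script below parses the ASA ACE lines proposed above and lists any branch entry without a mirror at HQ; the ACL text is copied from the post as a constructed sample.

```python
import ipaddress
import re

# Constructed sample: the proposed HQ and BRANCH ACL lines quoted in the post.
HQ_ACL = """
access-list NO-NAT extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0
access-list NO-NAT extended permit ip any 172.16.17.0 255.255.255.0
access-list TRAFFIC-ENCRYPTED extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0
access-list TRAFFIC-ENCRYPTED extended permit ip any 172.16.17.0 255.255.255.0
"""

BRANCH_ACL = """
access-list NO-NAT extended permit ip 172.16.17.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list NO-NAT extended permit ip 172.16.17.0 255.255.255.0 any
access-list TRAFFIC-ENCRYPTED extended permit ip 172.16.17.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list TRAFFIC-ENCRYPTED extended permit ip 172.16.17.0 255.255.255.0 any
"""

# One ACE: "access-list <name> extended permit ip <src> <dst>"; each side is "any" or "<addr> <mask>".
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(any|\S+\s+\S+)\s+(any|\S+\s+\S+)\s*$"
)

def _net(token):
    """'any' becomes 0.0.0.0/0; '<addr> <mask>' becomes an ip_network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_aces(text, acl_name):
    """Return the set of (src, dst) networks permitted by one named ACL."""
    entries = set()
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            entries.add((_net(m.group(2)), _net(m.group(3))))
    return entries

def unmirrored(local_text, remote_text, acl_name):
    """Local ACEs whose mirror (src/dst swapped) is missing on the remote peer."""
    local = parse_aces(local_text, acl_name)
    remote = parse_aces(remote_text, acl_name)
    return sorted(f"{s} -> {d}" for s, d in local if (d, s) not in remote)

if __name__ == "__main__":
    for name in ("TRAFFIC-ENCRYPTED", "NO-NAT"):
        print(name, "unmirrored at HQ:", unmirrored(BRANCH_ACL, HQ_ACL, name))
```

Run against the ACLs in the post both lists come back empty; deleting the HQ "any" entry makes the branch's "172.16.17.0/24 -> any" ACE show up as unmirrored, which is exactly the case that would break the hairpinned internet traffic.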

3 Replies

Jennifer Halim
Cisco Employee

The question to ask is how the Barracuda is being configured: is it in explicit mode or in transparent mode?

If the Barracuda is configured in explicit mode, then the traffic flow from branch office will be as follows:

Branch Office --> Barracuda IP Address --> out towards the Internet via HQ

(In this instance, there will be no requirement to have NO-NAT and TRAFFIC-ENCRYPTED with the "any" keyword). I am also assuming that the Barracuda will proxy the web traffic towards the internet? or would the web traffic be forwarded to the internet with the branch office PC ip address?

If the Barracuda is configured in transparent mode, then the NO-NAT and TRAFFIC-ENCRYPTED ACLs need to be configured with the "any" keyword as per your config above.

Also depending on how Barracuda works, whether web traffic is proxied from the Barracuda ip address or the PC own internal ip address, then you would also need to configure the appropriate NATing on the HQ for the Branch office subnet before being routed towards the internet.

Hi, thanks for your reply. The Barracuda, as far as I know, is working in transparent mode and all the traffic is NATed through the HQ's ASA. Then, following your advice, I will use the configuration with the "any" option and I will let you know.

Thanks

Jose

Cheers,... let us know how it goes.