08-12-2011 08:15 AM
Hi everybody, I have this customer who has two sites, the HQ and a Branch office. The customer has a VPN tunnel connecting the two offices, and the branch office uses the DNS located at the HQ. Now the customer bought a Barracuda Webfilter and wants to push the internet access from the Branch Office to pass through it. In order to do this I think I have to change the tunnel behavior because the branch office will have internet access using the HQ's internet connection. The VPN ACLs are these:
HQ (LAN: 172.16.16.0/24)
access-list NO-NAT extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0 (bypass the nat process)
access-list ENCRYPTED extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0 (Interesting Traffic)
BRANCH (LAN: 172.16.17.0/24)
access-list NO-NAT extended permit ip 172.16.17.0 255.255.255.0 172.16.16.0 255.255.255.0 (bypass the nat process)
access-list ENCRYPTED extended permit ip 172.16.17.0 255.255.255.0 172.16.16.0 255.255.255.0 (Interesting Traffic)
I believe the configuration to route all the internet traffic from the BRANCH through the VPN tunnel and then outside using the HQ internet connection could be done using these configurations:
HQ:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list NO-NAT extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0
access-list NO-NAT extended permit ip any 172.16.17.0 255.255.255.0
access-list TRAFFIC-ENCRYPTED extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0
access-list TRAFFIC-ENCRYPTED extended permit ip any 172.16.17.0 255.255.255.0
BRANCH
access-list NO-NAT extended permit ip 172.16.17.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list NO-NAT extended permit ip 172.16.17.0 255.255.255.0 any
access-list TRAFFIC-ENCRYPTED extended permit ip 172.16.17.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list TRAFFIC-ENCRYPTED extended permit ip 172.16.17.0 255.255.255.0 any
Because the network is in production I have no chance to test this until the customer authorizes a Maintenance window.
Could or couldn't this work??
Am I missing something??
Regards
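Since the change cannot be tried before the maintenance window, the one thing that can be checked offline is whether the two sides' ACLs agree: for a branch-to-internet flow, the BRANCH NO-NAT and crypto entries must select it, and the HQ entries must be the exact mirror image, otherwise the proxy IDs will not match and the tunnel will not carry the traffic. The script below is an added example, not the author's configuration or any Cisco tool; it parses only the `access-list ... extended permit ip SRC DST` form quoted above, and does not model `same-security-traffic permit intra-interface` or the dynamic NAT of 172.16.17.0/24 on the HQ outside interface that the reply below mentions.

```python
import ipaddress

def _to_net(tok):
    """'any' or 'IP MASK' -> ip_network (ipaddress accepts dotted netmasks)."""
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok.replace(" ", "/"))

def parse_acls(text):
    """Parse 'access-list NAME extended permit ip SRC DST' lines into {name: [(src, dst)]}."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] + tok[2:5] != ["access-list", "extended", "permit", "ip"]:
            raise ValueError("unsupported line: " + line)
        rest, nets = tok[5:], []
        while rest:  # each address is 'any' (1 token) or 'IP MASK' (2 tokens)
            n = 1 if rest[0] == "any" else 2
            nets.append(_to_net(" ".join(rest[:n])))
            rest = rest[n:]
        acls.setdefault(tok[1], []).append(tuple(nets))
    return acls

def _matches(entries, src_ip, dst_ip):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for sn, dn in entries)

def tunnel_check(branch, hq, src_ip, dst_ip):
    """Return the checks a Branch->dst flow fails; [] means the branch exempts it from
    NAT and encrypts it, and the HQ entries are the mirror image (proxy IDs agree)."""
    failures = []
    if not _matches(branch["NO-NAT"], src_ip, dst_ip):
        failures.append("BRANCH would NAT the flow before encrypting it")
    if not _matches(branch["TRAFFIC-ENCRYPTED"], src_ip, dst_ip):
        failures.append("BRANCH crypto ACL does not select the flow")
    if not _matches(hq["TRAFFIC-ENCRYPTED"], dst_ip, src_ip):
        failures.append("HQ crypto ACL is not the mirror image")
    if not _matches(hq["NO-NAT"], dst_ip, src_ip):
        failures.append("HQ would NAT the return traffic into the tunnel")
    return failures

# The proposed ACLs from the question; the "any" entries are what carry internet traffic.
HQ = parse_acls("""
access-list NO-NAT extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0
access-list NO-NAT extended permit ip any 172.16.17.0 255.255.255.0
access-list TRAFFIC-ENCRYPTED extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0
access-list TRAFFIC-ENCRYPTED extended permit ip any 172.16.17.0 255.255.255.0
""")
BRANCH = parse_acls("""
access-list NO-NAT extended permit ip 172.16.17.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list NO-NAT extended permit ip 172.16.17.0 255.255.255.0 any
access-list TRAFFIC-ENCRYPTED extended permit ip 172.16.17.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list TRAFFIC-ENCRYPTED extended permit ip 172.16.17.0 255.255.255.0 any
""")
```

Running `tunnel_check(BRANCH, HQ, "172.16.17.10", "198.51.100.5")` on the proposed ACLs returns an empty list, while the same flow against the original LAN-to-LAN-only ACLs fails all four checks, which is exactly the gap the "any" entries close.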
08-13-2011 02:49 AM
Question to ask is how is the Barracuda being configured? Is it in explicit mode or in transparent mode?
If the Barracuda is configured in explicit mode, then the traffic flow from branch office will be as follows:
Branch Office --> Barracuda IP Address --> out towards the Internet via HQ
(In this instance, there will be no requirement to have NO-NAT and TRAFFIC-ENCRYPTED with the "any" keyword). I am also assuming that the Barracuda will proxy the web traffic towards the internet? or would the web traffic be forwarded to the internet with the branch office PC ip address?
If the Barracuda is configured in transparent mode, then the NO-NAT and TRAFFIC-ENCRYPTED needs to be configured with the "any" keyword as per your config above.
Also depending on how Barracuda works, whether web traffic is proxied from the Barracuda ip address or the PC own internal ip address, then you would also need to configure the appropriate NATing on the HQ for the Branch office subnet before being routed towards the internet.
08-14-2011 06:44 PM
Hi, thanks for your reply. The Barracuda, as far as I know, is working in transparent mode and all the traffic is NATed through the HQ's ASA. Then, following your advice, I will use the configuration with the "any" option and I will let you know.
Thanks
Jose
08-14-2011 08:13 PM
Cheers,... let us know how it goes.