
IPsec VPN for Internet use

Muhammad Azhar
Level 1

Hi All,

I have 20 sites and all sites are connected to the Central site by an MPLS cloud (hub and spoke). I have configured site-to-site IPsec on my ASA with the branches. All users of the branches will use the internet through the Central site, as a proxy server is placed in the Center where all user traffic is filtered. Can you please help with how branch users can use the internet? What additional configuration will be required?

Thanks.

Javed

5 Replies

Andrew Phirsov
Level 7

If, as you said, site-to-site VPN connectivity between CO and branches is configured and working, you just have to configure the remote offices' browsers to use the proxy server in CO. The crypto ACL on the branch routers should be configured to tunnel all HTTP(S)-related traffic through CO.

Andi,

What do you mean by  

"Crypto-ACL on branch-routers should be configured to tunnel all http(s)-related traffic through CO"

Does that mean we just put the proxy address in the user's browser?

Let's assume my CO has subnets 192.168.1.0/24 and 192.168.2.0/24, and one of my branches has the subnet 172.16.1.0/24.

My ACLs on the CO ASA are

access-list NONAT permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list NONAT permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0

and the branch ASA is configured as

access-list NONAT permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list NONAT permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Thanks

You just have to tunnel all traffic from the VPN peers:

In the simplest way, the proxy ACL should look just like this:

Branch ASA:

access-list VPN_ACL permit ip 172.16.1.0 255.255.255.0 any

CO ASA:

access-list VPN_ACL permit ip any 172.16.1.0 255.255.255.0

With these proxy ACLs all your branch traffic will go through the central site.

After that you can set up the proxy settings on your users' browsers at the branches, using the proxy server in CO.
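
To show how the "tunnel everything" crypto ACL above fits together with the NAT exemption and the crypto map on each side, here is an added example. It is not configuration from the original post: it assumes the subnets used in this thread (branch 172.16.1.0/24, CO 192.168.1.0/24 and 192.168.2.0/24), pre-8.3 ASA NAT syntax matching the `NONAT` lines posted earlier, and made-up peer addresses 198.51.100.1 (branch outside) and 203.0.113.1 (CO outside).

```cisco
! ---- Branch ASA (assumed outside IP 198.51.100.1, LAN 172.16.1.0/24) ----
! Crypto ACL: every packet sourced from the branch LAN goes into the tunnel,
! including the traffic addressed to the proxy in CO.
access-list VPN_ACL extended permit ip 172.16.1.0 255.255.255.0 any
! NAT exemption must be at least as wide as the crypto ACL; otherwise PAT
! rewrites the source before encryption and the packet no longer matches VPN_ACL.
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set TS esp-aes-256 esp-sha-hmac
crypto map VPNMAP 10 match address VPN_ACL
crypto map VPNMAP 10 set peer 203.0.113.1
crypto map VPNMAP 10 set transform-set TS
crypto map VPNMAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key BranchSharedSecretPlaceholder

! ---- CO ASA (assumed outside IP 203.0.113.1) ----
! Mirror image of the branch crypto ACL; one crypto map entry per branch.
access-list VPN_ACL_BR1 extended permit ip any 172.16.1.0 255.255.255.0
! NAT exemption for the CO LAN subnets (including the proxy) towards the branch,
! so the proxy's replies to branch clients stay un-NATed and match VPN_ACL_BR1.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set TS esp-aes-256 esp-sha-hmac
crypto map VPNMAP 10 match address VPN_ACL_BR1
crypto map VPNMAP 10 set peer 198.51.100.1
crypto map VPNMAP 10 set transform-set TS
crypto map VPNMAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key BranchSharedSecretPlaceholder

! ---- Checks ----
! On the branch, once a browser hits the proxy, encaps/decaps counters for the
! 172.16.1.0/24 -> 0.0.0.0/0 SA should increase.
show crypto ipsec sa peer 203.0.113.1
```

Two caveats worth knowing before rolling this out. First, `permit ip 172.16.1.0 255.255.255.0 any` leaves the branch with no local Internet breakout at all: DNS, OS updates and anything else not aimed at the proxy also cross the tunnel, so the CO must be able to serve or forward that too. Second, with an explicit proxy the branch clients' packets are addressed to the proxy's LAN IP, so the CO ASA only has to route them inside. If some branch hosts will not be proxy-configured and must reach the Internet directly via CO, that traffic enters and leaves the CO ASA on the same outside interface, which additionally requires `same-security-traffic permit intra-interface` and a NAT rule for 172.16.1.0/24 on the outside interface.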

Thanks Andi,

I have a routing issue at my CO ASA. Attached are the topology diagram and configuration.

Thanks

In the above context, all branch users' internet traffic should be routed to the proxy, which is located in my LAN. If I use a default route for this on my ASA (route inside 0.0.0.0 0.0.0.0 10.11.11.2) for all branches, then the proxy again routes the traffic to the ASA and then to the internet router, which makes some confusion as I already have a default route on my ASA to the internet.

I tried it on GNS3, but still have confusion regarding default routes for internet.
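
The conflict described in the last post comes from pointing a second default route at the inside. The ASA keeps a single default route, and with an explicit browser proxy the branch clients' packets are addressed to the proxy's own LAN IP, so what the CO ASA needs is a specific route to the LAN subnets behind 10.11.11.2, not a default route towards them. As an added example, not configuration from the thread, assuming the CO ASA inside interface is 10.11.11.1/24, the LAN subnets 192.168.1.0/24 and 192.168.2.0/24 sit behind the L3 device at 10.11.11.2, the proxy listens at 192.168.1.10:8080, and the Internet gateway on outside is 203.0.113.254:

```cisco
! ---- CO ASA routing (pre-8.3 syntax assumed; all addresses below are assumptions) ----
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.11.11.1 255.255.255.0
!
! Exactly one default route, and it points at the Internet.
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
! The CO LAN subnets (where the proxy lives) get specific routes via 10.11.11.2
! instead of a second default route on inside.
route inside 192.168.1.0 255.255.255.0 10.11.11.2 1
route inside 192.168.2.0 255.255.255.0 10.11.11.2 1
!
! The proxy's own outbound leg (proxy -> Internet) is PATed on the outside interface.
! The 'nat (inside) 0 access-list NONAT' exemption already in place for 172.16.1.0/24
! is evaluated first, so proxy -> branch replies stay un-NATed and match the crypto ACL.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.2.0 255.255.255.0
!
! ---- Checks ----
! Branch client (172.16.1.10, arriving decrypted on outside) to the proxy: the
! route lookup must pick 'inside via 10.11.11.2', not the default route.
packet-tracer input outside tcp 172.16.1.10 1025 192.168.1.10 8080
! Proxy's outbound leg to an Internet host (198.51.100.50 used as a placeholder):
! must use the outside default route and the PAT entry.
packet-tracer input inside tcp 192.168.1.10 40000 198.51.100.50 80
show route
```

Because the browsers point at 192.168.1.10:8080, the only flow the CO ASA ever sees from a branch is "172.16.1.x -> 192.168.1.10", which is resolved by the specific inside route; the proxy then opens its own connection to the Internet host, which is an ordinary inside-to-outside flow using the single default route. No policy routing is needed on the ASA for this design; a transparent proxy (clients unaware of it) would be a different topology and is not what the thread describes.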
