01-29-2013 01:06 AM - edited 02-21-2020 06:40 PM
Hi All,
I have 20 sites and all sites are connected to Centeral side by MPLS cloude. ( HUB and spoke ) I have configured site to site IPsec on my ASA with branches. All user of branches will use internt throgh Centeral site as Proxy server is placed in Center where all user traffic is filterd. Can you please help how branch user can use internet. what additional configuration will be required.
Thanks.
Javed
01-29-2013 02:12 AM
If, as you said site-to-site vpn connectivity between CO and branches is configured and working, you just have to configure remote office's browsers to use proxy-server on CO. Crypto-ACL on branch-routers should be configured to tunnel all http(s)-related traffic through CO.
01-29-2013 03:41 AM
Andi,
What do you mean by
"Crypto-ACL on branch-routers should be configured to tunnel all http(s)-related traffic through CO"
Is that mean we just put the proxy address in user browser ?
Let assume my CO have subnets 192.168.1.0/24 , 192.168.2.0/24, and one of my branch have IP 172.16.1.0/24
My ACL on both CO ASA is
access-list NONAT permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
and Branch ASA is configured as
access-list NONAT permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Thanks
01-29-2013 05:02 AM
You just have to tunnel all traffic from vpn-peers:
In simpliest way, proxy acl should look just like this
Branch ASA:
access-list VPN_ACL permit ip 172.16.1.0 255.255.255.0 any
CO ASA:
access-list VPN_ACL permit ip any 172.16.1.0 255.255.255.0
With this proxy-acls all your branch traffic will go through central site.
After that you can setup proxy settings on your user's browsers at branches, using proxy server in CO.
01-30-2013 01:10 AM
01-30-2013 01:22 AM
In the abov context all branches user internet traffic should b routed to Proxy , which is located in my LAN. if i use defult route for this on my ASA ( route inside 0.0.0.0 0.0.0.0 10.11.11.2) for all branches and then proxy again route the traffic to ASA and then internet router , which make some confusion as i already have a defult route on my ASA to internet.
I try it on GNS3 , but still have confusion regarding defult routes for internet.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide