Point Remote VPN users to different internal ASA

Travis-Fleming, Level 1

Hello there,

I have the below basic network diagram. We have two ASA firewalls, both newer 5500 models. One has Firepower Module and is used for our internet browsing for the company. The other is simply used as an AnyConnect VPN Concentrator without Firepower.

 

We have a few sites that connect via a site-to-site vpn as well to that VPN firewall using a simple router. The vpn acl on the remote devices said to point all traffic (including internet) over the VPN to our head-end for filtering, so no local internet browsing occurs at the vpn user\device level. This is for those remote router sites only, not AnyConnect (they leverage split-tunnel).

 

Currently those users' internet access is going back out our VPN firewall because that's the default gateway. How can we make remote VPN users that are tunneling all traffic over the VPN send their internet traffic over to the Primary Firewall that has the NGFW capabilities without landing them on the primary firewall for VPN?

 

diagram.jpg

Accepted Solution

@Travis-Fleming 

 

You can define a separate default route for tunneled traffic along with the standard default route.

route <if_name> 0.0.0.0 0.0.0.0 <gateway_ip> tunneled

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112182-ssl-tdg-config-example-00.html

 

So essentially the VPN users traffic would be sent to another next hop, which would then route that traffic out the other firewall.


6 Replies

Travis-Fleming, Level 1

After I posted this the light bulb went off of a route map with the remote router internal LAN as the source, to change the default gateway to the LAN address... but I'll see if anyone else has any other ideas.


Thanks Rob, I knew the answer would be simplistic!

Well I guess we have that setup already, but I'm not seeing traffic in our Primary firewall for the same destination IP as I'm seeing on the VPN firewall.

 

I see there are no NAT rules on the VPN ASA, but in theory we wouldn't need to NAT them as we have static routes on our core switches for the remote VPN sites.

 

Thoughts?

@Travis-Fleming can you run packet-tracer from the VPN firewall to confirm the traffic takes the correct path?

Does the Primary FW know to reach the RAVPN IP pool via its inside interface connected to the core switch?

Thanks Rob, this led me to the right answer. The primary FW did not have a route to this particular subnet out its inside interface. After making that route I started to see their internet traffic on the primary FW like I think I should.
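The two routing rules that resolve this thread are the tunneled default route on the VPN firewall (accepted solution above) and the return route for the remote-access pool on the primary firewall (Rob's last question). The following Python model is an added example, not ASA code and not part of the thread; it reproduces the route selection in software so the asymmetric-return failure can be checked offline. All addresses, interface names, the pool subnet 192.168.100.0/24 and the core next hop 10.0.0.1 are constructed, and the function names are the example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    """One static route. 'tunneled' mirrors the ASA keyword: the route is
    consulted only for traffic that entered the firewall decrypted from a VPN."""
    prefix: IPv4Network
    iface: str
    next_hop: str
    tunneled: bool = False


def select_route(routes, dst, from_tunnel):
    """Longest-prefix match. When only default routes remain, VPN-ingress
    traffic takes the tunneled default if one exists; everything else (and
    VPN traffic with no tunneled default) takes the ordinary default."""
    addr = ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    longest = max(r.prefix.prefixlen for r in matches)
    best = [r for r in matches if r.prefix.prefixlen == longest]
    if longest > 0:
        return best[0]                      # a specific route always wins
    if from_tunnel:
        tunneled = [r for r in best if r.tunneled]
        if tunneled:
            return tunneled[0]
    ordinary = [r for r in best if not r.tunneled]
    return ordinary[0] if ordinary else None


def trace_remote_internet(vpn_fw, primary_fw, pool_src, internet_dst):
    """Follow a full-tunnel remote user's web request out through the VPN
    firewall and the reply back through the primary firewall. The reply only
    matches the forward path when the primary firewall routes the VPN pool
    back toward the core on its inside interface."""
    fwd = select_route(vpn_fw, internet_dst, from_tunnel=True)
    ret = select_route(primary_fw, pool_src, from_tunnel=False)
    return {
        "vpn_fw_egress": (fwd.iface, fwd.next_hop) if fwd else None,
        "primary_fw_return": (ret.iface, ret.next_hop) if ret else None,
        "return_path_ok": ret is not None and ret.iface == "inside",
    }


# Constructed sample tables using documentation address ranges.
CORE = "10.0.0.1"   # core switch, inside next hop for both firewalls (assumed)
VPN_FW = [
    Route(ip_network("0.0.0.0/0"), "outside", "198.51.100.1"),        # ISP
    Route(ip_network("0.0.0.0/0"), "inside", CORE, tunneled=True),     # VPN users' internet
    Route(ip_network("10.0.0.0/8"), "inside", CORE),                   # internal LANs
]
PRIMARY_FW_BEFORE = [
    Route(ip_network("0.0.0.0/0"), "outside", "203.0.113.1"),         # ISP via NGFW
    Route(ip_network("10.0.0.0/8"), "inside", CORE),
]
# The fix from the thread: a route for the remote-access pool on inside.
PRIMARY_FW_AFTER = PRIMARY_FW_BEFORE + [
    Route(ip_network("192.168.100.0/24"), "inside", CORE),
]

if __name__ == "__main__":
    for label, table in (("before", PRIMARY_FW_BEFORE), ("after", PRIMARY_FW_AFTER)):
        print(label, trace_remote_internet(VPN_FW, table, "192.168.100.10", "192.0.2.50"))
```

With the "before" table the reply for pool address 192.168.100.10 falls to the primary firewall's ordinary default route and leaves on outside, which is the symptom described above (traffic seen on the VPN firewall but not on the primary). Adding the pool route flips `return_path_ok` to True; on a real ASA the equivalent check is packet-tracer on each box, as suggested in the thread.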