Route all traffic over IPsec tunnel.

Jpadams23
Level 1

We have 7 remote offices and 10 tower locations that utilize IPsec tunnels back to our HQ. We now want to force all traffic including web surfing through the tunnels. What would be the easiest way to accomplish this? I have tried utilizing the crypto map policy to do this, but was unable to accomplish this.

Each of our office locations utilize a Cisco 2811 router and the tower locations utilize a Cisco 881.

Any suggestions would be greatly appreciated.

21 Replies

Julio Carvajal
VIP Alumni

Hello Jonathan,

On the Crypto ACL you need to match all traffic (ip) and do not nat the traffic as well.

That should do it

Regards,

Julio

Do rate helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

This is what I was using and I could not figure out why it did not work. The HQ network is 192.168.4.0/24 and this remote office is 192.168.24.0/24.

crypto map REM_RTR 10 ipsec-isakmp
 description Tunnel to HQ
 set peer xx.xx.36.80
 set transform-set myset
 match address 120

interface fa0/0
 crypto map REM_RTR

access-list 120 permit ip any 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 any

I am obviously missing something right in front of my face but can not see it.

Hello Jonathan,

So this is the config of the remote site, and you want to send all traffic from .24 over the VPN tunnel.

The ACL should be:

access-list 120 permit ip 192.168.24.0 255.255.255.0 any

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I have corrected the access-list and when performing a traceroute from a local machine it is still dumped out onto the local internet instead of routing through to HQ.

Any suggestions?

Hello Jonathan,

You have a nat 0 rule, right?

Can you provide it? It should be something similar to this:

nat (inside) 0 access-list vpn

access-list vpn should be:

access-list vpn permit ip 192.168.24.0 255.255.255.0 any

Please provide the following:

packet-tracer input inside tcp 192.168.24.20 1025 4.2.2.2 80

Regards,

Julio

Rate helpful posts!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I actually removed the nat outside and inside statements from the remote router I am trying to accomplish this on. I would rather all NAT related things go through our corporate link.

I tried to issue the packet-tracer command and it seems my version of IOS does not have that command.

What's your local (client) subnet? I ask because the postings above changed your 3rd octet from .4 to .24.

"packet-tracer" is an ASA command and not available on IOS.

.24 is the remote subnet. .4 is the HQ subnet.

OK, I see that now after re-reading the above. So, on the remote site, your access-list vpn is currently one line as follows:

access-list vpn permit ip 192.168.24.0 255.255.255.0 any

You do need the nat 0 rule there as Julio noted above so as to exempt the remote site's traffic from being NATted.

Your VPN is up, yes? (show crypto isakmp sa)

If all the above are confirmed, then please try "show access-list vpn", introduce traffic into the tunnel and repeat the "show" command. You should see the "hitcnt" incrementing.

Hello Jonathan and Marvin,

Thanks for that Marvin, I forgot we were on a router; yep, packet-tracer is not supported on IOS routers.

The ACL should be like:

access-list vpn permit ip 192.168.24.0 0.0.0.255 any

So you will send all traffic over the VPN tunnel. Just to let you know, after you make a change to a VPN configuration (in this case it will be a phase 2 change) you need to tear down the tunnel and then re-build it so the peers can negotiate the VPN tunnel with the new setup.

A "clear crypto sa peer x.x.x.x" (remote access IP address) should do it.

Regards,

Julio

Do rate helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
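As an added check that is not part of anyone's reply in this thread: a small Python validator that parses the three ACL shapes discussed above (the original ACL 120 with the HQ subnet as source, the version with a subnet mask in the wildcard position, and the corrected 0.0.0.255 form) and reports why each would or would not send the whole 192.168.24.0/24 LAN into the tunnel. The sample ACL lines are constructed from the thread and the function names are mine, not IOS commands.

```python
import ipaddress
import re

# Constructed samples modelled on the thread's ACLs (not copied from a device).
REMOTE_LAN = "192.168.24.0/24"
ORIGINAL_ACL = ["access-list 120 permit ip any 192.168.4.0 0.0.0.255",
                "access-list 120 permit ip 192.168.4.0 0.0.0.255 any"]
MASK_TYPO_ACL = ["access-list 120 permit ip 192.168.24.0 255.255.255.0 any"]
CORRECTED_ACL = ["access-list 120 permit ip 192.168.24.0 0.0.0.255 any"]

# Matches the plain "access-list NAME permit|deny ip SRC DST" form used above.
ADDR = r"(any|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(rf"^access-list\s+\S+\s+(permit|deny)\s+ip\s+{ADDR}\s+{ADDR}\s*$")

def wildcard_to_network(addr, wild):
    """'addr wildcard' -> ip_network; IOS ACLs take inverse masks, so a value
    shaped like a subnet mask (255.255.255.0) is rejected with a hint."""
    w = int(ipaddress.ip_address(wild))
    if w & (w + 1):                      # set bits are not a contiguous low run
        hint = ipaddress.ip_address((~w) & 0xFFFFFFFF)
        raise ValueError(f"{wild} is not a wildcard mask; did you mean {hint}?")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def parse_endpoint(tok):
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return wildcard_to_network(*tok.split())

def check_crypto_acl(lines, lan):
    """Findings for a crypto ACL meant to put every packet from `lan`, internet
    traffic included, into the tunnel. An empty list means the ACL does that."""
    lan = ipaddress.ip_network(lan)
    findings, full_tunnel = [], False
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        action, src, dst = m.groups()
        try:
            src_net, dst_net = parse_endpoint(src), parse_endpoint(dst)
        except ValueError as err:
            findings.append(f"{line.strip()}: {err}")
            continue
        # Full-tunnel entry: the local LAN as source, destination 'any'.
        if action == "permit" and lan.subnet_of(src_net) and dst_net.prefixlen == 0:
            full_tunnel = True
    if not full_tunnel:
        findings.append(f"no permit entry matches {lan} -> any; internet-bound "
                        "traffic follows the default route instead of the tunnel")
    return findings
```

Calling check_crypto_acl(ORIGINAL_ACL, REMOTE_LAN) reports the missing LAN-to-any entry, MASK_TYPO_ACL additionally gets the wildcard hint, and CORRECTED_ACL returns no findings.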

Ok, I will re-add the nat inside, outside, and overload and try the NAT ACL rule. Let's hope that it works.

Actually I can not utilize the NAT 0 rule. The HQ is a Cisco 2811 router, not a PIX.

Marvin,

Yes the tunnels are up. I am able to access all networks fine. The only part that is not working is the forcing of internet data across the tunnel.

Hello Jonathan,

So just take out all the nat statements.

You do not need to nat the VPN traffic.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I have removed nat, added the crypto map, and modified the access list. I can browse the remote network but am unable to browse the web. On the HQ router I added permit ip 192.168.24.0 255.255.255.0 any to the nat access list. Any ideas what else I need to change on that router?

The solution is very close!
