
Route Traffic from Branch To HQ

Hi,

I have an ASA 5505 in a branch office and a 5512-X in HQ. There is an IKEv1 VPN tunnel between them that works fine.
How do I route all the traffic from the branch over the VPN to HQ and use their internet breakout?

The reason is that the 5512-X has Sourcefire and has to filter all the traffic.

Branch (v9.2)

#ACL VPN
access-list acl_vpn_list extended permit ip object net-lan object net-cen-lan
!
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set FirstSet esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map abcmap 1 match address acl_vpn_list
crypto map abcmap 1 set peer x.x.x.x
crypto map abcmap 1 set ikev1 transform-set FirstSet
crypto map abcmap interface isp1
!
crypto ikev1 enable isp1
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 43200
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key xxxx
#NO NAT
nat (lan,isp1) source static net-lan net-lan destination static net-cen-lan net-cen-lan no-proxy-arp route-lookup

HQ(v9.4)

!
#ACL VPN
access-list acl_vpn_list extended permit ip object-group CENTRAAL object-group ZOERSEL
!
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set FirstSet esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map abcmap 1 match address acl_vpn_list
crypto map abcmap 1 set peer x.x.x.x
crypto map abcmap 1 set ikev1 transform-set FirstSet
crypto map abcmap interface isp1
!
crypto ikev1 enable isp1
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 43200
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key xxxx
#NO NAT
nat (lan,isp1) source static net-lan net-lan destination static net-zrl-lan net-zrl-lan no-proxy-arp route-lookup
!

3 Replies

Puneesh Chhabra
Cisco Employee

In the crypto ACL, you'd have to use the any keyword.

Branch:

access-list acl_vpn_list extended permit ip object net-lan any

HQ:

access-list acl_vpn_list extended permit ip any object-group ZOERSEL

 

Change the NAT exempts accordingly.

Also, hairpinning on the HQ would be required to allow internet access for branch users.

Let me know if you need help with the config.

 

Regards,

Puneesh

If you find the answer helpful, please mark it as correct so others can benefit from the discussion.

Thanks for the answer. What do you mean by changing the NAT exempt? Do you mean the no NAT? And hairpinning on HQ?

Here's a sample config:

 

Branch office:

 

NAT Exempt:

nat (lan,isp1) source static net-lan net-lan destination static obj-any obj-any

 

HQ:

NAT Exempt:  

nat (lan,isp1) source static obj-any obj-any destination static net-zrl-lan net-zrl-lan    (you will have to configure these object networks if not configured yet)

 

Hairpinning on HQ:

object network net-lan     (Branch office network)
 nat (isp1,isp1) dynamic interface

same-security-traffic permit intra-interface

 

Regards,

Puneesh

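The two replies above, consolidated into one worked configuration for both ASAs, as an added example that is not the original poster's running config or Puneesh's posted snippets. It keeps the thread's object names (net-lan, net-cen-lan, net-zrl-lan, the object-groups CENTRAAL and ZOERSEL, acl_vpn_list, interfaces lan and isp1, peer x.x.x.x). Everything else is an assumption for illustration: the object obj-any, the inbound ACL name outside_in, the use of any4 as the IPv4-only form of any on 9.0+ code, that net-lan/net-zrl-lan on HQ are the network objects behind CENTRAAL/ZOERSEL, and the documentation addresses 192.0.2.10 and 198.51.100.1 in the packet-tracer line.

```cisco
! Added worked example (not from the original thread). Assumed names: obj-any,
! outside_in, any4 in place of any; sample addresses are documentation space.

! ===== Branch ASA 5505 (9.2) =====
object network obj-any
 subnet 0.0.0.0 0.0.0.0
!
! Crypto ACL: everything sourced from the branch LAN is interesting traffic.
! The HQ entry must be the exact mirror of this one.
no access-list acl_vpn_list extended permit ip object net-lan object net-cen-lan
access-list acl_vpn_list extended permit ip object net-lan any4
!
! NAT exemption (twice NAT, section 1) so the branch LAN is not PAT'ed to the
! isp1 address before encryption. Section 1 is evaluated before any object NAT
! (section 2) rule that provided local Internet breakout until now.
no nat (lan,isp1) source static net-lan net-lan destination static net-cen-lan net-cen-lan no-proxy-arp route-lookup
nat (lan,isp1) source static net-lan net-lan destination static obj-any obj-any no-proxy-arp route-lookup

! ===== HQ ASA 5512-X (9.4) =====
! Mirror of the branch crypto ACL.
no access-list acl_vpn_list extended permit ip object-group CENTRAAL object-group ZOERSEL
access-list acl_vpn_list extended permit ip any4 object-group ZOERSEL
!
! NAT exemption HQ LAN <-> branch. The source is deliberately the HQ LAN
! object, not any: twice NAT rules match in both directions, and an identity
! rule whose reverse reads "branch -> any" would be matched first (section 1)
! for branch -> Internet flows and the hairpin PAT below would never apply.
nat (lan,isp1) source static net-lan net-lan destination static net-zrl-lan net-zrl-lan no-proxy-arp route-lookup
!
! Hairpin: decrypted branch traffic that is routed back out of isp1 is PAT'ed
! to the isp1 address. Traffic must be allowed to enter and leave the same
! interface for this to work.
same-security-traffic permit intra-interface
object network net-zrl-lan
 nat (isp1,isp1) dynamic interface
!
! "no sysopt connection permit-vpn" is set on both boxes, so decrypted VPN
! traffic is still checked against the inbound ACL on isp1 (name assumed).
! Without an entry like this, branch hosts reach neither the Internet nor the
! HQ LAN. Tighten it to the protocols/ports Sourcefire is meant to see.
access-list outside_in extended permit ip object net-zrl-lan any4
access-group outside_in in interface isp1

! ===== Verification on HQ =====
! Simulate a branch host (assumed inside net-zrl-lan) opening a web session to
! the Internet. Expected: NAT phase shows the (isp1,isp1) dynamic rule,
! input and output interface are both isp1, result is ALLOW.
packet-tracer input isp1 tcp 192.0.2.10 40000 198.51.100.1 80
! Confirm rule order (section 1 identity rule, then the section 2 hairpin PAT)
! and that the tunnel carries the any4 selector.
show nat detail
show crypto ipsec sa peer x.x.x.x
```

The branch loses local Internet breakout for its LAN the moment the wider crypto ACL is applied, so stage the change from the HQ side or via console; the tunnel itself is unaffected because IKE is sourced from the isp1 interface address, which never matches net-lan.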