Routing all traffic over a Lan-to-Lan VPN

yllw98stng
Level 1

We currently have a Headquarters with 10 branch offices. 

Headquarters has an ASA 5510 (8.2.5) and each of the branch offices has an ASA 5505 (8.2.5).

Currently, internet traffic from the branch offices is routed straight out to the internet, while traffic destined for HQ is encrypted over the VPN tunnel.

We use a Websense v10000 G2 to filter web traffic for our HQ site and the branch offices use Websense Hybrid filtering (a pac file in their browser - cloud based filtering).               

One change we are considering making is to route ALL traffic from the branch offices through our Headquarters so they can also be filtered by the v10000 G2, rather than using the Hybrid Filtering.  The Branch Offices typically have 6Mbps/768Kbps DSL connections.

What are the negative consequences of routing all traffic through our HQ?  HQ has enough bandwidth to accommodate the increased traffic from the branch offices, but I was wondering how the branch offices would be affected.  Originally I was thinking that the Branch Office download speeds would essentially be limited to their upload speeds because all traffic would be getting sent up to the Branch Office.  After thinking about this more, though, I don't think this would actually be the case.  You would lose a little bit of speed due to the encryption, but it shouldn't be that drastic, correct?

Also, what configuration changes would be necessary to achieve this?  Here is the NAT/Route configuration of one of my branch offices:

crypto map CDEOVPN 35 match address CDEO
crypto map CDEOVPN 35 set peer 24.XX.XX.251
crypto map CDEOVPN 35 set transform-set Main
crypto map CDEOVPN interface outside

access-list CDEO extended permit ip 10.124.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list NoNAT extended permit ip 10.124.0.0 255.255.0.0 10.0.0.0 255.0.0.0

global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 71.X.X.51 1

I considered changing the CDEO access-list to "access-list CDEO extended permit ip 10.124.0.0 255.255.0.0 0.0.0.0 0.0.0.0", but I was afraid that maybe the VPN tunnel wouldn't be able to be established without first adding a deny statement so that traffic destined for the Public IP of our HQ ASA wouldn't try to go over the tunnel?  Would any changes be necessary to my NAT rules?

Thanks!
Jason

3 Replies

Jouni Forss
VIP Alumni

Hi,

I think you will need to use destination "any" in the

  • ACL defining the tunneled traffic
  • ACL defining the NAT0

To my understanding, ACLs used in NAT configurations CAN'T use "deny" statements. Using "any" in the ACLs shouldn't affect the L2L VPN negotiations.

The simple part of this change would probably be the remote sites

The Central site would, on the other hand, require at least:

  • You would need to configure Dynamic NAT/PAT source configurations for the remote lans to be able to be NATed/PATed to the central site "outside" IP address
    • global (outside) 1 interface
    • nat (outside) 1
    • nat (outside) 1
  • The above Dynamic NAT/PAT addition would on the other hand require that you would need to configure NAT0 on the "outside" interface for all the remote networks trying to access the Central site networks
    • access-list OUTSIDE-NAT0 remark NAT0 for Remote Sites
    • access-list OUTSIDE-NAT0 permit ip
    • access-list OUTSIDE-NAT0 permit ip
  • You would need to make sure that the Central site ASA permits U-turn of the traffic from "outside" to "outside" with the configuration command for it
    • same-security-traffic permit intra-interface

Your Central site ASA would in this setup be uploading the traffic towards your remote sites that are downloading that data possibly for a web site etc.

I am not sure how exactly the Websense is used and how it fits into your network. It might even be that there is some limitation that will mean that this setup won't work with Websense, even though otherwise the traffic will be possible to forward through the Central Site.

To be honest, this is not something I have to think about that much in my work, since we have separate devices for customer VPN and firewall purposes and there are also a lot of virtualized environments. This might be something I could lab with a setup of 2 ASAs connected by L2L VPN, as I currently have 2 ASAs for my own use.

Hope the information was helpful

- Jouni
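To make both halves of the list above concrete, here is a worked ASA 8.2 configuration for one branch and for HQ. This is an added example, not Jason's posted config or Jouni's; the branch half reuses the names from the original post (CDEO, CDEOVPN, NoNAT, Main, the 24.XX.XX.251 peer and the 71.X.X.51 default gateway), while the HQ half uses hypothetical names (crypto map HQVPN, ACLs HQ-CDEO, OUTSIDE-NAT0 and HQ-NoNAT, and a placeholder branch peer address), since the HQ config is not shown in the thread.

```cisco
! ---- Branch ASA 5505, 8.2(5) ----------------------------------------------
! Crypto ACL: everything sourced from the branch LAN goes into the tunnel.
! IKE to the HQ peer is generated by the ASA itself and is not matched against
! this ACL, so no "deny" for the HQ public IP is needed for the tunnel to form.
access-list CDEO extended permit ip 10.124.0.0 255.255.0.0 any
! NAT exemption must cover the same scope; otherwise branch sources would be
! PATed to the DSL address before encryption and no longer match CDEO.
access-list NoNAT extended permit ip 10.124.0.0 255.255.0.0 any
nat (inside) 0 access-list NoNAT
! Left in place from the original config, but with a tunnel-all NoNAT it is
! never hit while the tunnel is up.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map CDEOVPN 35 match address CDEO
crypto map CDEOVPN 35 set peer 24.XX.XX.251
crypto map CDEOVPN 35 set transform-set Main
crypto map CDEOVPN interface outside
route outside 0.0.0.0 0.0.0.0 71.X.X.51 1

! ---- HQ ASA 5510, 8.2(5) (hypothetical names) ------------------------------
! Decrypted branch traffic must be allowed to leave via the interface it
! arrived on (the outside "U-turn").
same-security-traffic permit intra-interface
! Mirror image of the branch crypto ACL.
access-list HQ-CDEO extended permit ip any 10.124.0.0 255.255.0.0
crypto map HQVPN 35 match address HQ-CDEO
crypto map HQVPN 35 set peer <branch-public-ip>
crypto map HQVPN 35 set transform-set Main
crypto map HQVPN interface outside
! Branch -> HQ LAN must stay untranslated. NAT exemption is evaluated before
! the dynamic PAT below, so this rule wins for 10.0.0.0/8 destinations.
access-list OUTSIDE-NAT0 remark NAT0 for remote sites
access-list OUTSIDE-NAT0 extended permit ip 10.124.0.0 255.255.0.0 10.0.0.0 255.0.0.0
nat (outside) 0 access-list OUTSIDE-NAT0
! Branch -> Internet is PATed to the HQ outside address on the way back out.
global (outside) 1 interface
nat (outside) 1 10.124.0.0 255.255.0.0
! The existing HQ LAN -> branch exemption on "inside" is unchanged; shown here
! only for completeness (name assumed).
access-list HQ-NoNAT extended permit ip 10.0.0.0 255.0.0.0 10.124.0.0 255.255.0.0
nat (inside) 0 access-list HQ-NoNAT
```

On the branch, "show crypto ipsec sa" should then show a local identity of 10.124.0.0/255.255.0.0 and a remote identity of 0.0.0.0/0.0.0.0. On HQ, "packet-tracer input outside tcp 10.124.1.10 1025 198.51.100.10 80" (constructed addresses) walks a branch web request through the VPN, NAT and U-turn phases and should finish with egress on outside. Two caveats follow directly from this design: traffic matched by a crypto map is never sent in the clear, so a branch loses all internet access whenever its HQ tunnel is down; and the U-turn happens on the HQ ASA's outside interface, so the branch web traffic never crosses the HQ core switch and a WCCP redirect living there will not see it. On bandwidth, the branch's web responses arrive as ESP on its 6 Mbps downstream, so the ceiling is the DSL downstream plus ESP overhead; the 768 kbps upstream carries only the requests.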

Thanks for the response, Jouni.  It will give me a good starting point and a lot to think about. 

To answer your question about Websense, we currently use WCCP on our core switch to transparently redirect all HQ traffic through the Websense Appliance.  So, somehow I would also need to route that traffic through the core switch, in addition to our HQ ASA.

Jason

Hi,

I used to wonder about a similar situation regarding the use of WCCP with Cisco IronPort when the redirection is on the "inside" interface of the ASA.

I was wondering if using a Default Route with the "tunneled" parameter (which routes all traffic coming from VPN connections towards that gateway IP address) would permit the traffic to make a turn on the LAN core and come back to the ASA.

I haven't tested it (or rather, had no possibility to lab it), but to my understanding this is not possible. One reason, I would presume, is the fact that the ASA would see the SYN packets twice. Or something like that.

Whether the ASA TCP State Bypass setting for the traffic would help with this, I don't know.

- Jouni