cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1349
Views
0
Helpful
5
Replies

Send All Traffic Through Firepower Site to Site VPN

Scott_22
Level 1
Level 1

We are staging a new branch office using an ASA 5508 running Firepower code. Our goal for this site is to tunnel ALL traffic, including traffic destined for the internet through the VPN. Saying this, what does the ACE within the ACP need to look like? I'm assuming that it must have a destination of Any. I know the extended ACL identifies traffic based on source to determine what to encrypt. After the crypto ACL is matched, then the traffic must be matched by the ACP, correct? We can't leave it as only the default block rule is my understanding with this configuration. 

5 Replies 5

Hi @Scott_22 

Yes the crypto ACL identifying the interesting traffic would need to have "any", as would the ACP to permit the traffic.

You would also need a NAT rule on the main site from source "outside" to destination "outside" as the VPN traffic would originate from the outside interface.

 

HTH

That was my next question - if all traffic is flowing through the VPN tunnel, is a PAT rule needed to translate the traffic? The PAT rule would instead on our external router at the location where the VPN terminates. 

Yes, you'll need a PAT rule for internet traffic for the remote sites configured on the main firewall. You'll also need a NAT exemption rule between the remote sites and the main site networks.

Okay, so it will be like this

 

Remote Firewall

-ACE in ACP allowing all traffic

-NAT exception rule - Is a NAT rule needed at all in this case since traffic will be encapsulated?

-Extended ACL allowing all traffic and attached to VPN config

 

HUB Firewall

- Inbound ACE allowing any to destination resources

- Outbound ACE allowing remote vpn subnet to any (internet) 

- The above aces are differ in their zones so the outbound ace will not allow all traffic

- when the traffic comes from the remote vpn and is destined for the internet, it will be decrypted and the default route and outbound acl will be used. 

NAT exemption rule will be on the hub firewall, the remote firewall is unlikely to have nat configured if all traffic is tunnelled to the hub.