Send All Traffic Through Firepower Site to Site VPN

Scott_22
Level 1

We are staging a new branch office using an ASA 5508 running Firepower code. Our goal for this site is to tunnel ALL traffic, including traffic destined for the internet, through the VPN. That said, what does the ACE within the ACP need to look like? I'm assuming that it must have a destination of Any. I know the extended ACL identifies traffic based on source to determine what to encrypt. After the crypto ACL is matched, the traffic must then be matched by the ACP, correct? My understanding is that we can't leave only the default block rule with this configuration.

5 Replies

Hi @Scott_22

Yes, the crypto ACL identifying the interesting traffic would need to have "any", as would the ACP to permit the traffic.

You would also need a NAT rule on the main site from source "outside" to destination "outside", as the VPN traffic would originate from the outside interface.

HTH

That was my next question - if all traffic is flowing through the VPN tunnel, is a PAT rule needed to translate the traffic? The PAT rule would instead be on our external router at the location where the VPN terminates.

Yes, you'll need a PAT rule for internet traffic for the remote sites configured on the main firewall. You'll also need a NAT exemption rule between the remote sites and the main site networks.

Okay, so it will be like this:

Remote Firewall

- ACE in ACP allowing all traffic
- NAT exemption rule - Is a NAT rule needed at all in this case, since traffic will be encapsulated?
- Extended ACL allowing all traffic and attached to the VPN config

HUB Firewall

- Inbound ACE allowing any to destination resources
- Outbound ACE allowing the remote VPN subnet to any (internet)
- The above ACEs differ in their zones, so the outbound ACE will not allow all traffic
- When the traffic comes from the remote VPN and is destined for the internet, it will be decrypted and the default route and outbound ACL will be used.

The NAT exemption rule will be on the hub firewall; the remote firewall is unlikely to have NAT configured if all traffic is tunnelled to the hub.
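The hub-side pieces discussed in this thread (NAT exemption, outside-to-outside PAT for the remote site's internet traffic, and a crypto ACL with "any"), written out as an added example in ASA/LINA CLI form; this is not configuration from the thread or from Cisco, and on an FMC-managed FTD the same objects are entered through the NAT and VPN pages rather than typed. Assumed (constructed) values: hub LAN 10.0.0.0/24, remote LAN 192.168.10.0/24, interfaces named inside/outside, REMOTE_PEER_IP as a placeholder, and an IKEv2 IPsec proposal named AES256 that already exists.

```text
! Added example: hub-side configuration for a remote site that tunnels ALL traffic.
! Constructed values: hub LAN 10.0.0.0/24, remote LAN 192.168.10.0/24.
object network HUB_LAN
 subnet 10.0.0.0 255.255.255.0
object network REMOTE_LAN
 subnet 192.168.10.0 255.255.255.0
!
! 1) NAT exemption (identity twice NAT) between the hub and remote LANs.
!    Listed first so it is evaluated before the PAT rule below.
nat (inside,outside) source static HUB_LAN HUB_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
!
! 2) PAT for the remote site's internet traffic. It arrives decrypted on
!    "outside" and leaves via "outside" again, so the rule is outside-to-outside
!    and hairpinning on the same interface must be permitted.
same-security-traffic permit intra-interface
nat (outside,outside) source dynamic REMOTE_LAN interface
!
! 3) Crypto ACL: the hub mirrors the remote side's "remote LAN -> any" entry,
!    so internet return traffic for the remote LAN is re-encrypted.
access-list HUB_TO_REMOTE extended permit ip any 192.168.10.0 255.255.255.0
!
! 4) Inbound ACL on outside (the CLI analogue of the ACP rule in the thread):
!    lets the remote LAN reach hub resources and the internet. Only relevant
!    when decrypted VPN traffic is not already bypassing interface ACLs
!    (i.e. "sysopt connection permit-vpn" is not in effect).
access-list OUTSIDE_IN extended permit ip 192.168.10.0 255.255.255.0 any
access-group OUTSIDE_IN in interface outside
!
! 5) Bind the crypto ACL to the remote peer (REMOTE_PEER_IP is a placeholder).
crypto map OUTSIDE_MAP 10 match address HUB_TO_REMOTE
crypto map OUTSIDE_MAP 10 set peer REMOTE_PEER_IP
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256
crypto map OUTSIDE_MAP interface outside
```

To confirm the outside-to-outside PAT is the rule that fires for internet-bound traffic, trace a constructed flow from the remote LAN to a documentation-range address, e.g. `packet-tracer input outside tcp 192.168.10.10 12345 203.0.113.10 443`, and check that the NAT phase shows the `(outside,outside)` rule while a hub-LAN destination instead hits the identity rule.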