Site to site VPN and internet traffic

HidealPartners
Level 1

Hi All,

I've got two sites connected through a site-to-site VPN. Everything is working fine, but I would like to pass all the internet traffic (www mostly) through the ASA in the main office instead of using the branch office internet.

The internal network in the main office (site A) is 172.17.0.0/16 and in the branch office (site B) is 172.18.0.0/16.

Can you please help?

Thank you!

  • VPN
3 Replies

Instead of reconfiguring your VPN, have you thought about setting up a proxy server in the main office and use that for at least the surf traffic?

For reconfiguring the VPN, you need to

  1. change the interesting traffic:
    branch -> main: permit ip BRANCH any
    main -> branch: permit ip any BRANCH
  2. configure same-security-traffic intra-interface
  3. configure NAT/PAT for (outside,outside)
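The three steps above written out as ASA configuration for both sides, as an added example that is not part of this thread; the object and ACL names, the crypto map name OUTSIDE-MAP with its sequence number, the 8.3+ object NAT syntax and the branch-side identity NAT line are assumptions, as is the existing NAT exemption on the main side:

```cisco
! Site A (main office) ASA - terminates the tunnel and hairpins Internet traffic
! Object names, ACL names and the crypto map name are assumptions for this example.
object network MAIN-NET
 subnet 172.17.0.0 255.255.0.0
!
! Step 3: PAT branch hosts to the outside address when they leave for the
! Internet through the same interface the tunnel arrives on (outside,outside)
object network BRANCH-NET
 subnet 172.18.0.0 255.255.0.0
 nat (outside,outside) dynamic interface
!
! Step 1: interesting traffic on the main side is now "any" -> BRANCH
access-list L2L-BRANCH extended permit ip any 172.18.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 match address L2L-BRANCH
!
! Step 2: allow traffic to enter and leave the outside interface
same-security-traffic permit intra-interface
!
! Existing NAT exemption for the site-to-site traffic itself stays in place
! (assumed to already exist, since the tunnel is working)
nat (inside,outside) source static MAIN-NET MAIN-NET destination static BRANCH-NET BRANCH-NET
!
! ---------------------------------------------------------------------
! Site B (branch) ASA - sends everything into the tunnel
object network BRANCH-NET
 subnet 172.18.0.0 255.255.0.0
!
! Step 1: interesting traffic on the branch side is BRANCH -> any
access-list L2L-MAIN extended permit ip 172.18.0.0 255.255.0.0 any
crypto map OUTSIDE-MAP 10 match address L2L-MAIN
!
! Identity NAT (assumption, not in the reply): placed at line 1 so it sits
! above any dynamic PAT rule and the branch does not translate the traffic to
! its own outside address before the crypto ACL is evaluated
nat (inside,outside) 1 source static BRANCH-NET BRANCH-NET
!
! Verify on either side: tunnel selectors and the translations in use
! show vpn-sessiondb detail l2l
! show nat
```

Once the branch ACL is widened to "any", every non-local destination at the branch is sent through the tunnel, so the main-office ASA must have capacity for the branch's web traffic as well as its own.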

Hi Karsten,

Thanks, that would be at the end of the project, but right now I cannot do this.

Can you please explain better? I'm not very familiar with crypto maps ...

Thanks!

More on crypto maps (and the IPsec VPNs they are used for, in general) can be found in the config guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_ike.html#wp1052135

First start with a "show run crypto map". There you find a "match address". In this ACL you need to change the definition to the above mentioned.

Although it won't work without steps 2) and 3), you can see the new VPN tunnel with "show vpn-sessiondb det l2l".