3103 Views · 10 Helpful · 5 Replies

site-to-site VPN tunnel all traffic and going out through different interface

david.suntama
Level 1

Hi All,

I would like to know whether it is possible to have our Branch A site-to-site IPSec tunnel terminate on HQ ISP 1.

All the traffic, including the internet traffic from Branch A, will have to go through the IPSec tunnel to HQ; however, in this case all the internet traffic at HQ is going through ISP 2.

So the internet traffic for Branch A also has to go through ISP 2 at HQ.

Is this possible?

If so, how would the config look?

Thanks

5 Replies

Dina Odeh
Level 1

[@david.suntama]

Yes, you can achieve that.

Let's focus first on the HQ ASA. Do you have IP SLA configured there? Is ISP2 the primary there?

On the Branch A ASA, there should be a PAT statement for users when they go to the internet. So 10.2.2.0/24 will be PATed to the Branch A ASA public IP; for example, let's say 1.1.1.1.

You can now put in the crypto map ACL that any traffic from 1.1.1.1 to any will go through the tunnel. NAT is checked before the crypto ACL :)

Now, when the internet traffic reaches the HQ ASA, the routing table will send the traffic through ISP 2. So on the Branch A ASA you have to say in the crypto map ACL that anything from the internet going to 1.1.1.1 should go through the tunnel.

Thanks Dina,

Yes, the HQ ASA will have IP SLA; ISP2 is the primary default route, except for the public IP of Branch A, which will be routed through ISP1 with metric 1.

Understood on the Branch A ASA for the PAT; how about on the HQ ASA? What should we do for the config on the HQ ASA? Is any NAT required?

Okay, so you need Branch A internet traffic to go to ISP1. You can configure Policy Based Routing on the HQ ASA that will route any traffic from the Branch A public IP to ISP1.

No NAT is needed on the HQ ASA, because traffic from Branch A will have public IPs for both source and destination.

But if you would like to PAT it to the ISP1 public IP, then there is no issue with that.

So can I assume as follows when creating the IPSec tunnel?

HQ

crypto local address 0.0.0.0 0.0.0.0 (any)

remote address 10.2.2.0/24 

Branch A

crypto local address 10.2.2.0/24

remote address 0.0.0.0 0.0.0.0 (any)

Do you mind sharing what the command config looks like for

"On the Branch A ASA, there should be a PAT statement for users when they go to the internet. So 10.2.2.0/24 will be PATed to the Branch A ASA public IP; for example, let's say 1.1.1.1.

You can now put in the crypto map ACL that any traffic from 1.1.1.1 to any will go through the tunnel. NAT is checked before the crypto ACL"?

Hi David, 

Yes, you can share the config.

To allow the local subnets to communicate with each other first, you need to have this config:

HQ:

Local subnet: 10.1.1.0/24

Remote subnet: 10.2.2.0/24 

Put a NAT exempt for them 

Branch A: 

Local subnet: 10.2.2.0/24

Remote subnet: 10.1.1.0/24

Put a NAT exempt also for them.

Now, for Internet traffic: 

HQ: 

Local subnet: 0.0.0.0/0 (any)

Remote subnet: Branch A public IP. 

No need for NAT here. 

Branch A: 

Local Subnet: ASA public IP

Remote subnet: 0.0.0.0/0 (any)

You need to have a PAT here for the Internet.
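As an added illustration of the layout Dina summarises above (this is example configuration written for this thread, not Dina's or Cisco's own config), here is how the NAT exemption, the interface PAT and the two crypto ACL entries could be expressed on ASAs running the 8.3+ NAT syntax. The subnets 10.1.1.0/24 and 10.2.2.0/24 and the Branch A public IP 1.1.1.1 come from the thread; the interface names, the HQ addresses 203.0.113.1 (ISP1) and 198.51.100.1 (ISP2), the next-hop addresses and the pre-shared key are constructed placeholders. It departs from the thread in one place: the HQ side PATs the branch internet traffic to its ISP2 interface address instead of sending it out unchanged, for the reason given in the comments.

```cisco
! ===== Branch A ASA (constructed example) =====
! outside = 1.1.1.1 (public IP from the thread), inside = 10.2.2.1/24
object network BRANCH_LAN
 subnet 10.2.2.0 255.255.255.0
object network HQ_LAN
 subnet 10.1.1.0 255.255.255.0

! 1) NAT exemption (identity NAT) for LAN-to-LAN traffic. Manual NAT is evaluated
!    before object NAT, so this wins over the PAT below for 10.2.2.0/24 -> 10.1.1.0/24.
nat (inside,outside) source static BRANCH_LAN BRANCH_LAN destination static HQ_LAN HQ_LAN no-proxy-arp route-lookup

! 2) PAT everything else from the LAN to the outside interface address (1.1.1.1).
!    NAT runs before the crypto ACL lookup, so internet-bound packets are matched
!    by the crypto ACL as 1.1.1.1 -> any.
object network BRANCH_LAN_PAT
 subnet 10.2.2.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Crypto ACL: first entry is the LAN-to-LAN pair, second entry is the full-tunnel part
access-list VPN_TO_HQ extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN_TO_HQ extended permit ip host 1.1.1.1 any

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_HQ
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>

! Default route toward the branch ISP (placeholder next hop); all matching traffic
! is encrypted toward the HQ peer before it leaves this interface.
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1

! ===== HQ ASA (constructed example) =====
! inside = 10.1.1.1/24, isp1 = 203.0.113.1 (tunnel terminates here), isp2 = 198.51.100.1 (default route)
object network HQ_LAN
 subnet 10.1.1.0 255.255.255.0
object network BRANCH_LAN
 subnet 10.2.2.0 255.255.255.0

! isp1 and isp2 are both security-level 0; decrypted branch traffic enters on isp1
! and leaves on isp2, which the ASA only allows with this command.
same-security-traffic permit inter-interface
! Only needed if PBR (as suggested earlier in the thread) sends the branch traffic
! back out isp1, the same interface the tunnel arrived on.
same-security-traffic permit intra-interface

! NAT exemption for LAN-to-LAN
nat (inside,isp1) source static HQ_LAN HQ_LAN destination static BRANCH_LAN BRANCH_LAN no-proxy-arp route-lookup

! Branch internet traffic arrives decrypted on isp1 with source 1.1.1.1. PAT it to the
! isp2 interface address: without this, replies from the internet would be routed
! straight to Branch A's ISP (asymmetric, never re-entering the tunnel), and ISP2 may
! drop packets whose source address is not from its own allocation.
object network BRANCH_PUBLIC_PAT
 host 1.1.1.1
 nat (isp1,isp2) dynamic interface

! Crypto ACL mirrors the branch side
access-list VPN_TO_BRANCH extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN_TO_BRANCH extended permit ip any host 1.1.1.1

! ikev1 policy and transform-set identical to the Branch A side (omitted here)
crypto map ISP1_MAP 10 match address VPN_TO_BRANCH
crypto map ISP1_MAP 10 set peer 1.1.1.1
crypto map ISP1_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map ISP1_MAP interface isp1
crypto ikev1 enable isp1

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>

! Default via ISP2 (the IP SLA tracking mentioned in the thread is omitted); host route
! for the branch peer via ISP1 so both IKE/ESP and the un-NATed return traffic
! (any -> 1.1.1.1) are routed to isp1, where the crypto map encrypts them.
route isp2 0.0.0.0 0.0.0.0 198.51.100.2 1
route isp1 1.1.1.1 255.255.255.255 203.0.113.2 1
```

Two things to check once this is in place. First, the order of NAT rules matters: run `show nat` on each box and confirm the identity rule for the LAN pair sits above the interface PAT, otherwise LAN-to-LAN traffic gets PATed and never matches the first crypto ACL entry. Second, trace a branch client to a public address end to end with `packet-tracer input inside tcp 10.2.2.10 12345 198.51.100.50 443` on the branch ASA (and the equivalent on the HQ ASA from isp1) to confirm the NAT, VPN-encrypt and route phases all show ALLOW before blaming the tunnel; `show crypto ipsec sa` should then show two separate SA pairs, one per crypto ACL entry.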