• Status: Solved

How to tunnel all traffic over a site-to-site tunnel using Cisco ASAs

I have several branch offices connected via VPN tunnels using Cisco ASAs. I can easily get inside traffic across the tunnel, but cannot figure out how to get internet traffic from the branch site to come over the tunnel and out a separate firewall at the corporate site.

My goal is for the ASA at the branch site (firewall A) to send ALL traffic from the internal branch network over the tunnel to Firewall B at the corporate site. I then want Firewall B to send all internet bound traffic to a different firewall in the corporate network (firewall C).
Asked by RustyZ32
1 Solution
 
JFrederick29Commented:
Change the tunnel source on Firewall B to "any" and the tunnel destination to "any" on the Firewall A in the crypto access-list (tunnel interesting traffic list).

Also, add the following tunneled default route to Firewall B:

route inside 0.0.0.0 0.0.0.0 <firewall C inside IP> tunneled

Firewall C will need to have NAT setup to NAT the remote IP addresses when destined to the Internet.
0
 
RustyZ32Author Commented:
Will I also need a static route to send traffic destined for Firewall B's outside IP to Firewall A's ISP gateway?

or do I just leave the current default route (0.0.0.0 0.0.0.0 ISPGATEWAY)

0
 
JFrederick29Commented:
Nope, leave the current default route the same on Firewall A.

Forgot one thing, Firewall C will need a route to the VPN subnets via Firewall B's inside interface IP address.
0
 
RustyZ32Author Commented:
I tried this but it is still going out firewall A for internet.

On firewall A I added a NAT exemption from the branch network to any. This just cut off internet access altogether.

Do I need to put a tunneled route on firewall A?
0
 
JFrederick29Commented:
Yeah, the NAT exemption to any is required also. Can you post a "show cry ipsec sa" from Firewall A to verify the tunnel policy is correct? Did you add the tunneled default to Firewall B and verify Firewall C has a route back to the VPN subnet via Firewall B and also is set up to NAT the Firewall A LAN traffic?
0
 
RustyZ32Author Commented:
Firewall C is set to NAT everything unless exempted. This worked for the same subnet when I previously routed all the traffic over a separate MPLS network.

Here is the show crypto from firewall A (peer changed to 999).

Don't I also need a NAT exemption on firewall B for source any, destination branch office?

interface: outside
    Crypto map tag: crypto_map, seq num: 23, local addr: 192.168.254.253

      access-list outside_23_cryptomap permit ip 10.23.0.0 255.255.0.0 any
      local ident (addr/mask/prot/port): (10.23.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 999.999.999.999

      #pkts encaps: 3740, #pkts encrypt: 3740, #pkts digest: 3740
      #pkts decaps: 3927, #pkts decrypt: 3927, #pkts verify: 3927
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3740, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.254.253, remote crypto endpt.: 999.999.999.999

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: BF838F70

    inbound esp sas:
      spi: 0xD7EA7D52 (3622468946)
         transform: esp-aes-256 esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 184320, crypto-map: crypto_map
         sa timing: remaining key lifetime (kB/sec): (4372945/27108)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xBF838F70 (3213070192)
         transform: esp-aes-256 esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 184320, crypto-map: crypto_map
         sa timing: remaining key lifetime (kB/sec): (4373415/27108)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
0
 
JFrederick29Commented:
Yes, you need NAT exemption on both ends.
0
 
RustyZ32Author Commented:
I tried with both nat exemptions, same problem. I probably need to stop cutting them on and off and wait until tonight to troubleshoot further.
0
 
JFrederick29Commented:
Firewall C has a route to 10.23.0.0/16 via Firewall B's inside interface, right?  Firewall B has the tunneled default route via Firewall C's inside interface, right?
0
 
RustyZ32Author Commented:
Yes, that's right.

Firewall A:
tunnel ACL permitting 10.23.0.0 255.255.0.0 to any
route outside 0.0.0.0 0.0.0.0 ISP

Firewall B:
tunnel ACL permitting any to 10.23.0.0 255.255.0.0
route inside 0.0.0.0 0.0.0.0 firewallC tunneled

Firewall C:
route inside 10.23.0.0 255.255.0.0 firewallB

And of course the NAT exemptions on A and B when I tried.
0
 
JFrederick29Commented:
Hmm, sounds good.

Are you allowing the IPSEC traffic to bypass the outside access-list or are you filtering VPN traffic on Firewall B?  Does Firewall C have an access-list on the inside interface restricting traffic?  When you try again, check the connection logs on Firewall C to see if you see the 10.23.0.0/16 traffic hitting the Firewall.

What are the clients using for DNS resolution?  Internal DNS servers or Firewall A's ISP's DNS servers?
0
 
RustyZ32Author Commented:
I owe you an apology; I misspelled the new ACL entry for the NAT exemption on firewall B.

Added the correct ACL and it works great!

Thank you!
0
 
RustyZ32Author Commented:
From comment below:

Also need NAT exemptions on firewall B and A.
0
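Pulling the thread's pieces together, here is an added example (not posted by either participant) of what the three firewalls' relevant config lines look like in pre-8.3 ASA syntax, which matches the "nat 0" style NAT exemption discussed above. The crypto ACL name, crypto map name/sequence and branch subnet are taken from the posted "show crypto ipsec sa"; every value in angle brackets, the transform-set and the nat0 ACL names are assumed placeholders, and the IKE policy, tunnel-group and crypto map interface binding are taken as already in place.

```text
! ---- Firewall A (branch) ----
! Interesting traffic is branch LAN to ANY, so Internet-bound flows get encrypted too
access-list outside_23_cryptomap extended permit ip 10.23.0.0 255.255.0.0 any
crypto map crypto_map 23 match address outside_23_cryptomap
crypto map crypto_map 23 set peer <FIREWALL_B_OUTSIDE_IP>
crypto map crypto_map 23 set transform-set <TRANSFORM_SET>
! NAT exemption must mirror the crypto ACL, otherwise the LAN is PATed before encryption
! (inside_nat0_outbound is an assumed name)
access-list inside_nat0_outbound extended permit ip 10.23.0.0 255.255.0.0 any
nat (inside) 0 access-list inside_nat0_outbound
! Default route stays at the ISP: it only has to carry the encrypted traffic to Firewall B
route outside 0.0.0.0 0.0.0.0 <ISP_GATEWAY_A> 1

! ---- Firewall B (corporate VPN hub) ----
! Mirror image of A's crypto ACL: ANY to the branch LAN
access-list outside_cryptomap extended permit ip any 10.23.0.0 255.255.0.0
! NAT exemption mirrored as well; a typo in this entry was the bug in the thread
access-list inside_nat0_outbound extended permit ip any 10.23.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
! Normal default route for B's own traffic and the IKE/ESP peering with A
route outside 0.0.0.0 0.0.0.0 <ISP_GATEWAY_B> 1
! "tunneled" default applies only to decrypted VPN traffic with no more specific route,
! so branch Internet traffic leaves via inside toward Firewall C, not via B's outside
route inside 0.0.0.0 0.0.0.0 <FIREWALL_C_INSIDE_IP> tunneled

! ---- Firewall C (corporate Internet egress) ----
! Return path for the branch LAN points back at Firewall B's inside interface
route inside 10.23.0.0 255.255.0.0 <FIREWALL_B_INSIDE_IP> 1
! Branch addresses are translated on the way out, like the corporate LAN
nat (inside) 1 10.23.0.0 255.255.0.0
global (outside) 1 interface
```

After applying, `show access-list inside_nat0_outbound` on A and B should show hit counts climbing on the exemption entries once branch hosts browse; a stuck-at-zero count on B is exactly what the misspelled entry in this thread would have produced.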
 
JFrederick29Commented:
Excellent.  Glad to hear!
0
