RustyZ32
asked on
How to Tunnel all traffic over site-to-site tunnel using Cisco ASA's
I have several branch offices connected via VPN tunnels using Cisco ASAs. I can easily get inside traffic across the tunnel, but cannot figure out how to get internet traffic from the branch site to come over the tunnel and out a separate firewall at the corporate site.
My goal is for the ASA at the branch site (firewall A) to send ALL traffic from the internal branch network over the tunnel to Firewall B at the corporate site. I then want Firewall B to send all internet bound traffic to a different firewall in the corporate network (firewall C).
Nope, leave the current default route the same on Firewall A.
Forgot one thing, Firewall C will need a route to the VPN subnets via Firewall B's inside interface IP address.
ASKER
I tried this but it is still going out the firewall A for internet.
On firewall A I added a NAT exemption from the branch network to any. This just cut off internet access altogether.
Do I need to put a tunneled route on firewall A?
Yeah, the nat exemption to any is required also. Can you post a "show cry ipsec sa" from Firewall A to verify the tunnel policy is correct. Did you add the tunneled default to Firewall B and verify Firewall C has a route back to the VPN subnet via Firewall B and also is setup to NAT the Firewall A LAN traffic?
ASKER
Firewall C is set to NAT everything unless exempted. This worked for the same subnet when I previously routed all the traffic over a separate MPLS network.
Here is the show crypto output from firewall A (peer changed to 999).
Don't I also need a NAT exemption on firewall B for source any, destination branch office?
interface: outside
Crypto map tag: crypto_map, seq num: 23, local addr: 192.168.254.253
access-list outside_23_cryptomap permit ip 10.23.0.0 255.255.0.0 any
local ident (addr/mask/prot/port): (10.23.0.0/255.255.0.0/0/0 )
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 999.999.999.999
#pkts encaps: 3740, #pkts encrypt: 3740, #pkts digest: 3740
#pkts decaps: 3927, #pkts decrypt: 3927, #pkts verify: 3927
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3740, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.254.253, remote crypto endpt.: 999.999.999.999
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: BF838F70
inbound esp sas:
spi: 0xD7EA7D52 (3622468946)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 184320, crypto-map: crypto_map
sa timing: remaining key lifetime (kB/sec): (4372945/27108)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xBF838F70 (3213070192)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 184320, crypto-map: crypto_map
sa timing: remaining key lifetime (kB/sec): (4373415/27108)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Yes, you need NAT exemption on both ends.
ASKER
I tried with both nat exemptions, same problem. I probably need to stop cutting them on and off and wait until tonight to troubleshoot further.
Firewall C has a route to 10.23.0.0/16 via Firewall B's inside interface, right? Firewall B has the tunneled default route via Firewall C's inside interface, right?
ASKER
Yes, that's right.
Firewall A:
tunnel acl permitting 10.23.0.0 255.255.0.0 to any
route outside 0.0.0.0 0.0.0.0 ISP
Firewall B:
tunnel acl permitting any to 10.23.0.0 255.255.0.0
route inside 0.0.0.0 0.0.0.0 firewallC tunneled
Firewall C:
route inside 10.23.0.0 255.255.0.0 firewallB
And of course the NAT exemptions on A and B when I tried.
Hmm, sounds good.
Are you allowing the IPSEC traffic to bypass the outside access-list or are you filtering VPN traffic on Firewall B? Does Firewall C have an access-list on the inside interface restricting traffic? When you try again, check the connection logs on Firewall C to see if you see the 10.23.0.0/16 traffic hitting the Firewall.
What are the clients using for DNS resolution? Internal DNS servers or Firewall A's ISP's DNS servers?
ASKER
I owe you an apology; I misspelled the new ACL entry for the NAT exemption on firewall B.
Added the correct ACL and it works great!
Thank you!
ASKER
from comment below:
Also need NAT exemptions on firewall B and A.
Excellent. Glad to hear!
ASKER
Or do I just leave the current default route (0.0.0.0 0.0.0.0 ISPGATEWAY)?
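The three-firewall setup the thread converges on, pulled together as an added example (this is not the asker's actual configuration; it assumes pre-8.3 ASA NAT syntax, and the gateway placeholders, ACL names and the transform-set name are assumptions):

```cisco
! ===== Firewall A (branch ASA) =====
! Crypto ACL: every flow from the branch LAN to anywhere is "interesting" and goes into the tunnel.
access-list outside_23_cryptomap extended permit ip 10.23.0.0 255.255.0.0 any
! Identity NAT for the same flows, so A does not PAT them to its outside address before encryption.
access-list inside_nat0_outbound extended permit ip 10.23.0.0 255.255.0.0 any
nat (inside) 0 access-list inside_nat0_outbound
! The default route stays toward the ISP: it carries the encrypted ESP/IKE packets to peer B.
! The crypto map, not the routing table, is what pulls the branch LAN traffic into the tunnel.
route outside 0.0.0.0 0.0.0.0 <ISP-GATEWAY-A> 1
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map crypto_map 23 match address outside_23_cryptomap
crypto map crypto_map 23 set peer <FIREWALL-B-PUBLIC-IP>
crypto map crypto_map 23 set transform-set ESP-AES-256-MD5
crypto map crypto_map interface outside

! ===== Firewall B (corporate hub ASA) =====
! Mirror image of A's crypto ACL: any -> branch LAN.
access-list outside_cryptomap_branch extended permit ip any 10.23.0.0 255.255.0.0
! NAT exemption for the same flows (the entry the asker had mistyped).
access-list inside_nat0_outbound extended permit ip any 10.23.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
! Ordinary default route toward B's own ISP for non-VPN traffic.
route outside 0.0.0.0 0.0.0.0 <ISP-GATEWAY-B> 1
! Tunneled default route: decrypted VPN traffic with no more specific route is sent to Firewall C.
route inside 0.0.0.0 0.0.0.0 <FIREWALL-C-INSIDE-IP> tunneled
! Let decrypted VPN traffic bypass the outside interface ACL (or filter it explicitly if preferred).
sysopt connection permit-vpn
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 10 match address outside_cryptomap_branch
crypto map outside_map 10 set peer <FIREWALL-A-PUBLIC-IP>
crypto map outside_map 10 set transform-set ESP-AES-256-MD5
crypto map outside_map interface outside

! ===== Firewall C (internet egress) =====
! Return route to the branch LAN via B's inside interface. C PATs 10.23.0.0/16 like any other
! inside subnet, and any inside-interface ACL on C must permit the branch range.
route inside 10.23.0.0 255.255.0.0 <FIREWALL-B-INSIDE-IP>
```

On A, "show crypto ipsec sa" should then show local ident 10.23.0.0/255.255.0.0 and remote ident 0.0.0.0/0.0.0.0 as in the posted output; note that with this design the branch loses all internet access whenever the tunnel is down, and branch clients should resolve DNS through the tunnel (internal servers) rather than A's ISP resolvers.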