How to tunnel all traffic over a site-to-site tunnel using Cisco ASAs

I have several branch offices connected via VPN tunnels using Cisco ASAs. I can easily get inside traffic across the tunnel, but cannot figure out how to get internet traffic from the branch site to come over the tunnel and out a separate firewall at the corporate site.

My goal is for the ASA at the branch site (firewall A) to send ALL traffic from the internal branch network over the tunnel to Firewall B at the corporate site. I then want Firewall B to send all internet bound traffic to a different firewall in the corporate network (firewall C).
ASKER CERTIFIED SOLUTION
JFrederick29

ASKER

Will I also need a static route to send traffic destined for Firewall B's outside IP to Firewall A's ISP gateway?

or do I just leave the current default route (0.0.0.0 0.0.0.0 ISPGATEWAY)

Nope, leave the current default route the same on Firewall A.

Forgot one thing, Firewall C will need a route to the VPN subnets via Firewall B's inside interface IP address.
I tried this but it is still going out Firewall A for internet.

On Firewall A I added a NAT exemption from the branch network to any. This just cut off internet access altogether.

Do I need to put a tunneled route on Firewall A?
Yeah, the nat exemption to any is required also.  Can you post a "show cry ipsec sa" from Firewall A to verify the tunnel policy is correct.  Did you add the tunneled default to Firewall B and verify Firewall C has a route back to the VPN subnet via Firewall B and also is setup to NAT the Firewall A LAN traffic?
Firewall C is set to NAT everything unless exempted. This worked for the same subnet when I previously routed all the traffic over a seperate MPLS network.

Here is the show crypto from Firewall A (peer changed to 999).

Don't I also need a NAT exemption on Firewall B for source any, destination branch office?

interface: outside
    Crypto map tag: crypto_map, seq num: 23, local addr: 192.168.254.253

      access-list outside_23_cryptomap permit ip 10.23.0.0 255.255.0.0 any
      local ident (addr/mask/prot/port): (10.23.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 999.999.999.999

      #pkts encaps: 3740, #pkts encrypt: 3740, #pkts digest: 3740
      #pkts decaps: 3927, #pkts decrypt: 3927, #pkts verify: 3927
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3740, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.254.253, remote crypto endpt.: 999.999.999.999

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: BF838F70

    inbound esp sas:
      spi: 0xD7EA7D52 (3622468946)
         transform: esp-aes-256 esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 184320, crypto-map: crypto_map
         sa timing: remaining key lifetime (kB/sec): (4372945/27108)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xBF838F70 (3213070192)
         transform: esp-aes-256 esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 184320, crypto-map: crypto_map
         sa timing: remaining key lifetime (kB/sec): (4373415/27108)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
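To do the check JFrederick29 asks for ("verify the tunnel policy is correct") without reading the dump by eye, the following added example parses a "show crypto ipsec sa" listing like the one above and reports whether the spoke's policy is actually full-tunnel (remote ident 0.0.0.0/0) and whether packets are moving in both directions. This is example code written for this page, not the asker's or Cisco's; the sample dumps are constructed from the output above with a TEST-NET peer address (203.0.113.1) in place of the redacted one.

```python
"""Sanity-check a Cisco ASA 'show crypto ipsec sa' dump for a full-tunnel L2L policy.

Added example, not from the thread. It pulls the local/remote proxy identities,
the encap/decap counters and the ESP transform out of each 'Crypto map tag:'
section and flags the things that commonly break a 'send everything to the hub'
design: a crypto ACL that is not 0.0.0.0/0 on the remote side, a zero encaps
counter (LAN traffic never enters the tunnel, usually a missing NAT exemption)
and a zero decaps counter (nothing returns, usually the hub's tunneled route or
far-side NAT).
"""
import re
from dataclasses import dataclass
from typing import List

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)"
)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
TRANSFORM_RE = re.compile(r"transform: (esp-\S+) (esp-\S+)")
PEER_RE = re.compile(r"current_peer: (\S+)")


@dataclass
class SaSummary:
    peer: str
    local_net: str
    local_mask: str
    remote_net: str
    remote_mask: str
    encaps: int
    decaps: int
    cipher: str
    integrity: str


def parse_ipsec_sa(text: str) -> List[SaSummary]:
    """Return one summary per 'Crypto map tag:' section that has a complete SA."""
    sections = re.split(r"Crypto map tag:", text)[1:]
    out: List[SaSummary] = []
    for sec in sections:
        idents = {m.group(1): (m.group(2), m.group(3)) for m in IDENT_RE.finditer(sec)}
        counters = {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(sec)}
        peer = PEER_RE.search(sec)
        xf = TRANSFORM_RE.search(sec)  # first (inbound) SA's transform is enough
        if "local" not in idents or "remote" not in idents or not peer:
            continue  # policy with no negotiated SA yet; nothing to check
        out.append(SaSummary(
            peer=peer.group(1),
            local_net=idents["local"][0], local_mask=idents["local"][1],
            remote_net=idents["remote"][0], remote_mask=idents["remote"][1],
            encaps=counters.get("encaps", 0), decaps=counters.get("decaps", 0),
            cipher=xf.group(1) if xf else "none",
            integrity=xf.group(2) if xf else "none",
        ))
    return out


def check_full_tunnel(sa: SaSummary, lan_net: str, lan_mask: str) -> List[str]:
    """Findings for a spoke that is supposed to send ALL LAN traffic to the hub."""
    findings: List[str] = []
    if (sa.local_net, sa.local_mask) != (lan_net, lan_mask):
        findings.append(f"local ident {sa.local_net}/{sa.local_mask} does not match LAN {lan_net}/{lan_mask}")
    if (sa.remote_net, sa.remote_mask) != ("0.0.0.0", "0.0.0.0"):
        findings.append(f"remote ident {sa.remote_net}/{sa.remote_mask} is not 0.0.0.0/0: crypto ACL is split-tunnel, not full-tunnel")
    if sa.encaps == 0:
        findings.append("no packets encapsulated: LAN traffic is not entering the tunnel (check NAT exemption and routing)")
    if sa.decaps == 0:
        findings.append("no packets decapsulated: nothing is coming back (check the hub's tunneled default route and the far-side NAT)")
    if sa.integrity == "esp-md5-hmac":
        findings.append("integrity is esp-md5-hmac (legacy); prefer an esp-sha* transform")
    return findings


# Constructed from the dump in the thread; peer address replaced with TEST-NET.
SAMPLE_FULL_TUNNEL = """\
interface: outside
    Crypto map tag: crypto_map, seq num: 23, local addr: 192.168.254.253

      access-list outside_23_cryptomap permit ip 10.23.0.0 255.255.0.0 any
      local ident (addr/mask/prot/port): (10.23.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 203.0.113.1

      #pkts encaps: 3740, #pkts encrypt: 3740, #pkts digest: 3740
      #pkts decaps: 3927, #pkts decrypt: 3927, #pkts verify: 3927

    inbound esp sas:
      spi: 0xD7EA7D52 (3622468946)
         transform: esp-aes-256 esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
"""

# Constructed counter-example: split-tunnel ACL and no return traffic.
SAMPLE_SPLIT_TUNNEL = """\
interface: outside
    Crypto map tag: crypto_map, seq num: 23, local addr: 192.168.254.253

      local ident (addr/mask/prot/port): (10.23.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      current_peer: 203.0.113.1

      #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    inbound esp sas:
         transform: esp-aes-256 esp-sha-hmac no compression
"""

if __name__ == "__main__":
    for label, dump in (("full", SAMPLE_FULL_TUNNEL), ("split", SAMPLE_SPLIT_TUNNEL)):
        for sa in parse_ipsec_sa(dump):
            print(label, sa.peer, check_full_tunnel(sa, "10.23.0.0", "255.255.0.0") or "OK")
```

Run it against a saved `show crypto ipsec sa` from the spoke; the only finding on the thread's dump is the legacy MD5 integrity transform, which confirms that the crypto policy itself was never the problem (the fix turned out to be a mistyped NAT exemption ACL on the hub, which this check cannot see from the spoke).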
Yes, you need NAT exemption on both ends.
I tried with both nat exemptions, same problem. I probably need to stop cutting them on and off and wait until tonight to troubleshoot further.
Firewall C has a route to 10.23.0.0/16 via Firewall B's inside interface, right?  Firewall B has the tunneled default route via Firewall C's inside interface, right?
Yes, that's right.

Firewall A:
tunnel ACL permitting 10.23.0.0 255.255.0.0 to any
route outside 0.0.0.0 0.0.0.0 ISP

Firewall B:
tunnel ACL permitting any to 10.23.0.0 255.255.0.0
route inside 0.0.0.0 0.0.0.0 firewallC tunneled

Firewall C:
route inside 10.23.0.0 255.255.0.0 firewallB


And of course the NAT exemptions on A and B when I tried.
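The three-firewall design summarized above, written out as ASA CLI in the pre-8.3 NAT syntax that matches the "nat exemption" wording in this thread. This is an added example for this page, not the asker's or the answerer's configuration. The crypto map name (crypto_map, seq 23), the crypto ACL name (outside_23_cryptomap), the branch LAN (10.23.0.0/16) and the transform (esp-aes-256 esp-md5-hmac) are taken from the "show crypto ipsec sa" output above; every interface address, peer address, ACL name and transform-set name beyond those is an assumption. ISAKMP policy, tunnel-group and pre-shared key are omitted because the thread's tunnel is already up.

```cisco
! ===== Firewall A (branch spoke) =====
! Assumed: inside 10.23.0.1/16, ISP gateway 198.51.100.1, Firewall B outside 203.0.113.1
! Crypto ACL: everything from the branch LAN to anywhere is "interesting" traffic
access-list outside_23_cryptomap extended permit ip 10.23.0.0 255.255.0.0 any
! NAT exemption must mirror the crypto ACL; without it the LAN traffic is PATed to
! the outside address before the crypto map is evaluated and never matches it
access-list nonat extended permit ip 10.23.0.0 255.255.0.0 any
nat (inside) 0 access-list nonat
! Default route stays pointed at the ISP: it is what carries the ESP packets to the peer
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
crypto ipsec transform-set ESP-AES256-MD5 esp-aes-256 esp-md5-hmac
crypto map crypto_map 23 match address outside_23_cryptomap
crypto map crypto_map 23 set peer 203.0.113.1
crypto map crypto_map 23 set transform-set ESP-AES256-MD5
crypto map crypto_map interface outside
! Decrypted VPN traffic bypasses the outside interface ACL (ASA default, shown for clarity)
sysopt connection permit-vpn

! ===== Firewall B (corporate hub, terminates the VPN) =====
! Assumed: inside 10.1.1.2/24, Firewall C inside 10.1.1.3, B's ISP gateway 203.0.113.254,
! Firewall A public peer address 198.51.100.23
! Crypto ACL and NAT exemption are the mirror image of Firewall A's
access-list outside_1_cryptomap extended permit ip any 10.23.0.0 255.255.0.0
access-list nonat extended permit ip any 10.23.0.0 255.255.0.0
nat (inside) 0 access-list nonat
! Ordinary default route for B's own outside traffic and the ESP to the spoke
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
! Tunneled default route: only traffic that ARRIVED through the VPN and has no
! more specific route uses it, so branch internet traffic is handed to Firewall C
route inside 0.0.0.0 0.0.0.0 10.1.1.3 tunneled
crypto ipsec transform-set ESP-AES256-MD5 esp-aes-256 esp-md5-hmac
crypto map crypto_map 1 match address outside_1_cryptomap
crypto map crypto_map 1 set peer 198.51.100.23
crypto map crypto_map 1 set transform-set ESP-AES256-MD5
crypto map crypto_map interface outside
sysopt connection permit-vpn

! ===== Firewall C (corporate internet egress) =====
! Assumed: inside 10.1.1.3/24
! Return route for the branch LAN points at Firewall B's inside interface
route inside 10.23.0.0 255.255.0.0 10.1.1.2 1
! C PATs everything that is not exempted; the branch LAN is deliberately NOT exempted,
! so its internet traffic leaves with C's outside address
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
```

Two things to verify after applying this: on Firewall B, `show route` should list the 0.0.0.0/0 via 10.1.1.3 entry with the tunneled flag separately from the outside default, and on Firewall C, `packet-tracer input inside tcp 10.23.1.10 12345 198.51.100.50 80` should show the flow being PATed and allowed out the outside interface. A NAT exemption ACL on B that does not exactly mirror the crypto ACL (the mistyped entry that turned out to be the problem in this thread) shows up as the branch traffic being translated on B and silently failing to match the return leg of the tunnel.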
Hmm, sounds good.

Are you allowing the IPSEC traffic to bypass the outside access-list or are you filtering VPN traffic on Firewall B?  Does Firewall C have an access-list on the inside interface restricting traffic?  When you try again, check the connection logs on Firewall C to see if you see the 10.23.0.0/16 traffic hitting the Firewall.

What are the clients using for DNS resolution?  Internal DNS servers or Firewall A's ISP's DNS servers?
I owe you an apology; I misspelled the new ACL entry for the NAT exemption on Firewall B.

Added the correct ACL and it works great!


thank you!
From comment below:

Also need NAT exemptions on Firewall B and A.
Excellent.  Glad to hear!