main site: Cisco ASA 5520
internal interface: 172.16.4.0/255.255.252.0
internal core switch/gateway IP: 172.16.4.1
external interface IP: 18.104.22.168
The core switch knows to send all internet-bound and VPN-bound traffic to the 'inside' interface that the ASA 5520 resides on.
remote site: Cisco 861 Router
internal interface: 172.16.54.0/255.255.255.19
external interface IP: 22.214.171.124
See attached running-config for more details.
We recently needed to update our existing site-to-site VPN configuration to push ALL traffic from the remote through the tunnel, not just traffic bound for the main site. We needed internet traffic from the remote site to flow through the web filtering appliance at our main site.
I was able to get traffic flowing through by removing all NATing on the remote site router, and configuring a default tunnel gateway on the main site's ASA.
Traffic would get routed OUT to the internet properly, but the return traffic would not get pushed back through the tunnel.
I called Cisco and they had me add the following two static routes:
    route outside 172.16.54.0 255.255.255.192 126.96.36.199 1
    route inside 172.16.54.0 255.255.255.0 172.16.4.1 1
This solved the issue.
How did this solve the issue? What is going on with packet routing that makes this work? To me, having a route that specifies to send packets destined for the remote site from the 'outside' interface back to the ISP gateway address wouldn't work...
ASA running config is attached.
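A worked example of the longest-prefix-match lookup the ASA performs on return traffic, built from the two static routes quoted in the post. This is added illustration, not part of the original post or its attached config; the default route via the ISP gateway and the way the connected inside network is represented are assumptions. It shows that destinations in 172.16.54.0/26 are handed to the 'outside' interface (the interface an IPsec crypto map is bound to, so the tunnel can encapsulate them before the encrypted packet is forwarded to the ISP gateway), while the rest of 172.16.54.0/24 follows the more general route to the inside core switch.

```python
import ipaddress

# Constructed ASA routing table for the topology in the post.  The two
# 'route outside'/'route inside' 172.16.54.0 entries are the ones Cisco had
# the author add.  The default route via the ISP gateway is an ASSUMPTION
# (the post does not show it) so that internet-bound traffic has a match.
ASA_ROUTES = """
route outside 0.0.0.0 0.0.0.0 126.96.36.199 1
route outside 172.16.54.0 255.255.255.192 126.96.36.199 1
route inside 172.16.54.0 255.255.255.0 172.16.4.1 1
"""


def parse_routes(text):
    """Parse ASA 'route <iface> <net> <mask> <gw> [metric]' lines."""
    table = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue  # skip anything that is not a static route line
        iface, net, mask, gw = parts[1:5]
        metric = int(parts[5]) if len(parts) > 5 else 1
        table.append((ipaddress.IPv4Network(f"{net}/{mask}"), iface, gw, metric))
    return table


def build_table():
    """Static routes plus the directly connected inside network from the post."""
    table = parse_routes(ASA_ROUTES)
    # Connected network 172.16.4.0/22 on 'inside'; modelled with metric 0 and
    # a 'connected' pseudo next hop (assumption, no route statement on the page).
    table.append((ipaddress.IPv4Network("172.16.4.0/22"), "inside", "connected", 0))
    return table


def lookup(table, dst):
    """Longest-prefix match, lowest metric on ties; returns (iface, next_hop)."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1], best[2]


if __name__ == "__main__":
    table = build_table()
    for dst in ("172.16.54.10", "172.16.54.200", "172.16.5.20", "8.8.8.8"):
        print(f"{dst:>15} -> {lookup(table, dst)}")
```

Hosts 172.16.54.0 to 172.16.54.63 hit the /26 and leave via 'outside'; a host such as 172.16.54.200 falls through to the /24 and is sent to the core switch at 172.16.4.1.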