Solved

Cisco ASA VPN - Is there any way to get a remote remote site to pass ALL Traffic across an IPSec VPN so that a central content filter will apply?

Posted on 2014-04-06
3
377 Views
Last Modified: 2014-05-30
Hello,

I have a (2) Site IPSec setup, and I want to get the internet traffic from the remote site to pass to the HUB site so that the content filter at that site processes the traffic from the remote site as well.  

I have done this with IOS VPN's before (GRE over IPSec with the default route pointing to a TUNNEL interface) but I have never found a solution that will let me do this with Cisco ASA's.  Sonicwalls seem to have it covered with the checkbox "Force all traffic to remote site" in the VPN ... I can't imagine that this is not possible with a Cisco ASA, which is supposed to be a superior device and platform.  

Note:  Because of the appliance (Barracuda 410), we cannot use WCCP as an option since the Barracuda will ONLY allow one host to do WCCP.

Thanks!
0
Comment
Question by:jkeegan123
3 Comments
 
LVL 16

Expert Comment

by:max_the_king
ID: 39982662
Hi,
you haven't fully described your architecture so i'm assuming that you have branch sites connected via vpn with head quarter, and the site-to-site vpns are up and running.

What i usually implement to my customers is a rule on the branch offices which do not let them go out on the internet, by simply setting an access-list on internal interface.
Then i allow branch offices to surf on the internet by using proxy settings in their browsers, where the proxy IP is the Barracuda appliance which is ubicated in the head quarter LAN.

The only way to avoid the need of proxy settings for the branch offices would be to define vlans on the central ASA, and define the same vlans on the barracuda, using virtual ip address on each subnet the barracuda should serve, but it would become really complicated, especially when troubleshooting.
My customers are happy to use proxy for branch offices anyway.

hope this helps
max
0
 
LVL 17

Accepted Solution

by:
MAG03 earned 500 total points
ID: 39990968
You can define in the crypto ACL that the destination is "any".  So basically anything that matches the defined source address will be encrypted and sent over the VPN tunnel.

Just remember to adjust your nat exempt statements to also define a destination of any.
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 40032813
@MAG03:  Have you used this to accomplish this task?  This sounds like it would actually work well!
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
using BGP Attributes 2 108
Connecting a New Subnet to Network 4 43
Switch ports not working 8 52
Hit router interface limit 7 37
Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question