
Need help with an ASA config

sizeon Member Posts: 321
I have two ASAs set up with a site-to-site VPN. Let's call them ASA-HQ and ASA-branch. How can I make ASA-branch send all traffic to ASA-HQ, regardless of whether it's destined for the remote network or the internet?

Comments

    RouteMyPacket Member Posts: 1,104
    You need to match traffic via an ACL to determine what you want to traverse the L2L VPN.

    The crypto statement on ASA-HQ should be something like

    crypto map l2l_vpn 10 match address vpn_to_Branch
    crypto map l2l_vpn 10 set peer x.x.x.x

    access-list vpn_to_Branch extended permit ip object-group ASA-HQ-SUBNETS object-group ASA-BRANCH-SUBNETS

    ASA-HQ Segments

    object network VLAN1
    subnet 192.168.1.0 255.255.255.0

    object network VLAN2
    subnet 192.168.2.0 255.255.255.0

    object-group network ASA-HQ-SUBNETS
    network-object object VLAN1
    network-object object VLAN2


    ASA-Branch Segments

    object network VLAN1
    subnet 10.10.1.0 255.255.255.0

    object network VLAN2
    subnet 10.10.2.0 255.255.255.0

    object-group network ASA-BRANCH-SUBNETS
    network-object object VLAN1
    network-object object VLAN2

    *Edit, I see I did it backwards with ASA-HQ instead of your Branch but the same principle remains. Both sides must match regardless.
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the
    middle of the night because of a network problem and had to figure out the
    traffic flows in your network while you were half asleep, could you do it?
    sizeon Member Posts: 321
    That is how I have the crypto ACL configured.
    On my ASA-HQ I have the following: access-list vpn-interesting-traffic permit ip object HQ-SUBNET object BRANCH-SUBNET.

    On my ASA-Branch I have the following: access-list vpn-interesting-traffic permit ip object Branch-SUBNET object HQ-SUBNET.

    Still not working.
    DPG Member Posts: 780
    Which part isn't working?
    sizeon Member Posts: 321
    The ASA-Branch traffic for the public internet is not being routed to the ASA-HQ. I want all traffic from ASA-Branch to be routed to ASA-HQ
    DPG Member Posts: 780
    On the branch, your interesting traffic needs to be "any".
    On the HQ, you need to setup a hairpin NAT for the branch traffic to come into the HQ and then back out to the internet.
    sizeon Member Posts: 321
    OK, so would it look like this?

    Branch: access-list interesting-traffic permit ip any any
    HQ: nat (outside,outside) dynamic int
    same-security-traffic permit intra-interface
    DPG Member Posts: 780
    The branch config would be ... permit ip "traffic you want routed to the HQ" any.
    HQ config should work.
    sizeon Member Posts: 321
    It doesn't work. I have my ACL as access-list interesting-traffic permit ip LAN any. Phase one doesn't even come up now.
    sizeon Member Posts: 321
    Is there any other way to do this without hairpinning?
    eten Member Posts: 67
    Did you modify your HQ crypto ACL "any" to branch?

    Did you do NAT exempt on HQ when going from 192.x.x.x to 10.x.x.x ?
    sizeon Member Posts: 321
    Yes I did. It totally broke the VPN tunnel.
    RouteMyPacket Member Posts: 1,104
    What I find funny is

    A. You haven't posted a single config
    B. If it's important, why not call TAC?
    C. Do you have a network diagram?
    D. See A
    Hondabuff Member Posts: 667
    Open up Cisco Config Pro and use the GUI and the wizard for site-to-site VPN. Then when it works, tell everyone you did it with the CLI.
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
    sizeon Member Posts: 321
    The VPN works. But I am trying to route ALL traffic from the branch to HQ, essentially disabling split tunneling. So ASA1 = HQ and ASA2 = Branch.
    eten Member Posts: 67
    The subnets are defined by your crypto ACL. If your destination IP at your branch location is "any", then it should encrypt all traffic towards your HQ.

    Did you remove the NAT statements at your branch ASA?

    Post your configs or enable some logging so you can see what is happening.
    Hondabuff Member Posts: 667
    Did you try "ip route 0.0.0.0 0.0.0.0 tunnel 0"
    eten Member Posts: 67
    Hondabuff wrote: »
    Did you try "ip route 0.0.0.0 0.0.0.0 tunnel 0"

    This is an ASA, not IOS router.
    Zartanasaurus Member Posts: 2,008
    Assuming the tunnel endpoint and internet access on ASA-HQ are the same interface, you'd essentially need something like this at a high level.

    ASA-BRANCH VPN = from BRANCH_SUBNETS to ANY
    ASA-HQ VPN = from ANY to BRANCH_SUBNETS

    ASA-BRANCH route outside 0.0.0.0 0.0.0.0 next hop
    ASA-HQ same-security-traffic intra-interface
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMware vSphere 5 42.8%
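The pieces DPG and Zartanasaurus describe (branch crypto ACL to "any", HQ crypto ACL from "any", same-security intra-interface plus hairpin NAT on HQ, and no PAT at the branch for tunnelled flows) fit together as below. This is an added example written for this thread, not configuration posted by anyone here. It assumes ASA 8.4+ syntax (object NAT / twice NAT and ikev1 keywords), the 192.168.1.0/24 and 10.10.1.0/24 subnets used earlier, an interface named outside on both boxes, and placeholder peer and next-hop addresses; the object name obj-any and the transform-set name are also assumptions. The IKE policy and tunnel-group that already bring the tunnel up are unchanged and not repeated.

```cisco
! ===== ASA-HQ (assumed 8.4+ syntax; addresses are example values) =====
object network HQ-SUBNET
 subnet 192.168.1.0 255.255.255.0
object network BRANCH-SUBNET
 subnet 10.10.1.0 255.255.255.0
!
! Branch internet traffic arrives on outside (decrypted) and must leave on outside again
same-security-traffic permit intra-interface
!
! Crypto ACL is the mirror image of the branch ACL: any -> branch networks
access-list vpn-interesting-traffic extended permit ip any object BRANCH-SUBNET
!
! NAT exemption: HQ LAN <-> branch LAN keeps real addresses inside the tunnel
nat (inside,outside) source static HQ-SUBNET HQ-SUBNET destination static BRANCH-SUBNET BRANCH-SUBNET no-proxy-arp route-lookup
! Hairpin PAT (section 3, after object NAT): branch sources leaving outside toward the
! internet are translated to the HQ outside interface address
nat (outside,outside) after-auto source dynamic BRANCH-SUBNET interface
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map l2l_vpn 10 match address vpn-interesting-traffic
crypto map l2l_vpn 10 set peer BRANCH_PUBLIC_IP
crypto map l2l_vpn 10 set ikev1 transform-set ESP-AES-SHA
crypto map l2l_vpn interface outside

! ===== ASA-Branch =====
object network BRANCH-SUBNET
 subnet 10.10.1.0 255.255.255.0
object network HQ-SUBNET
 subnet 192.168.1.0 255.255.255.0
object network obj-any
 subnet 0.0.0.0 0.0.0.0
!
! Crypto ACL: everything sourced from the branch LAN, to any destination, is interesting
access-list vpn-interesting-traffic extended permit ip object BRANCH-SUBNET any
!
! Twice NAT (section 1) wins over any existing "nat (inside,outside) dynamic interface"
! object NAT, so LAN sources are NOT translated to the outside address before the
! crypto map sees them; a PATed source would no longer match the crypto ACL.
nat (inside,outside) source static BRANCH-SUBNET BRANCH-SUBNET destination static obj-any obj-any no-proxy-arp route-lookup
!
! The default route still points at the ISP. The ASA has no tunnel interface to route
! into: packets are routed out of outside first, then encrypted by the crypto map there.
route outside 0.0.0.0 0.0.0.0 BRANCH_ISP_NEXT_HOP 1
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map l2l_vpn 10 match address vpn-interesting-traffic
crypto map l2l_vpn 10 set peer HQ_PUBLIC_IP
crypto map l2l_vpn 10 set ikev1 transform-set ESP-AES-SHA
crypto map l2l_vpn interface outside
```

Two things to check after applying it: `show crypto ipsec sa` on the branch should show a single proxy identity of 10.10.1.0/24 to 0.0.0.0/0 with rising encaps counters when a LAN host browses, and `packet-tracer input inside tcp 10.10.1.50 12345 203.0.113.10 443` on the branch should end in a VPN encrypt phase rather than a NAT phase that rewrites the source (203.0.113.10 is a documentation address used as a sample destination). On HQ, the same packet-tracer from outside should pass the intra-interface check and hit the (outside,outside) dynamic rule.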
    sizeon Member Posts: 321
    eten wrote: »
    The subnets are defined by your crypto ACL. If your destination IP at your branch location is "any", then it should encrypt all traffic towards your HQ.

    Did you remove the NAT statements at your branch ASA?

    Post your configs or enable some logging so you can see what is happening.
    I tried that and it broke my VPN tunnel.