nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Need help with a ASA config

sizeon

I have two ASA setup with site to site VPN. Lets call them ASA-HQ and ASA-branch. How can i make ASA-branch send all traffic to ASA-HQ regardless if it's destined for the remote network or the internet?

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

RouteMyPacket

You need to match traffic via an ACL to determine what you want to traverse the L2L VPN.

In your crypto statement on ASA-HQ should be something like

crypto map l2l_vpn 10 match address vpn_to_Branch
crypto map l2l_vpn 10 set peer x.x.x.x

access-list vpn_to_Branch extended permit ip object-group ASA-HQ-SUBNETS object-group ASA-BRANCH-SUBNETS

ASA-HQ Segments

object network VLAN1
subnet 192.168.1.0 255.255.255.0

object network VLAN2
subnet 192.168.2.0 255.255.255.0

object-group network ASA-HQ-SUBNETS
network-object object VLAN1
network-object object VLAN2

ASA-Branch Segments

object network VLAN1
subnet 10.10.1.0 255.255.255.0

object network VLAN2
subnet 10.10.2.0 255.255.255.0

object-group network ASA-BRANCH-SUBNETS
network-object object VLAN1
network-object object VLAN2

*Edit, I see I did it backwards with ASA-HQ instead of your Branch but the same principle remains. Both sides must match regardless.

sizeon

That is how i have the crypto ACL configured.
On my ASA-HQ i have the following: access-list vpn-interesting-traffic permit ip object HQ-SUBNET object BRANCH-SUBNET.

On my ASA-Branch i have the following: access-list vpn-interesting-traffic permit ip object Branch-SUBNET object HQ-SUBNET.

Still not working.

DPG

Which part isn't working?

sizeon

The ASA-Branch traffic for the public internet is not being routed to the ASA-HQ. I want all traffic from ASA-Branch to be routed to ASA-HQ

DPG

On the branch, your interesting traffic needs to be "any".
On the HQ, you need to setup a hairpin NAT for the branch traffic to come into the HQ and then back out to the internet.

sizeon

ok so would it look like this?

Branch: access-list interesting-traffic permit ip any any
HQ: nat (outside,outside)dynamic int
same-security-traffic permit intra-interface

DPG

The branch config would be ... permit ip "traffic you want routed to the HQ" any.
HQ config should work.

sizeon

It doesnt work. I have my ACL as access-list interesting-traffic permit ip LAN any. phase one doesn't even turn up now.

sizeon

Is there any other way to do this without hairpinning?

eten

Did you modify your HQ crypto ACL "any" to branch?

Did you do NAT exempt on HQ when going from 192.x.x.x to 10.x.x.x ?

sizeon

Yes i did. It totally broke the VPN tunnel.

RouteMyPacket

What I find funny is

A. You haven't posted a single config
B. If it's important, why not call TAC?
C. Do you have a network diagram?
D. See A

Hondabuff

Open up Cisco Config Pro and use the GUI and the wizard for site to site VPN. Then when it works, tell everyone you did it with the CLI

sizeon

The VPN works. But i am trying to route ALL traffic from the branch to HQ. Essentially disabling split tunneling. So ASA1 = HQ ad ASA2=Branch

asa.jpg

eten

The subnets are defined by your crypto ACL. If your destination IP at your branch location is "any", then it should encrypt all traffic towards your HQ.

Did you remove the NAT statements at your branch ASA?

Post your configs or enable some logging so you can see what is happening.

Hondabuff

Did you try "ip route 0.0.0.0 0.0.0.0 tunnel 0"

eten

Hondabuff wrote: »

Did you try "ip route 0.0.0.0 0.0.0.0 tunnel 0"

This is an ASA, not IOS router.

Zartanasaurus

Assuming the tunnel endpoint and internet access on ASA-HQ are the same interface, you'd essentially need something like this at a high level.

ASA-BRANCH VPN = from BRANCH_SUBNETS to ANY
ASA-HQ VPN = from ANY to BRANCH_SUBNETS

ASA-BRANCH route outside 0.0.0.0 0.0.0.0 next hop
ASA-HQ same-security-traffic intra-interface

sizeon

eten wrote: »

The subnets are defined by your crypto ACL. If your destination IP at your branch location is "any", then it should encrypt all traffic towards your HQ.

Did you remove the NAT statements at your branch ASA?

Post your configs or enable some logging so you can see what is happening.

I tried that and it broke my vpn tunnel.