Site to site VPN: remote site using head end internet

fightclub34 Member Posts: 41
I have a question about a hub-and-spoke site-to-site VPN setup. If we want to have all internet traffic go through our hub site for filtering purposes, is this possible? We would be using ASAs at both sites to create the VPN connection. At the remote site we will have a default route to our ISP; I am thinking this will not allow us to send all traffic to the head end. The one idea I have is a proxy server and pointing devices to that.

Any ideas welcome


  • mikearama Member Posts: 749
    I think that would work fine... as long as you make the spoke site the new hub. You're describing the actions of a hub. So set up the head-end VPN at the remote site and create ACLs everywhere pointing to the tunnel for unknown destinations. This'll turn your head office into a spoke, but hey, it'll do the job.
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,800
    From the questions I'm guessing you are not using an internet proxy configured on the clients.

    The default routing on the spoke/remote is not a problem, presuming your VPN tunnel is terminating on that interface (and it's not a separate private circuit); it is the encryption ACL that will define what is ultimately packed up and routed to your hub site. E.g. in this case you will likely want to encrypt everything, so you can simply set your VPN and NAT/NO-NAT ACLs to LOCAL-SUBNETS IP -> ANY.

    So getting to the hub is not a problem, but depending on your filtering solution you may run right into another. If you're using something like Websense and the ASA's integration with it, a configured proxy, or your filter is positioned on the internet side in the outbound path between the ASA and the net, then you should still be okay. But if you are using an appliance that requires the traffic to pass through it on the inside, then you will have issues. You can't policy route on the ASA, so you have no way to pass the traffic back to your filter and then let it route back through the ASA for internet access. As soon as it hits your hub ASA it will hairpin back out to the internet as the default routing on the hub takes effect. One way to get around this is a separate VPN ASA that uses explicit routes to the spokes and has a default towards your primary ASA.

    In any case, if you are using something like this and you will have your filter inline somehow, you will need to set "same-security-traffic permit intra-interface" to allow the hairpinning and add the remote site's private subnet to your NAT/global pairing covering internet access - just set your nat for the OUTSIDE also with the same id as your current global (or use a different global, up to you).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
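The pieces Ahriakin describes (a LOCAL-SUBNETS -> ANY crypto ACL and NAT exemption on the spoke, the mirrored crypto ACL on the hub, "same-security-traffic permit intra-interface" for the hairpin, and an outside NAT entry sharing the id of the existing global) laid out as one configuration pair. This is an added example written for this thread, not configuration posted by either participant. It uses pre-8.3 ASA nat/global syntax to match the reply's wording; subnets, peer addresses, ACL names and the pre-shared key are constructed placeholders, and the command forms should be checked against the ASA release actually in use.

```cisco
! ---------- SPOKE ASA (remote site) ----------
! Assumed: inside 10.2.0.0/24, ISP next hop 198.51.100.1, hub peer 203.0.113.1
! The ISP default route stays in place; the crypto ACL decides what is encrypted.
route outside 0.0.0.0 0.0.0.0 198.51.100.1

! Crypto ACL: everything from the local subnet, to anywhere, goes into the tunnel.
access-list SPOKE-VPN extended permit ip 10.2.0.0 255.255.255.0 any
! NAT exemption with the same match so tunnelled traffic keeps its private source.
access-list NONAT extended permit ip 10.2.0.0 255.255.255.0 any
nat (inside) 0 access-list NONAT

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address SPOKE-VPN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-SHARED-SECRET

! ---------- HUB ASA (head end) ----------
! Assumed: inside 10.1.0.0/24, spoke peer 198.51.100.2, existing global id 1
! Required so traffic that arrives on outside (decrypted) may leave via outside again.
same-security-traffic permit intra-interface

! Mirror of the spoke crypto ACL: anything destined for the spoke subnet is encrypted.
access-list HUB-VPN extended permit ip any 10.2.0.0 255.255.255.0
! Hub-inside to spoke-inside is exempted from NAT; hub-inside to internet is PATed.
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 10.1.0.0 255.255.255.0
! The reply's point: add the spoke subnet on the OUTSIDE interface under the same id
! as the existing global, so hairpinned spoke traffic is PATed to the hub's public IP.
nat (outside) 1 10.2.0.0 255.255.255.0
global (outside) 1 interface

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address HUB-VPN
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-SHARED-SECRET
```

With this in place, spoke hosts reach the internet only through the hub's outside interface, which is what makes hub-side filtering (a Websense-style integration or an upstream proxy) see the traffic. The limitation in the reply still applies: because the hub ASA hairpins decrypted spoke traffic straight back out, an inline filter on the hub's inside segment is bypassed, and a separate VPN-terminating ASA with explicit spoke routes and a default toward the filtering path is the workaround. Verifying the outcome is a matter of checking "show crypto ipsec sa" on the spoke for the 10.2.0.0/24 -> 0.0.0.0/0 proxy identity and "show xlate" on the hub for translations built from the spoke subnet on the outside interface.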