
I have a situation with two locations connected via site-to-site VPN. Site A has a web filtering appliance. I'd like to route all traffic from Site B over the VPN tunnel and out of Site A's internet connection (and web filter). The firewall devices in use are Cisco ASA 5505. The site-to-site VPN is already established.

What do I need to modify in order to accomplish the above?

ewwhite

2 Answers

Assuming your proxy server at site A is p.p.p.p, and the local subnet at site B is b.b.b.0/24:

You'll need to configure the local encryption domain at site A to contain your proxy server, and the remote encryption domain at site B to contain your proxy server. You might also need to alter your firewall access lists to permit the traffic through too, depending on your configuration.

So on the site A ASA:

access-list site-A-site-B_vpn permit ip host p.p.p.p b.b.b.0 255.255.255.0
access-list outside_access_in permit ip b.b.b.0 255.255.255.0 host p.p.p.p

And on the site B ASA:

access-list site-B-site-A_vpn permit ip b.b.b.0 255.255.255.0 host p.p.p.p
access-list inside_access_in permit ip b.b.b.0 255.255.255.0 host p.p.p.p

If you're not using an explicitly defined proxy you are going to run into a little difficulty, because you will effectively have to tunnel 0.0.0.0/0 through your VPN, and GRE over IPsec might be a better option...

paulos

Alter the ACLs controlling your tunnel policy to permit the traffic:

Site A:

access-list outside_cryptomap_A extended permit ip any object-group site_b_hosts
no access-list outside_cryptomap_A extended permit ip object-group site_a_hosts object-group site_b_hosts

Site B:

access-list outside_cryptomap_B extended permit ip object-group site_b_hosts any
no access-list outside_cryptomap_B extended permit ip object-group site_b_hosts object-group site_a_hosts

Traffic coming through this tunnel will be coming in the outside interface, getting decrypted, and going right back out the outside interface (I hope this works for your web filter!), so you'll need to account for that, too:

(config disclaimer: this is 8.2 config, adjust accordingly)

same-security-traffic permit intra-interface
nat (outside) 1 10.X.X.0 255.255.255.0

With this in place, all traffic will catch the encryption policy and the tunnel will build with local/remote networks of 0.0.0.0/0.

testasa# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 100, local addr: X.X.X.X

      access-list outside_cryptomap_A permit ip any object-group site_b_hosts
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.X.X.0/255.255.255.0/0/0)
      current_peer: test-endpoint-public

      #pkts encaps: 719, #pkts encrypt: 719, #pkts digest: 719
      #pkts decaps: 626, #pkts decrypt: 626, #pkts verify: 626
Shane Madden
  • I'm trying to figure out how to achieve the `nat (outside) 1 10.X.X.0 255.255.255.0` in the ASA 8.3 format. – ewwhite Oct 13 '11 at 07:38
  • [This page](https://supportforums.cisco.com/docs/DOC-12690) is pretty much my entire frame of reference on 8.3 config, I'm a bit behind the times on that - should be along the lines of `object network site-b-net`, `subnet 10.x.x.0 255.255.255.0`, `nat (outside,outside) dynamic interface`. – Shane Madden Oct 13 '11 at 14:56
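Both answers above come down to the same two requirements: the crypto ACL (encryption domain) on each ASA must actually select the Site B internet-bound traffic, and the two sides' ACLs must be mirror images of each other, otherwise the proxy IDs disagree and Phase 2 won't negotiate for that flow. The script below is an added example, not code from this thread or from Cisco; it parses ASA-style `access-list ... permit ip` lines (the `host`, `NET MASK`, `object-group` and `any` forms used in the answers), applies `no access-list` lines as deletions the way the ASA CLI does, and reports whether a Site B host's flow to an outside address is caught at B, whether the return flow is caught at A, and whether the two ACLs mirror. The object-group names follow the thread; the addresses, the ACL text in `ORIGINAL_*`/`FULL_TUNNEL_*`, and all function names are placeholders chosen for this example.

```python
"""Mirror-check two ASA crypto-map ACLs and test whether a flow is tunnelled.

Added example, not code from the Server Fault thread. Object-group names
follow the thread (site_a_hosts, site_b_hosts); the addresses, ACL text and
function names are placeholders chosen for this example.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Stand-ins for the thread's object-groups (assumed addresses).
GROUPS = {
    "site_a_hosts": ipaddress.ip_network("10.10.0.0/24"),
    "site_b_hosts": ipaddress.ip_network("10.20.0.0/24"),
}


def _parse_addr(tokens, groups):
    """Consume one ASA address spec (any | host X | object-group G | NET MASK)."""
    kw = tokens.pop(0)
    if kw == "any":
        return ANY
    if kw == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if kw == "object-group":
        return groups[tokens.pop(0)]
    # "10.20.0.0 255.255.255.0": network followed by a dotted subnet mask
    return ipaddress.ip_network(f"{kw}/{tokens.pop(0)}", strict=False)


def parse_acl(name, config, groups=GROUPS):
    """Return the [(src, dst)] ACEs of ACL `name`, applying 'no access-list'
    lines as deletions the way the ASA CLI does. Only 'permit ip' is handled."""
    aces = []
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        negate = tokens[0] == "no"
        if negate:
            tokens.pop(0)
        if tokens[:2] != ["access-list", name]:
            continue
        tokens = tokens[2:]
        if tokens[0] == "extended":
            tokens.pop(0)
        action, proto = tokens.pop(0), tokens.pop(0)
        if (action, proto) != ("permit", "ip"):
            raise ValueError(f"unsupported ACE: {raw.strip()}")
        ace = (_parse_addr(tokens, groups), _parse_addr(tokens, groups))
        if negate:
            aces.remove(ace)  # ValueError if the ACE is absent, as the ASA would complain
        else:
            aces.append(ace)
    return aces


def selects(aces, src_ip, dst_ip):
    """True if a src->dst packet matches the crypto ACL, i.e. gets encrypted."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in aces)


def mirror_mismatches(local, remote):
    """ACEs with no mirror image (src/dst swapped) on the other side.
    Both lists must be empty for the proxy IDs to agree in Phase 2."""
    remote_flipped = {(d, s) for s, d in remote}
    local_set = set(local)
    return (sorted(local_set - remote_flipped, key=str),
            sorted(remote_flipped - local_set, key=str))


# Constructed config fragments in the shape of the thread's answers.
ORIGINAL_A = "access-list outside_cryptomap_A extended permit ip object-group site_a_hosts object-group site_b_hosts\n"
ORIGINAL_B = "access-list outside_cryptomap_B extended permit ip object-group site_b_hosts object-group site_a_hosts\n"
FULL_TUNNEL_A = ORIGINAL_A + (
    "access-list outside_cryptomap_A extended permit ip any object-group site_b_hosts\n"
    "no access-list outside_cryptomap_A extended permit ip object-group site_a_hosts object-group site_b_hosts\n"
)
FULL_TUNNEL_B = ORIGINAL_B + (
    "access-list outside_cryptomap_B extended permit ip object-group site_b_hosts any\n"
    "no access-list outside_cryptomap_B extended permit ip object-group site_b_hosts object-group site_a_hosts\n"
)


def check(site_a_cfg, site_b_cfg, src="10.20.0.5", dst="203.0.113.10"):
    """Does an internet-bound flow from a Site B host (src -> dst) enter the
    tunnel at B, does the reply enter it at A, and do the two sides mirror?"""
    a = parse_acl("outside_cryptomap_A", site_a_cfg)
    b = parse_acl("outside_cryptomap_B", site_b_cfg)
    only_a, only_b = mirror_mismatches(a, b)
    return {
        "site_b_selects": selects(b, src, dst),
        "site_a_selects": selects(a, dst, src),  # return traffic, as seen at A
        "mirrored": not only_a and not only_b,
    }


if __name__ == "__main__":
    print("split tunnel  ", check(ORIGINAL_A, ORIGINAL_B))
    print("full tunnel   ", check(FULL_TUNNEL_A, FULL_TUNNEL_B))
    print("A changed only", check(FULL_TUNNEL_A, ORIGINAL_B))
```

The third case is the one to watch for when making this change in production: if only Site A's ACL is widened to `any`, Site A would happily encrypt return traffic toward Site B, but Site B still never selects its internet-bound packets for the tunnel and the two encryption domains no longer mirror. Paste the real `show running-config access-list` output for both crypto ACLs into `parse_acl` (with the real object-group contents in `GROUPS`) before and after the change to confirm both sides agree.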