[c-nsp] tunnel internet traffic via a VPN?

Peter Krupl peter.krupl at ventelo.dk
Tue Jul 3 09:37:10 EDT 2007


Hi,

This is probably caused by the fact that you can't have the traffic 
entering and leaving the hub pix on the same interface.

Unless you use pix/asa 7.0 or newer software.

The following URL explains the necessary steps:
http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml#ra-sol-2


Kind regards
Peter Åris Krüpl

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Scott Lambert
Sent: 3 July 2007 01:15
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] tunnel internet traffic via a VPN?

I have a customer who has several PIX 506Es, connected to DSL and cable
connections in various towns.  They have working VPNs for the LAN
traffic between the towns via VPN tunnels across the Internet.

The customer now wants to backhaul all Internet traffic from the various
LANs through the central location so that they can do centralized access
control and IPS.

Thinking this would be easy, I set out to add routes and adjust access
lists for the PIXes at the hub and one of the branches.  

I didn't want to risk breaking their Internet access in general since
they are sort of a 24x7 operation.  So, I tried to test with just one
/24 of the Internet.

At the branch, I adjusted the access-list for the VPN to the hub site to
permit one /24 on the Internet to test the config.  I adjusted the nonat
access-list to include traffic from the local LAN to the /24.

 access-list nonat permit ip 172.31.29.0 255.255.255.128 172.31.30.0 255.255.255.0 
+access-list nonat permit ip 172.31.29.0 255.255.255.128 216.61.218.0 255.255.255.0 
 ...
 access-list ToHub permit ip 172.31.29.0 255.255.255.128 172.31.30.0 255.255.255.128 
+access-list ToHub permit ip 172.31.29.0 255.255.255.128 216.61.218.0 255.255.255.0 
 ...
 nat (inside) 0 access-list nonat
 nat (inside) 1 172.31.29.0 255.255.255.128 0 0
 ...
 crypto map out_if 11 ipsec-isakmp
 crypto map out_if 11 match address ToHub
 crypto map out_if 11 set peer h.h.h.h
 crypto map out_if 11 set transform-set STRONG

At the hub, I adjusted the access-list for the VPN to the branch site to
permit traffic from the /24 to the branch's LAN.  I removed the branch's
LAN from the nonat access-list.  I added the branch's LAN to the nat
statements as line 2 just like the statement for the hub's LAN.

i.e:

 access-list nonat permit ip 172.31.30.0 255.255.255.128 172.31.29.0 255.255.255.0 
+access-list nonat permit ip 216.61.218.2 255.255.255.0 172.31.29.0 255.255.255.0 
 ...
 access-list ToBranch permit ip 172.31.30.0 255.255.255.128 172.31.29.0 255.255.255.128 
+access-list ToBranch permit ip 216.61.218.2 255.255.255.0 172.31.29.0 255.255.255.128 
 ...
 nat (inside) 0 access-list nonat
 nat (inside) 1 172.31.30.0 255.255.255.128 0 0
+nat (inside) 2 172.31.29.0 255.255.255.128 0 0
 ...
 crypto map out_if 11 ipsec-isakmp
 crypto map out_if 11 match address ToBranch
 crypto map out_if 11 set peer b.b.b.b
 crypto map out_if 11 set transform-set STRONG
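Review bot: the two added entries use 216.61.218.2 255.255.255.0 where the branch side uses 216.61.218.0 255.255.255.0; 216.61.218.2 has host bits set under that mask and is not the same text as the branch's entry, so write the network address 216.61.218.0 in both the nonat and ToBranch lines so that ToBranch is the exact mirror of ToHub. The added "nat (inside) 2 172.31.29.0 255.255.255.128 0 0" also never sees this traffic: packets from the branch LAN arrive through the tunnel on the outside interface and must leave the same outside interface, and a nat (inside) statement only governs traffic entering on inside; that same-interface hairpin is exactly what the reply above says the hub pix cannot do before PIX/ASA 7.0.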

The access-lists are much longer than I have included here.  Each branch
has a VPN to every other branch and the hub.

Somewhere along the way I tried adding a static route to the branch's PIX:
route inside 216.61.218.0 255.255.255.0 172.31.30.74 1

I don't think the route statement should be necessary.  If I'm right the
VPN's access-list will setup the route when the VPN is up.

I could never reach 216.61.218.0/24 from the branch with the changes
in place.  Without them, it would NAT out the branch pix and work just
fine.  I spent 4 hours trying variations of the above without success.

Could someone tell me what boneheaded mistake I was making?  It can't be
this hard.

I haven't been able to find any examples of this type of configuration
because the search terms (Cisco PIX tunnel Internet via VPN) and
various other combinations with and without grouping phrases pull up so
much noise about VPNs across the Internet.

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert at lambertfam.org
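An added example, not from either poster: a small Python checker for the kinds of mismatch that creep into hand-edited PIX crypto and nat 0 access-lists, run over the ToHub, nonat and ToBranch entries quoted above. The ACL text is constructed from the post and the function names are mine; it flags addresses with host bits set, crypto entries the peer does not mirror, and interesting traffic the nonat list does not exempt.

```python
import ipaddress

# Sample ACLs constructed from the branch and hub configs quoted in the post.
BRANCH_TOHUB = """\
access-list ToHub permit ip 172.31.29.0 255.255.255.128 172.31.30.0 255.255.255.128
access-list ToHub permit ip 172.31.29.0 255.255.255.128 216.61.218.0 255.255.255.0"""
BRANCH_NONAT = """\
access-list nonat permit ip 172.31.29.0 255.255.255.128 172.31.30.0 255.255.255.0
access-list nonat permit ip 172.31.29.0 255.255.255.128 216.61.218.0 255.255.255.0"""
HUB_TOBRANCH = """\
access-list ToBranch permit ip 172.31.30.0 255.255.255.128 172.31.29.0 255.255.255.128
access-list ToBranch permit ip 216.61.218.2 255.255.255.0 172.31.29.0 255.255.255.128"""

def parse_acl(text):
    """Parse PIX 'access-list NAME permit ip SRC SMASK DST DMASK' lines into
    (src, dst) network pairs; report addresses with host bits set under their mask."""
    pairs, warnings = [], []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] != "access-list" or f[2:4] != ["permit", "ip"]:
            raise ValueError(f"unsupported ACE: {line!r}")
        nets = []
        for addr, mask in ((f[4], f[5]), (f[6], f[7])):
            net = ipaddress.IPv4Network((addr, mask), strict=False)  # mask off host bits
            if ipaddress.IPv4Address(addr) != net.network_address:
                warnings.append(f"{f[1]}: {addr} {mask} has host bits set; network is {net}")
            nets.append(net)
        pairs.append(tuple(nets))
    return pairs, warnings

def unmirrored(local, remote):
    """Crypto ACEs must be mirror images: each local (src, dst) needs a remote
    (dst, src) with identical masks, or phase 2 fails on a proxy-ID mismatch."""
    mirrors = {(d, s) for s, d in remote}
    return [p for p in local if p not in mirrors]

def not_exempted(crypto, nonat):
    """Interesting traffic must also match a nat 0 ACE, or its source is
    translated before the crypto map is consulted and never matches."""
    return [(s, d) for s, d in crypto
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)]

def audit(branch_crypto, branch_nonat, hub_crypto):
    b, w1 = parse_acl(branch_crypto)
    n, w2 = parse_acl(branch_nonat)
    h, w3 = parse_acl(hub_crypto)
    return {"host_bits": w1 + w2 + w3,
            "unmirrored": unmirrored(b, h) + unmirrored(h, b),
            "not_exempted": not_exempted(b, n)}
```

On the quoted lists the only finding is the hub's 216.61.218.2 entry; the mirror and nat 0 checks pass once that address is masked.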

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/