Pass traffic from ASA through its own VPN tunnel


SaracenCL (Technical User), Jan 21, 2010
I have two sites with ASA firewalls (ASA5520) at each site and a site-to-site VPN between them.

I need to allow traffic initiated from the firewall to travel through the VPN to the second site, to a server behind the firewall. I would like to know if the ASA supports this, as I have not been able to make it work.

Any comments or feedback welcome.

Thanks.
 
You want traffic to traverse your site-to-site VPN tunnel?
 
Yes.

The reason is that I have enabled NetFlow on both firewalls. The NetFlow collector is in Site A (so no problem there). The firewall in Site B needs to send its NetFlow data. Ideally, if it can send it via the site-to-site VPN, it will be secure.
 
So is there some traffic from B that does NOT go through the tunnel and some traffic that does go through the tunnel? You can create a policy-based route.
 
Site B has a site-to-site VPN with Site A. So some traffic will go via the VPN to Site A. However, some traffic will go out of the Site B firewall as normal.

My real question is whether I should be able to configure the Site B firewall to allow traffic to traverse its own VPN tunnel. If so, how?


 
https://docs.google.com/present/edit?id=0Aeu9SG2Cng8hZG5tOGY2Zl81NzBjNXM1cDd2Ng&hl=en_GB
 
I have had a look at the document on PBR. Thanks. Did you get a chance to look at my diagram? At present FW B cannot talk to network B. Therefore, I don't understand how PBR can help at this stage.

I have looked at the logs and the FW itself is dropping packets for the destination... but only the packets that are generated by the firewall.
 
On FW B, do you have the correct local addresses? Can you post both scrubbed configs?
 
PBR does not work on ASAs.

If you put a PBJ on it and run a lot of inspections it will heat it up nicely though.

What you want is similar to this setup -

The trick is the interesting traffic ACL uses the outside IP of the ASA.

Hope this helps.

Brent
Systems Engineer / Consultant
CCNP, CCSP
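The arrangement Brent describes, as an added illustration that is not part of the original thread or of either poster's config: a Site B ASA fragment (ASA 8.2-era syntax) in which the interesting-traffic ACL also covers the firewall's own outside address, so NetFlow (NSEL) export sourced from that interface is carried inside the tunnel to the collector at Site A. All addresses, names and the pre-shared key are constructed placeholders.

```cisco
! Constructed example addresses (not from the thread):
!   Site B LAN 192.168.2.0/24, FW B outside 203.0.113.2
!   Site A LAN 192.168.1.0/24, FW A outside 198.51.100.1
!   NetFlow collector 192.168.1.50 (UDP 2055) at Site A
!
! Interesting-traffic (crypto) ACL: LAN-to-LAN plus the ASA's own outside IP.
! Firewall-originated packets leave with the outside IP as source; without the
! second line they never match the tunnel and the ASA drops them itself.
access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip host 203.0.113.2 host 192.168.1.50
!
! Site-to-site IKEv1/IPsec pieces.
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE_WITH_SHARED_SECRET
!
! NetFlow Secure Event Logging export. The collector is reached via the outside
! interface, so exports are sourced from 203.0.113.2 and match the crypto ACL.
flow-export destination outside 192.168.1.50 2055
flow-export template timeout-rate 1
policy-map global_policy
 class class-default
  flow-export event-type all destination 192.168.1.50
!
! FW A needs the mirror-image crypto ACL entry:
!   access-list outside_cryptomap extended permit ip host 192.168.1.50 host 203.0.113.2
! Verify on FW B with "show crypto ipsec sa": a second SA for the host-to-host
! pair should appear and its encaps counter should climb as flows are exported.
```

The LAN-to-LAN entry still needs the usual NAT exemption; the host entry does not, because the ASA does not translate traffic it originates itself.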
 