mumbles202
New Member
March 24, 2015
Solved

Hub and Spoke Design w/ Tunnel All

  • March 24, 2015
  • 1 reply
  • 4403 views

I'm working on a new deployment of a 30D (running 5.0.2) that will be a spoke and needs to connect to a Cisco ASA as the hub. I was able to configure the tunnel via the CLI and confirm I am able to pass traffic between the locations, but I also need the 30D to send all of its traffic through the tunnel, as the goal is to have all the internet traffic go out through the hub. In an attempt to get this working I created the tunnel, then modified the destination to be 0.0.0.0/0 and updated the policies I had w/ the same. But when I do a traceroute it is still going out locally. The WAN interface is getting its address via DHCP, so its default route is in the routing table and I didn't see a way to modify it.

Also, on a side note, is there a way to do any kind of port-security or MAC filtering on the LAN ports on that device?  I see how to do it for the wireless side, but didn't see how it would be done on the wired ports.

    Best answer by Jeroen


    1 reply

    Jeroen
    New Member
    March 24, 2015

    Create a policy based route for the traffic that is originating from a specific interface. Route this traffic through the VPN tunnel interface.

    My experience is that using a 0.0.0.0/0 with Cisco on the other end is not successful. Because Cisco is using the VPN routing to create its routing table. This is depending on the model of ASA.

    mumbles202
    New Member
    March 24, 2015

    Thanks. So something like this:

    # "Remote" is the interface-mode IPsec tunnel to the hub, "lan" the local switch ports
    config firewall address
        edit "local_address"
            set subnet 172.25.101.0 255.255.255.0
        next
        edit "Internet"
            set subnet 0.0.0.0 0.0.0.0
        next
    end

    config firewall policy
        edit 4
            set srcintf "lan"
            set dstintf "Remote"
            set srcaddr "local_address"
            set dstaddr "Internet"
            set action accept
            set schedule "always"
            set service "ALL"
            set comments "From LAN to Internet"
        next
        edit 5
            set srcintf "Remote"
            set dstintf "lan"
            set srcaddr "Internet"
            set dstaddr "local_address"
            set action accept
            set schedule "always"
            set service "ALL"
            set comments "From Internet to LAN"
        next
    end

    # Policy route: in the 5.0 CLI this takes subnets and device names, not address objects
    config router policy
        edit 1
            set input-device "lan"
            set src 172.25.101.0 255.255.255.0
            set dst 0.0.0.0 0.0.0.0
            set output-device "Remote"
        next
    end

    I'll take a look. I've done Cisco to Cisco w/o issue (w/ this particular ASA being the hub for a similar setup for another branch) so I think that part should be straightforward.
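To show how Jeroen's policy-route answer and the config sketch above fit together on the spoke, here is an added example in FortiOS 5.0 CLI form (not configuration posted by either participant). It assumes the interface-mode tunnel is named "Remote" on the "wan" interface, the LAN is 172.25.101.0/24 behind "lan", and the documentation address 203.0.113.10 stands in for the hub ASA; the 0.0.0.0/0 phase2 selector plus the policy route are what make the spoke send everything through the hub, while the FortiGate's own IKE/ESP packets keep using the DHCP default route.

```fortios
# Added example, FortiOS 5.0 syntax; interface names and the hub address are assumptions.
# Spoke side only: the hub ASA must accept 0.0.0.0/0 as the spoke's remote selector.
config vpn ipsec phase1-interface
    edit "Remote"
        set interface "wan"                 # WAN gets its address via DHCP
        set ike-version 1
        set proposal aes256-sha1
        set remote-gw 203.0.113.10          # hub ASA public address (placeholder)
        set psksecret <pre-shared-key>      # placeholder, replace with the real key
    next
end
config vpn ipsec phase2-interface
    edit "Remote-p2"
        set phase1name "Remote"
        set proposal aes256-sha1
        set src-subnet 172.25.101.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0      # any destination, i.e. tunnel all
        set keepalive enable                # keep the SA up while the LAN is idle
    next
end
# Policy route: only packets that enter on "lan" are steered into the tunnel.
# The FortiGate's own IKE/ESP traffic to the hub never enters on "lan", so it
# still follows the DHCP-learned default route on wan and the tunnel stays up.
config router policy
    edit 1
        set input-device "lan"
        set src 172.25.101.0 255.255.255.0
        set dst 0.0.0.0 0.0.0.0
        set output-device "Remote"
    next
end
# Checks after applying:
#   diagnose vpn tunnel list            # phase2 selector should read 0.0.0.0/0
#   get router info routing-table all   # DHCP default route is still on wan
#   traceroute from a LAN host should now pass through the hub, not the local WAN
# If LAN traffic still leaves via wan, check whether this release also wants a
# route to the destination via "Remote" in the routing table; a static 0.0.0.0/0
# on "Remote" with a higher priority value than the DHCP route keeps both active
# without changing which one the FortiGate itself prefers.
```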