ASA tunnel internet over VPN

In some circumstances organisations need to route internet traffic from remote branch sites over an IPsec VPN back to the Data Centre, so that the branch reaches the internet through the Data Centre (and the security controls and logging that sit there) rather than directly from the remote site.

This post covers the configuration changes needed on a Cisco ASA VPN to route internet traffic from a branch site over the VPN. It assumes there is already a functioning policy-based (crypto map) VPN between two Cisco ASA firewalls.

Configuration

In this scenario there are two sites, DATACENTRE (public IP 1.1.1.1, internal network 10.10.0.0/22) and BRANCH (public IP 2.2.2.1, internal network 10.20.0.0/22). All traffic from the BRANCH network, including internet traffic, will be routed over the VPN tunnel to DATACENTRE.

Network Objects

Network objects are required because they are referenced by both the NAT rules and the crypto ACLs.

object network DATACENTRE
 subnet 10.10.0.0 255.255.252.0
!
object network BRANCH
 subnet 10.20.0.0 255.255.252.0

Crypto ACL

To route all internet traffic over the VPN the crypto ACL must be amended on both ASAs. Replace the existing DATACENTRE-to-BRANCH entry rather than adding a second one: each ACE negotiates its own IPsec SA, and the two sides must be exact mirrors of each other.

The crypto ACL on the Data Centre ASA should be configured with the source network as “any” or “any4” and the destination as the BRANCH object. On ASA 9.0 and later “any” also matches IPv6, so “any4” is used here to keep the ACL explicitly IPv4.

DATACENTRE(config)# access-list VPN extended permit ip any4 object BRANCH

The crypto ACL on the Branch ASA should be configured with the source as the object that reflects the local network (in this instance BRANCH) and the destination as “any” or “any4”.

BRANCH(config)# access-list VPN extended permit ip object BRANCH any4

NAT

On the DATACENTRE ASA the remote branch network requires a NAT rule so that it can reach the internet. Branch traffic arrives decrypted on the OUTSIDE interface and leaves to the internet on the same interface, so both the source and destination interface are OUTSIDE, and the branch network is translated behind the public IP address 1.1.1.4. That address must be one the upstream router delivers to the ASA’s OUTSIDE interface (the ASA proxy-ARPs for mapped addresses that fall within the interface subnet).

DATACENTRE(config)# object network BRANCH
DATACENTRE(config-network-object)# nat (OUTSIDE,OUTSIDE) dynamic 1.1.1.4

On the DATACENTRE ASA a NAT exemption (identity NAT) rule between the DATACENTRE and BRANCH networks is also required, so that site-to-site traffic is not translated before it is matched against the crypto ACL. Being a manual NAT rule it sits in Section 1 and is evaluated before the object NAT rule above.

DATACENTRE(config)# nat (INSIDE,OUTSIDE) source static DATACENTRE DATACENTRE destination static BRANCH BRANCH

A mirror NAT exemption rule is required on the BRANCH ASA, with the source and destination objects reversed.

BRANCH(config)# nat (INSIDE,OUTSIDE) source static BRANCH BRANCH destination static DATACENTRE DATACENTRE

If the BRANCH ASA previously reached the internet directly it will also have a dynamic PAT rule for its INSIDE network. That rule must be removed (or the BRANCH network exempted from it for all destinations), because NAT is applied before the crypto ACL is evaluated: internet-bound traffic translated to 2.2.2.1 no longer matches “object BRANCH any4” and is sent straight to the internet, bypassing the tunnel.

Hairpinning

To allow the ASA to send traffic back out the same interface it arrived on (hairpinning), the command same-security-traffic permit intra-interface must be configured on the DATACENTRE ASA; without it the decrypted branch traffic arriving on OUTSIDE is dropped instead of being routed back out of OUTSIDE.

DATACENTRE(config)# same-security-traffic permit intra-interface

Note that this traffic never crosses the INSIDE interface, and with the default sysopt connection permit-vpn setting decrypted VPN traffic also bypasses the OUTSIDE interface ACL. If the branch’s internet traffic is to be filtered at the Data Centre, apply a vpn-filter in the group policy used by the BRANCH tunnel-group, or disable sysopt connection permit-vpn and put the policy in the OUTSIDE ACL.

Routing

With “any” traffic routed over the VPN a problem appeared when establishing the tunnel: during testing the following syslog message was generated and the VPN failed to establish.

%ASA-6-110003: Routing failed to locate next hop for UDP from identity:2.2.2.1/500 to OUTSIDE:1.1.1.1/500

To resolve this, create a /32 static route (in addition to the default route) on the Data Centre ASA to the remote peer’s public IP address, pointing at the same next hop as the default route (1.1.1.254 in this example).

DATACENTRE(config)# route OUTSIDE 2.2.2.1 255.255.255.255 1.1.1.254

Repeat the same on the remote branch ASA: a /32 static route to the Data Centre peer’s public IP address via the branch’s upstream next hop (2.2.2.254).

BRANCH(config)# route OUTSIDE 1.1.1.1 255.255.255.255 2.2.2.254

Testing/Verification

When a device behind the BRANCH ASA generates traffic to a public IP address, the traffic is routed to the BRANCH ASA, which establishes a VPN tunnel to the DATACENTRE ASA. Subsequent traffic is routed over this tunnel and reaches the internet from the DATACENTRE.

From the BRANCH ASA run show crypto ipsec sa to confirm the IPsec SA has established correctly; the remote ident will be 0.0.0.0/0.0.0.0. Check that the #pkts encaps and #pkts decaps counters both increase with traffic. If encaps rises while decaps stays flat, the traffic is being sent but nothing is coming back from the Data Centre, which usually points at the hairpin NAT or same-security-traffic configuration there.

BRANCH# show crypto ipsec sa
interface: OUTSIDE
Crypto map tag: CMAP, seq num: 1, local addr: 2.2.2.1
access-list VPN extended permit ip 10.20.0.0 255.255.252.0 any
local ident (addr/mask/prot/port): (10.20.0.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 1.1.1.1

#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14

From the DATACENTRE ASA run show crypto ipsec sa and confirm the encaps and decaps counters increase in step with the BRANCH counters (BRANCH encaps should roughly match DATACENTRE decaps and vice versa).

DATACENTRE# show crypto ipsec sa
interface: OUTSIDE
Crypto map tag: CMAP, seq num: 1, local addr: 1.1.1.1
access-list VPN extended permit ip any4 10.20.0.0 255.255.252.0
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.20.0.0/255.255.252.0/0/0)
current_peer: 2.2.2.1

#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14

From the DATACENTRE ASA run show nat detail to confirm the BRANCH traffic is being translated. The translate_hits counter on the (OUTSIDE) to (OUTSIDE) rule should increase as branch hosts browse; the Section 1 exemption rule only counts DATACENTRE to BRANCH traffic, so it stays at 0 in a test that sends branch internet traffic alone.

DATACENTRE(config)# show nat detail
Manual NAT Policies (Section 1)
1 (INSIDE) to (OUTSIDE) source static DATACENTRE DATACENTRE destination static BRANCH BRANCH
 translate_hits = 0, untranslate_hits = 0
 Source - Origin: 10.10.0.0/22, Translated: 10.10.0.0/22
 Destination - Origin: 10.20.0.0/22, Translated: 10.20.0.0/22

Auto NAT Policies (Section 2)
1 (OUTSIDE) to (OUTSIDE) source dynamic BRANCH 1.1.1.4
 translate_hits = 23, untranslate_hits = 8
 Source - Origin: 10.20.0.0/22, Translated: 1.1.1.4/32
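The checks in this section can be scripted. The following Python is an added example, not code from the original post: it parses the text of show crypto ipsec sa from the BRANCH ASA and show nat detail from the DATACENTRE ASA and reports the conditions described above (remote ident of 0.0.0.0/0.0.0.0, both packet counters rising between two snapshots, the hairpin NAT rule present and hit, the exemption rule present). The sample strings are constructed from the post's own show output, re-indented, with the second BRANCH snapshot's counters bumped by hand; the function names and the 1.1.1.4 default are the example's own, and collecting the output from a live ASA is left out.

```python
"""Offline checks for a tunnel-all-traffic ASA VPN, driven by show output.

Added example, not part of the original post. It parses 'show crypto ipsec sa'
(spoke) and 'show nat detail' (hub) as an ASA prints them. The samples below are
constructed from the post's own output; the second spoke snapshot's counters are
bumped by hand to stand in for traffic sent between snapshots.
"""
import re

# Constructed sample: BRANCH# show crypto ipsec sa, first snapshot.
IPSEC_SA_BEFORE = """\
interface: OUTSIDE
    Crypto map tag: CMAP, seq num: 1, local addr: 2.2.2.1

      access-list VPN extended permit ip 10.20.0.0 255.255.252.0 any
      local ident (addr/mask/prot/port): (10.20.0.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
      #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
"""
# Constructed second snapshot: counters advanced as if a host behind BRANCH had browsed.
IPSEC_SA_AFTER = (IPSEC_SA_BEFORE.replace("#pkts encaps: 14", "#pkts encaps: 40")
                                 .replace("#pkts decaps: 14", "#pkts decaps: 38"))

# Constructed sample: DATACENTRE# show nat detail (hub side).
NAT_DETAIL = """\
Manual NAT Policies (Section 1)
1 (INSIDE) to (OUTSIDE) source static DATACENTRE DATACENTRE   destination static BRANCH BRANCH
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (OUTSIDE) to (OUTSIDE) source dynamic BRANCH 1.1.1.4
    translate_hits = 23, untranslate_hits = 8
"""

ANY_IDENT = "0.0.0.0/0.0.0.0/0/0"  # how a crypto ACL destination of 'any4' shows in the SA

_SA_FIELDS = {
    "peer": re.compile(r"current_peer:\s*(\S+)"),
    "local_ident": re.compile(r"local ident \(addr/mask/prot/port\): \(([^)]*)\)"),
    "remote_ident": re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
}
_NAT_RULE = re.compile(  # rule line followed by its translate_hits line
    r"^\s*\d+\s+\((?P<from>[^)]+)\) to \((?P<to>[^)]+)\) "
    r"source (?P<kind>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)"
    r"(?:\s+destination static (?P<dreal>\S+) (?P<dmapped>\S+))?[^\n]*\n"
    r"\s*translate_hits = (?P<thits>\d+), untranslate_hits = (?P<uhits>\d+)", re.M)


def parse_ipsec_sa(text):
    """One dict per 'Crypto map tag' block: peer, proxy idents and packet counters."""
    sas = []
    for block in re.split(r"(?m)^\s*(?=Crypto map tag:)", text):
        if not block.lstrip().startswith("Crypto map tag:"):
            continue
        sa = {}
        for name, rx in _SA_FIELDS.items():
            m = rx.search(block)
            if m:
                sa[name] = int(m.group(1)) if name in ("encaps", "decaps") else m.group(1)
        sas.append(sa)
    return sas


def verify_branch_sa(before_text, after_text, peer, local_net):
    """Spoke-side checks. Returns a list of findings; an empty list means all good."""
    before = [s for s in parse_ipsec_sa(before_text) if s.get("peer") == peer]
    after = [s for s in parse_ipsec_sa(after_text) if s.get("peer") == peer]
    if len(after) != 1:
        return [f"expected exactly one SA to peer {peer}, found {len(after)}"]
    sa, findings = after[0], []
    if sa.get("local_ident") != f"{local_net}/0/0":
        findings.append(f"local ident is {sa.get('local_ident')}, expected {local_net}/0/0")
    if sa.get("remote_ident") != ANY_IDENT:
        findings.append("remote ident is not 0.0.0.0/0.0.0.0: crypto ACL does not cover 'any'")
    if not before:
        return findings + ["no earlier snapshot for this peer; counters not compared"]
    for counter in ("encaps", "decaps"):  # encaps up but decaps flat => no return traffic
        if sa.get(counter, 0) <= before[0].get(counter, 0):
            findings.append(f"#pkts {counter} did not increase between snapshots")
    return findings


def parse_nat_detail(text):
    """One dict per rule line of 'show nat detail', with hit counters as ints."""
    return [dict(m.groupdict(), translate_hits=int(m["thits"]), untranslate_hits=int(m["uhits"]))
            for m in _NAT_RULE.finditer(text)]


def verify_hub_nat(text, branch_obj="BRANCH", dc_obj="DATACENTRE", public_ip="1.1.1.4"):
    """Hub-side checks: hairpin NAT for the branch exists, maps to the expected public
    IP and has been hit; the DC<->branch identity (exemption) rule exists."""
    rules, findings = parse_nat_detail(text), []
    hairpin = [r for r in rules if r["kind"] == "dynamic" and r["real"] == branch_obj
               and r["from"] == "OUTSIDE" and r["to"] == "OUTSIDE"]
    if not hairpin:
        findings.append(f"no (OUTSIDE,OUTSIDE) dynamic NAT rule for {branch_obj}")
    else:
        if hairpin[0]["mapped"] != public_ip:
            findings.append(f"{branch_obj} is translated to {hairpin[0]['mapped']}, expected {public_ip}")
        if hairpin[0]["translate_hits"] == 0:
            findings.append("hairpin NAT rule has no translate_hits: branch internet traffic is not being translated")
    if not [r for r in rules if r["kind"] == "static" and r["real"] == r["mapped"] == dc_obj
            and r["dreal"] == r["dmapped"] == branch_obj]:
        findings.append(f"no identity NAT exemption {dc_obj} <-> {branch_obj}")
    return findings
```

Run verify_branch_sa with two captures taken a minute apart while a branch host browses, and verify_hub_nat on the hub capture; both return an empty list when the configuration in this post is working. The counter comparison is deliberately directional: encaps rising on the BRANCH ASA with decaps flat is the signature of the hub dropping or mis-translating the hairpinned traffic.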

One thought on “ASA tunnel internet over VPN”

  1. This is a good article!
    Configuring a Cisco ASA VPN to route internet traffic from a branch site over the VPN to the Data Centre is explained in this post. The configuration assumes that there is already a functioning Policy Based VPN between two Cisco ASA Firewalls. The post covers the configuration steps, including setting up network objects, configuring crypto ACLs, NAT rules, hairpinning, and routing. It also provides instructions for testing and verification of the VPN setup.
    Wayne
