cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
fnbisson
New Contributor

Force Internet through VPN tunnel (No split tunnel)

Jump to solution

I have a VPN tunnel with two adtran device.

Site A is the main office and site B the branch.

I am trying to route all traffic fromnneln Site B to Site A, so that nothing in Site B goes to the internet without going through Site A

How can I do this ?

Labels (4)
0 Kudos
1 Solution

Accepted Solutions
Anonymous
Not applicable

Re: Force Internet through VPN tunnel (No split tunnel)

Jump to solution

- Thanks for posting your question on the forum! You opened up a ticket with Adtran Tech Support, and below I am adding what ended up being the solution to this setup:

You may find the following post is closer to what you are trying to set up: Re: using a VPN as a gateway

However, the Central site configuration will differ slightly from the post if the Central site's VPN router also acts as the Central site's internet router:

ip access-list extended VPN-SELECTORS

  permit ip any <REMOTE LAN SUBNET>


** NOTE: The ACL VPN-SELECTORS will need to be the ACL that the crypto map references. The ACLs below are needed for the firewall to handle the traffic correctly.

ip access-list extended VPN-TO-REMOTE

  permit ip <LOCAL LAN SUBNET> <REMOTE LAN SUBNET>

!

ip access-list extended VPN-FROM-REMOTE

  permit ip <REMOTE LAN SUBNET> <LOCAL LAN SUBNET>

!

ip access-list extended VPN-REMOTE-INTERNET

  permit ip <REMOTE LAN SUBNET> any

!

ip policy-class PRIVATE

  allow list VPN-TO-REMOTE stateless

!

no ip policy-class PUBLIC rpf-check

ip policy-class PUBLIC

  allow list VPN-FROM-REMOTE stateless

  nat source list VPN-REMOTE-INTERNET address <WAN IP address>

Please do not hesitate to let us know if you have any further questions or issues.

Thanks,

Noor

View solution in original post

3 Replies
Anonymous
Not applicable

Re: Force Internet through VPN tunnel (No split tunnel)

Jump to solution

- Thanks for posting your question on the forum! You opened up a ticket with Adtran Tech Support, and below I am adding what ended up being the solution to this setup:

You may find the following post is closer to what you are trying to set up: Re: using a VPN as a gateway

However, the Central site configuration will differ slightly from the post if the Central site's VPN router also acts as the Central site's internet router:

ip access-list extended VPN-SELECTORS

  permit ip any <REMOTE LAN SUBNET>


** NOTE: The ACL VPN-SELECTORS will need to be the ACL that the crypto map references. The ACLs below are needed for the firewall to handle the traffic correctly.

ip access-list extended VPN-TO-REMOTE

  permit ip <LOCAL LAN SUBNET> <REMOTE LAN SUBNET>

!

ip access-list extended VPN-FROM-REMOTE

  permit ip <REMOTE LAN SUBNET> <LOCAL LAN SUBNET>

!

ip access-list extended VPN-REMOTE-INTERNET

  permit ip <REMOTE LAN SUBNET> any

!

ip policy-class PRIVATE

  allow list VPN-TO-REMOTE stateless

!

no ip policy-class PUBLIC rpf-check

ip policy-class PUBLIC

  allow list VPN-FROM-REMOTE stateless

  nat source list VPN-REMOTE-INTERNET address <WAN IP address>

Please do not hesitate to let us know if you have any further questions or issues.

Thanks,

Noor

Anonymous
Not applicable

Re: Force Internet through VPN tunnel (No split tunnel)

Jump to solution

-

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.


Thanks,

Noor

Anonymous
Not applicable

Re: Force Internet through VPN tunnel (No split tunnel)

Jump to solution

That looks genius.  I'll give it a go when I get a chance to set up my bench router.

Thanks