5 Replies Latest reply on Jun 11, 2012 1:31 PM by chrisw

    Route traffic to certain address through VPN

    chrisw New Member

      Hello,

      I have a Netvanta 3448 at the main office with several 3120's connected by VPN at branch locations. There are certain customers that we connect to on the Internet that have whitelisted our public IPs at our headquarters office but not the public IPs at the branch offices. From the branch office I'd like to route all traffic to these customers through the VPN tunnel and out the WAN connection at headquarters. But I'm having trouble creating a route to do this with a VPN as the gateway. I suspect that I need to use policy-based routes instead, but I can't figure that out either.

      Any pointers to get me in the right direction?

      Thanks,

      Chris

        • Re: Route traffic to certain address through VPN
          Employee

          Chris,

          Thanks for posting your question on the forum!

          Traffic that goes over a VPN tunnel is determined by the traffic specified in the traffic selectors for that particular VPN, also known as VPN selectors. There is no need to add any additional routes or configure policy-based routing. The VPN tunnel uses the branch office's internet connection, so it will use the default route. However, we can choose which traffic goes over the VPN tunnel by specifying it in the VPN selectors.

          Configuration modifications will need to be made on the branch router as well as the main router for this application to work. The instructions below will use an example where the branch office has a LAN of 192.168.10.0/24 and HQ has a LAN of 10.10.10.0/24. The HQ's WAN IP is 1.1.1.1. You have a customer that has an IP address of 2.2.2.2. You would like to route traffic coming from the branch office destined for your customer at 2.2.2.2 across the VPN tunnel to HQ and then out HQ's internet connection.

          Branch Office

          The branch office will need its VPN selectors defined as the following:

               ip access-list ext BranchVPN
                    permit ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255     <- For branch to HQ traffic
                    permit ip 192.168.10.0 0.0.0.255 host 2.2.2.2             <- For branch to customer traffic

          HQ

          HQ will need its VPN selectors defined as the following:

               ip access-list ext HQVPN
                    permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255     <- For HQ to branch traffic
                    permit ip host 2.2.2.2 192.168.10.0 0.0.0.255             <- For customer to branch traffic

          You will also need to configure an additional ACL and make an additional change in HQ's public policy-class/security zone:

          ip access-list extended Branch2Customer
               permit ip 192.168.10.0 0.0.0.255 host 2.2.2.2

          ip policy-class Public
             nat source list Branch2Customer address 1.1.1.1 overload   <- This will NAT branch to customer traffic so it goes out HQ's internet connection
             allow reverse list HQVPN stateless

          You will also need to disable the RPF check for the Public policy-class. This can be done with the following command:

          no ip policy-class Public rpf-check

          Please do not hesitate to let me know if you have any questions.

           

          Thanks,

          Noor

            • Re: Route traffic to certain address through VPN
              chrisw New Member

              Hi Noor,

              Thanks for the info. This all makes sense, so I gave this a try but no luck. These are the relevant portions of my config. The lines in red are the lines that I added. I replaced the public IPs with 1.1.1.1 and 2.2.2.2 for posting to the forum.

              Am I missing something?

              Thanks,

              Chris

               

              Branch Office router

              ip access-list extended VPN-10-vpn-selectors
                  permit ip 10.10.20.0 0.0.0.255  10.10.0.0 0.0.255.255
                  permit ip 10.10.20.0 0.0.0.255  host 2.2.2.2

              HQ Router

              ip access-list extended VPN-70-vpn-selectors1
                  permit ip 10.10.0.0 0.0.255.255  10.10.20.0 0.0.0.255
                  permit ip host 2.2.2.2 10.10.20.0 0.0.0.255

              ip access-list extended RemoteSitesStaticRoutes
                 permit ip 10.10.20.0 0.0.0.255 host 2.2.2.2

              ip policy-class Public-2
                 nat source list RemoteSitesStaticRoutes address 1.1.1.1 overload
                 nat destination list OUTSIDE-Numonyx pool POOL-Numonyx
                 allow list ADTRAN
                 allow list web-acl-19 self
                 nat destination list web-acl-20-Comcast address 10.10.2.32
                 nat destination list web-acl-28-Comcast address 10.10.1.32
                 nat destination list web-acl-30-Comcast address 10.10.2.41
                 nat destination list web-acl-32-Comcast address 10.10.8.35
                 nat destination list web-acl-66-Comcast address 10.10.1.36
                 nat destination list web-acl-108 address 10.10.3.36 port 80
                 nat destination list web-acl-110 address 10.10.3.36
                 nat destination list web-acl-111 address 10.10.1.44
                 nat destination list web-acl-103 address 10.10.1.36
                 allow list web-acl-118 self

                • Re: Route traffic to certain address through VPN
                  Employee

                  Chris,

                  The commands you entered appear correct. However, I think you will also need to add the "no ip policy-class Public-2 rpf-check" command at the main router. This can be done in config mode.

                  A good way to try and determine what is happening to the traffic is to issue the "show ip policy-session" command. You should view the Private policy-class at the branch office and the Public-2 policy-class to see if traffic is being passed and NATted the way you want.

                  Let us know if you have any questions.

                  Thanks,

                  Noor