chrisw
New Contributor

Route traffic to certain address through VPN

Hello,

I have a NetVanta 3448 at the main office with several 3120s connected by VPN at branch locations. There are certain customers that we connect to on the Internet that have whitelisted our public IPs at our headquarters office but not the public IPs at the branch offices. From the branch office I'd like to route all traffic to these customers through the VPN tunnel and out the WAN connection at headquarters. But I'm having trouble creating a route to do this with a VPN as the gateway. I suspect that I need to use policy-based routes instead, but I can't figure that out either.

Any pointers to get me in the right direction?

Thanks,

Chris

Anonymous
Not applicable

Re: Route traffic to certain address through VPN

Chris,

Thanks for posting your question on the forum!

Traffic that goes over a VPN tunnel is determined by the traffic specified in the traffic selectors for that particular VPN, also known as VPN selectors. There is no need to add any additional routes or configure policy-based routing. The VPN tunnel uses the branch office's internet connection so it will use the default route. However, we can choose which traffic goes over the VPN tunnel by specifying it in the VPN selectors.

Configuration modifications will need to be made on the branch router as well as the main router for this application to work. The instructions below use an example where the branch office has a LAN of 192.168.10.0/24 and HQ has a LAN of 10.10.10.0/24. The HQ's WAN IP is 1.1.1.1. You have a customer that has an IP address of 2.2.2.2. You would like to route traffic coming from the branch office destined for your customer at 2.2.2.2 across the VPN tunnel to HQ and then out HQ's internet connection.

Branch Office

The branch office will need its VPN selectors defined as the following:

     ip access-list ext BranchVPN
          permit ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255     <- For branch to HQ traffic
          permit ip 192.168.10.0 0.0.0.255 host 2.2.2.2              <- For branch to customer traffic

HQ

HQ will need its VPN selectors defined as the following:

     ip access-list ext HQVPN
          permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255     <- For HQ to branch traffic
          permit ip host 2.2.2.2 192.168.10.0 0.0.0.255              <- For customer to branch traffic

You will also need to configure an additional ACL and make an additional change in HQ's public policy-class/security zone:

ip access-list extended Branch2Customer
     permit ip 192.168.10.0 0.0.0.255 host 2.2.2.2

ip policy-class Public
   nat source list Branch2Customer address 1.1.1.1 overload   <- This will NAT branch-to-customer traffic to go out HQ's internet connection
   allow reverse list HQVPN stateless

You will also need to disable RPF check for the Public policy-class. This can be done with the following command:

no ip policy-class Public rpf-check

Please do not hesitate to let me know if you have any questions.

Thanks,

Noor
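Two things in the answer above have to line up for this to work: the branch and HQ VPN selectors must mirror each other, and the HQ NAT source ACL must cover the same branch-to-customer flow. The following Python helper is an added example, not part of this thread or of AOS; it parses the "permit ip" lines in the wildcard/host syntax used above (including /16-style wildcards such as 0.0.255.255) and checks both conditions, with the addresses from this post embedded as constructed sample input.

```python
import ipaddress

# Constructed sample input: the selector and NAT lists from the worked example above.
BRANCH_VPN = """
ip access-list ext BranchVPN
  permit ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255
  permit ip 192.168.10.0 0.0.0.255 host 2.2.2.2
"""
HQ_VPN = """
ip access-list ext HQVPN
  permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
  permit ip host 2.2.2.2 192.168.10.0 0.0.0.255
"""
HQ_NAT_LIST = """
ip access-list extended Branch2Customer
  permit ip 192.168.10.0 0.0.0.255 host 2.2.2.2
"""

def _take_addr(tokens):
    """Consume one address spec ('host A' or 'A WILDCARD'); return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    hostmask = int(ipaddress.ip_address(tokens[1]))  # wildcard bits are the host bits
    if hostmask & (hostmask + 1):
        raise ValueError(f"non-contiguous wildcard {tokens[1]}")
    prefix = 32 - hostmask.bit_length()
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]

def parse_permits(acl_text):
    """Return the set of (src_net, dst_net) pairs from the 'permit ip' lines of an ACL."""
    pairs = set()
    for line in acl_text.splitlines():
        tokens = line.split()
        if tokens[:2] == ["permit", "ip"]:
            src, rest = _take_addr(tokens[2:])
            dst, _ = _take_addr(rest)
            pairs.add((src, dst))
    return pairs

def unmirrored(branch_acl, hq_acl):
    """Selector pairs on one side whose reversed (dst, src) pair is missing on the other side."""
    b, h = parse_permits(branch_acl), parse_permits(hq_acl)
    return {p for p in b if (p[1], p[0]) not in h} | {p for p in h if (p[1], p[0]) not in b}

def flow_matches(acl_text, src_ip, dst_ip):
    """True if a packet src_ip -> dst_ip is covered by some permit line of the ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for sn, dn in parse_permits(acl_text))
```

An empty result from unmirrored() plus a True from flow_matches() on both the branch selectors and the HQ NAT list means the flow is selected into the tunnel at the branch and NATted to the HQ public address on the way out.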

chrisw
New Contributor

Re: Route traffic to certain address through VPN

Hi Noor,

Thanks for the info. This all makes sense, so I gave this a try but no luck. These are the relevant portions of my config. The lines in red are the lines that I added. I replaced the public IPs with 1.1.1.1 and 2.2.2.2 for posting to the forum.

Am I missing something?

Thanks,

Chris

Branch Office router

ip access-list extended VPN-10-vpn-selectors
    permit ip 10.10.20.0 0.0.0.255  10.10.0.0 0.0.255.255
    permit ip 10.10.20.0 0.0.0.255  host 2.2.2.2

HQ Router

ip access-list extended VPN-70-vpn-selectors1
    permit ip 10.10.0.0 0.0.255.255  10.10.20.0 0.0.0.255
    permit ip host 2.2.2.2 10.10.20.0 0.0.0.255

ip access-list extended RemoteSitesStaticRoutes
   permit ip 10.10.20.0 0.0.0.255 host 2.2.2.2

ip policy-class Public-2
   nat source list RemoteSitesStaticRoutes address 1.1.1.1 overload
   nat destination list OUTSIDE-Numonyx pool POOL-Numonyx
   allow list ADTRAN
   allow list web-acl-19 self
   nat destination list web-acl-20-Comcast address 10.10.2.32
   nat destination list web-acl-28-Comcast address 10.10.1.32
   nat destination list web-acl-30-Comcast address 10.10.2.41
   nat destination list web-acl-32-Comcast address 10.10.8.35
   nat destination list web-acl-66-Comcast address 10.10.1.36
   nat destination list web-acl-108 address 10.10.3.36 port 80
   nat destination list web-acl-110 address 10.10.3.36
   nat destination list web-acl-111 address 10.10.1.44
   nat destination list web-acl-103 address 10.10.1.36
   allow list web-acl-118 self


Anonymous
Not applicable

Re: Route traffic to certain address through VPN

Chris,

The commands you entered appear correct. However, I think you will also need to add the "no ip policy-class Public-2 rpf-check" command at the main router. This can be done in config mode.

A good way to try and determine what is happening to the traffic is to issue the "show ip policy-session" command. You should view the Private policy-class at the branch office and the Public-2 policy-class to see if traffic is being passed and NATted the way you want.

Let us know if you have any questions.

Thanks,

Noor

Anonymous
Not applicable

Re: Route traffic to certain address through VPN

Chris- I went ahead and flagged this post as “Assumed Answered.”  If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

Thanks,

Noor

chrisw
New Contributor

Re: Route traffic to certain address through VPN

Noor,

Thank you very much, this worked great!  Very useful.

Chris