I have a VPN tunnel with two Adtran devices.
Site A is the main office and site B the branch.
I am trying to route all traffic from Site B to Site A, so that nothing in Site B goes to the internet without going through Site A.
How can I do this ?
- Thanks for posting your question on the forum! You opened up a ticket with Adtran Tech Support, and below I am adding what ended up being the solution to this setup:
You may find the following post is closer to what you are trying to set up: Re: using a VPN as a gateway
However, the Central site configuration will differ slightly from the post if the Central site's VPN router also acts as the Central site's internet router:
ip access-list extended VPN-SELECTORS
permit ip any <REMOTE LAN SUBNET>
** NOTE: The ACL VPN-SELECTORS will need to be the ACL that the crypto map references. The ACLs below are needed for the firewall to handle the traffic correctly.
ip access-list extended VPN-TO-REMOTE
permit ip <LOCAL LAN SUBNET> <REMOTE LAN SUBNET>
!
ip access-list extended VPN-FROM-REMOTE
permit ip <REMOTE LAN SUBNET> <LOCAL LAN SUBNET>
!
ip access-list extended VPN-REMOTE-INTERNET
permit ip <REMOTE LAN SUBNET> any
!
ip policy-class PRIVATE
allow list VPN-TO-REMOTE stateless
!
no ip policy-class PUBLIC rpf-check
ip policy-class PUBLIC
allow list VPN-FROM-REMOTE stateless
nat source list VPN-REMOTE-INTERNET address <WAN IP address>
Please do not hesitate to let us know if you have any further questions or issues.
Thanks,
Noor
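Added example, not part of Noor's answer or any Adtran software: a small Python model of the four ACLs and two policy classes in the configuration above, so you can check on a workstation which entry a given flow hits before committing it to the router. It uses constructed sample prefixes in place of the <LOCAL LAN SUBNET>, <REMOTE LAN SUBNET> and <WAN IP address> placeholders, and it models policy-class evaluation as simple first-match over src/dst prefix pairs, which is a simplification of the real AOS firewall pipeline (the branch-site configuration is not on this page and is not modelled).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values standing in for the placeholders in the post.
# All three are documentation/example ranges, not real deployments.
LOCAL_LAN = ipaddress.ip_network("10.1.0.0/24")    # <LOCAL LAN SUBNET> (central site)
REMOTE_LAN = ipaddress.ip_network("10.2.0.0/24")   # <REMOTE LAN SUBNET> (branch)
WAN_IP = ipaddress.ip_address("203.0.113.10")      # <WAN IP address> (TEST-NET-3)
ANY = ipaddress.ip_network("0.0.0.0/0")            # the "any" keyword


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip <src> <dst>' line of an extended ACL."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# The four extended ACLs from the post, expressed as src/dst prefix pairs.
ACLS = {
    "VPN-SELECTORS": [AclEntry(ANY, REMOTE_LAN)],        # referenced by the crypto map
    "VPN-TO-REMOTE": [AclEntry(LOCAL_LAN, REMOTE_LAN)],
    "VPN-FROM-REMOTE": [AclEntry(REMOTE_LAN, LOCAL_LAN)],
    "VPN-REMOTE-INTERNET": [AclEntry(REMOTE_LAN, ANY)],
}

# Policy classes as ordered (action, acl) entries. Hypothetical first-match model:
# the real AOS firewall has more stages, but the ordering here follows the post.
POLICY = {
    "PRIVATE": [("allow", "VPN-TO-REMOTE")],
    "PUBLIC": [("allow", "VPN-FROM-REMOTE"), ("nat", "VPN-REMOTE-INTERNET")],
}


def acl_matches(name, src, dst):
    """True if any entry of the named ACL permits the src -> dst pair."""
    return any(src in e.src and dst in e.dst for e in ACLS[name])


def evaluate(ingress_class, src, dst):
    """Return (action, acl, translated_source) for a flow entering the given class.

    'no-match' means none of the entries added by the post apply; the router's
    pre-existing policy (e.g. its normal internet NAT rule) would decide instead.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, acl in POLICY[ingress_class]:
        if acl_matches(acl, src, dst):
            if action == "nat":
                return ("nat", acl, str(WAN_IP))   # source NAT to the WAN address
            return ("allow", acl, None)
    return ("no-match", None, None)


def enters_tunnel(src, dst):
    """True if the crypto selector ACL would send src -> dst into the VPN."""
    return acl_matches("VPN-SELECTORS", ipaddress.ip_address(src), ipaddress.ip_address(dst))


def return_path_in_tunnel(src, dst):
    """Check that reply traffic (dst -> src) for a branch-originated flow is
    captured by the selector, i.e. the 'any -> remote' selector covers replies
    from arbitrary internet hosts after the WAN NAT is undone."""
    return enters_tunnel(dst, src)


if __name__ == "__main__":
    flows = [
        ("PRIVATE", "10.1.0.5", "10.2.0.7"),       # central LAN -> branch LAN
        ("PUBLIC", "10.2.0.7", "10.1.0.5"),        # branch LAN -> central LAN (via tunnel)
        ("PUBLIC", "10.2.0.7", "198.51.100.1"),    # branch LAN -> internet (hairpin + NAT)
        ("PRIVATE", "10.1.0.5", "198.51.100.1"),   # central LAN -> internet (not in post)
    ]
    for cls, s, d in flows:
        print(cls, s, "->", d, evaluate(cls, s, d),
              "return via tunnel:", return_path_in_tunnel(s, d))
```

Two things the model makes visible: the branch-to-internet flow arrives on the PUBLIC class (it comes out of the tunnel on the WAN interface), which is why the post disables rpf-check on PUBLIC and places the NAT rule there rather than on PRIVATE; and the selector is deliberately "any -> remote" rather than "local -> remote", because the reply from an internet host is addressed to the branch subnet after NAT is reversed and must be steered back into the tunnel.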
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor
That looks genius. I'll give it a go when I get a chance to set up my bench router.
Thanks