Thank you for asking this question in the support community. Is there any additional information you can provide? From the input you provided I think the setup is as follows:
Site A ---- VPN ---- Site B ---- Internet
You want Site A to send all Internet traffic over the VPN to Site B's Internet connection? Please, let me know if this is correct, and I will be happy to provide some suggestions for you.
Levi
Yes Levi this is what I would like to accomplish
This application is often called "Central Traffic Policing VPN." This is when remote sites are required to send their Internet traffic through a central site before accessing the Internet. Review the Configuring a VPN Using Main Mode in AOS guide for reference on how to set up a VPN. However, with this application, the setup is the same as a standard VPN, except the VPN Selectors are different. The VPN selectors need to reflect the destination as "any" because it is going to be routed to the public Internet, and the true destination address is unknown. Here is an example configuration of this portion of the VPN (the remote site's LAN subnet is 10.1.1.0/24):
Central Site Configuration:
ip access-list extended VPN-TO-REMOTE
permit ip any 10.1.1.0 0.0.0.255
!
ip policy-class Private
allow list VPN-TO-REMOTE stateless
!
ip policy-class Public
allow reverse list VPN-TO-REMOTE stateless
Remote Site Configuration:
ip access-list extended VPN-TO-MAIN
permit ip 10.1.1.0 0.0.0.255 any
!
ip policy-class Private
allow list VPN-TO-MAIN stateless
!
ip policy-class Public
allow reverse list VPN-TO-MAIN stateless
I hope that makes sense, but please do not hesitate to reply to this post with any additional questions. I will be happy to help in any way I can.
Levi
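The most common reason a tunnel like this never comes up (or comes up but passes no Internet-bound traffic) is that the two sides' selectors are not exact mirrors of each other, or a policy-class refers to an access-list name that was mistyped. The script below is an added example, not part of the post above or of ADTRAN's AOS; it parses only the small subset of AOS syntax shown in the post ("ip access-list extended", "permit/deny ip <src> <dst>" with "any", "host" or address/wildcard pairs, and "allow [reverse] list <name>") and checks three things: every list named in a policy-class is defined, each central-site entry is the source/destination mirror of the matching remote-site entry, and the remote side's destination is "any" as the post requires for central traffic policing. The sample configs are copied from the post; the broken remote config is constructed to show what a failing check looks like.

```python
"""Consistency check for central-traffic-policing VPN selectors (added example).

Assumed, not from the post: configs are parsed only as far as
'ip access-list extended <name>' blocks holding 'permit|deny ip <src> <dst>'
lines (addresses as 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD') and
'allow [reverse] list <name> ...' lines inside policy-classes.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Sample input: the two configs exactly as given in the post.
CENTRAL_CFG = """
ip access-list extended VPN-TO-REMOTE
permit ip any 10.1.1.0 0.0.0.255
!
ip policy-class Private
allow list VPN-TO-REMOTE stateless
!
ip policy-class Public
allow reverse list VPN-TO-REMOTE stateless
"""

REMOTE_CFG = """
ip access-list extended VPN-TO-MAIN
permit ip 10.1.1.0 0.0.0.255 any
!
ip policy-class Private
allow list VPN-TO-MAIN stateless
!
ip policy-class Public
allow reverse list VPN-TO-MAIN stateless
"""

# Constructed broken remote config: a mistyped list name in the policy-class
# and a selector that names a specific destination instead of 'any'.
BROKEN_REMOTE_CFG = """
ip access-list extended VPN-TO-MAIN
permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
!
ip policy-class Private
allow list VPN-TO-MIAN stateless
"""


def wildcard_to_network(addr, wildcard):
    """Convert 'A.B.C.D WILDCARD' (Cisco-style inverse mask) to an ip_network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    bits = f"{mask:032b}"
    # A usable selector needs a contiguous netmask, i.e. no 0 followed by a 1.
    if "01" in bits:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{bits.count('1')}", strict=False)


def _take_addr(tokens):
    """Consume one address spec from the token list, returning (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_access_lists(cfg):
    """Return {list_name: [(action, proto, src_net, dst_net), ...]}."""
    lists, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list extended "):
            current = line.split()[-1]
            lists[current] = []
        elif current and line.startswith(("permit ", "deny ")):
            action, proto, *rest = line.split()
            src, rest = _take_addr(rest)
            dst, _ = _take_addr(rest)
            lists[current].append((action, proto, src, dst))
        elif line == "!":
            current = None  # end of the current block
    return lists


def referenced_lists(cfg):
    """Names used by 'allow [reverse] list <name>' lines in policy-classes."""
    names = set()
    for raw in cfg.splitlines():
        tok = raw.split()
        if tok[:1] == ["allow"] and "list" in tok:
            names.add(tok[tok.index("list") + 1])
    return names


def check_central_policing_pair(central_cfg, remote_cfg, central_list, remote_list):
    """Return a list of problem strings; an empty list means the sides line up."""
    problems = []
    for label, cfg in (("central", central_cfg), ("remote", remote_cfg)):
        missing = referenced_lists(cfg) - set(parse_access_lists(cfg))
        if missing:
            problems.append(f"{label}: policy-class references undefined list(s) {sorted(missing)}")
    central = parse_access_lists(central_cfg)[central_list]
    remote = parse_access_lists(remote_cfg)[remote_list]
    if len(central) != len(remote):
        problems.append(f"entry count differs: central {len(central)} vs remote {len(remote)}")
    for (_, _, cs, cd), (_, _, rs, rd) in zip(central, remote):
        # Phase 2 selectors must be exact mirrors: central src/dst == remote dst/src.
        if (cs, cd) != (rd, rs):
            problems.append(f"central {cs}->{cd} is not the mirror of remote {rs}->{rd}")
        # For central traffic policing the remote destination has to be 'any'.
        if rd != ANY:
            problems.append(f"remote destination {rd} is not 'any'; Internet-bound traffic will not match the tunnel")
    return problems


if __name__ == "__main__":
    print(check_central_policing_pair(CENTRAL_CFG, REMOTE_CFG, "VPN-TO-REMOTE", "VPN-TO-MAIN"))
    print(check_central_policing_pair(CENTRAL_CFG, BROKEN_REMOTE_CFG, "VPN-TO-REMOTE", "VPN-TO-MAIN"))
```

Run against the post's own configs the checker returns an empty list; against the constructed broken remote config it reports the mistyped list name, the non-mirrored selector, and the missing "any" destination. Extending it to the "ip policy-class" allow/reverse pairing on each side is straightforward, but the selector mirror is the check that most often saves a call to support.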
I went ahead and flagged this post as “Assumed Answered.” If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.
Levi
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor