Routing IPsec traffic through main internet connection

Started by zackburf, December 11, 2017, 08:40:47 AM


zackburf

Good morning. We have a Juniper firewall provided by our ISP and then we also have a Cisco ASA that runs beside it on its own public IP that we are wanting to move the IPsec connections over to. My issue is that when I set up the IPsec tunnel, access to the LAN works fine but anyone connecting through the tunnel has issues connecting to the internet. Is there a way to tunnel users in through the Cisco ASA and then have them use our Juniper firewall for all internet traffic?


deanwebb

Split tunneling will do that, but that's also a huge security risk.

This is where I ask about the "why" behind this arrangement. The Juniper can do IPSec, the ASA can do Internet, so why split out the functions and create this complexity?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

zackburf

We do not manage the Juniper and are wanting to slowly phase everything off of it to our Cisco. We are turning up a new site and want this to be the first one we phase over.

deanwebb

Quote from: zackburf on December 11, 2017, 09:01:27 AM
We do not manage the Juniper and are wanting to slowly phase everything off of it to our Cisco. We are turning up a new site and want this to be the first one we phase over.
So this begs the question, why not just cut everything over or put the ASA inline behind the Juniper, where you can permit tunneling traffic on the Juniper to allow it to pass through the ASA? Sorry if you've already gone over this at work, but I wasn't in that meeting, so I'll need to catch up on things. :)

wintermute000

This is a routing question. Need to understand your topology and routing design.

Do you want users at remote sites to hairpin through the central site for internet?
If yes then you need to fix your routing. Esp. the default route. Typically to avoid default route clashing you'd use a front VRF design.
If no then as Dean says you need to fix your branch routing so the branches use their local internet and not the tunnel for 0.0.0.0.
The branch FW would then use a specific route to reach the tunnel endpoints but leave the default route out the normal internet.
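The three branch routing tables wintermute000 describes (hairpin everything through the central site, a default route that swallows the tunnel endpoint itself, and local internet breakout with a specific route to the endpoint) can be checked with a small longest-prefix-match walk-through. This is an added example, not configuration from the thread or from either vendor; every address in it (branch LAN 10.20.0.0/16, central LAN 10.10.0.0/16, branch ISP gateway 198.51.100.1, central-site tunnel endpoint 203.0.113.10) is a constructed placeholder.

```python
import ipaddress

# Constructed addressing (hypothetical, not from the thread).
ISP = "isp 198.51.100.1"          # branch's local internet gateway
TUNNEL_ENDPOINT = "203.0.113.10"  # public IP of the central-site VPN peer

def lookup(table, dst):
    """Longest-prefix match over (prefix, next-hop) pairs; None if no route."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None

def egress(table, dst):
    """Where a packet to dst leaves the branch. Traffic destined for the tunnel
    is only deliverable if the tunnel endpoint itself is reachable outside the
    tunnel; otherwise the default route 'clashes' and nothing gets encapsulated."""
    via = lookup(table, dst)
    if via == "tunnel" and lookup(table, TUNNEL_ENDPOINT) != ISP:
        return "unroutable: tunnel endpoint routed into the tunnel"
    return via

# Hairpin design: everything (including internet) goes via the central site,
# so the tunnel endpoint needs its own more-specific route out the ISP.
BRANCH_HAIRPIN = [
    ("10.10.0.0/16", "tunnel"),
    (TUNNEL_ENDPOINT + "/32", ISP),
    ("0.0.0.0/0", "tunnel"),
]

# Broken hairpin: the /32 for the endpoint is missing, so the default route
# sends the tunnel's own outer packets back into the tunnel.
BRANCH_BROKEN = [
    ("10.10.0.0/16", "tunnel"),
    ("0.0.0.0/0", "tunnel"),
]

# Local breakout: remote LAN via the tunnel, everything else via the local ISP.
BRANCH_LOCAL_BREAKOUT = [
    ("10.10.0.0/16", "tunnel"),
    (TUNNEL_ENDPOINT + "/32", ISP),
    ("0.0.0.0/0", ISP),
]

if __name__ == "__main__":
    for name, table in [("hairpin", BRANCH_HAIRPIN), ("broken", BRANCH_BROKEN),
                        ("local breakout", BRANCH_LOCAL_BREAKOUT)]:
        print(name, "LAN ->", egress(table, "10.10.1.1"),
              "| internet ->", egress(table, "192.0.2.50"))
```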