Relay traffic out same interface

greggeesaman
Level 1

Is it possible to relay traffic out of the same interface?  For instance we have a computer on the Internet that only is accessible from our network.  I'd like users to connect to our network, look at the ACL, and then connect to the remote computer.  So basically I'm going right back out the same interface.  VPN->outside interface->Internet.  I'd still want split tunneling to be enabled and have this apply to only a specific IP or subnet.   Is this possible?

7 Replies

Julio Carvajal
VIP Alumni

Hello Greg,

So you are looking for the U-turning traffic feature.

All you need to allow packets to go to an interface and then go back the same interface is the same security permit command.

Regards,

Do rate helpful posts!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the reply.

I issued the same-security-traffic permit intra-interface command on my outside interface and gave the VPN client a static route for the IP telling it send traffic over the VPN, but I'm not able to connect.  Is this the correct command and the correct way to issue it?

I found this article on Cisco's site:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

Hello Greg,

Please provide the following packet tracer

-packet-tracer input outside tcp x.x.x.x (vpn client ip) 1025 4.2.2.2 80

Can you provide the VPN configuration as well? (I want to see the tunnel-group and group-policy configuration!)

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

This is the packet tracer result:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I can see the traffic coming from the VPN client to the IP, so the route is working.  I get a teardown and built message in the log, but nothing saying the traffic is denied.

I think this info should cover what you're looking for:

group-policy GroupPolicy_ZSSL attributes
 wins-server none
 dns-server value 192.168.1.8 192.168.1.47
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value company.com
 webvpn
  anyconnect profiles value ZSSL_client_profile type user
username company password xxxxxxxxxxxxxx encrypted privilege 15
tunnel-group companyVPN type remote-access
tunnel-group companyVPN general-attributes
 address-pool VPNPool
 authentication-server-group MicrosoftIAS LOCAL
 accounting-server-group MicrosoftIAS
 default-group-policy companyVPN
 password-management
tunnel-group companyVPN ipsec-attributes
 ikev1 pre-shared-key *****

Hello Greg,

Please add the following

nat (outside) 1 x.x.x.x (VPN IPSEC client pool)
global (outside) 1 interface

Then give it a try!

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sorry, I didn't get to this yesterday.

Adding the NAT statement above gives me the error:

ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.

I'm running an ASA 5510 with 8.4(3); I guess I need to figure out the format that it will accept.

Hello Greg,

object network Ipsec_client
 subnet 192.168.12.0 255.255.255.0
nat (outside,outside) source dynamic Ipsec_client interface

Do rate helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
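Putting the pieces from this thread together, the following is an added example of an ASA 8.4-style configuration for the hairpin described above; it is not taken from the posts. The VPN pool 192.168.12.0/24, the internal 192.168.1.0/24 network and the group-policy name follow the thread; 203.0.113.10 is a placeholder for the Internet host, and the object names and the "destination static" clause (which scopes the NAT to that one host instead of every hairpinned flow) are assumptions of this example.

```cisco
! Let traffic that enters on outside leave via outside (U-turn / hairpin).
same-security-traffic permit intra-interface

! Placeholder pool; use the pool actually handed to the VPN clients.
ip local pool VPNPool 192.168.12.1-192.168.12.254 mask 255.255.255.0

object network VPN_POOL
 subnet 192.168.12.0 255.255.255.0
object network REMOTE_HOST
 host 203.0.113.10

! Translate hairpinned VPN-client traffic to the outside interface address,
! but only when it is headed for the one permitted remote host.
nat (outside,outside) source dynamic VPN_POOL interface destination static REMOTE_HOST REMOTE_HOST

! Split tunnel: only the remote host and the internal LAN go through the VPN.
access-list SPLIT_TUNNEL standard permit host 203.0.113.10
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy GroupPolicy_ZSSL attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Decrypted VPN traffic bypasses the outside interface ACL only while the
! default "sysopt connection permit-vpn" is in place; check it is still set.
```

After a client reconnects, "show nat" should show translate hits on the (outside,outside) rule for a connection to the remote host, and "show xlate" the resulting translation to the interface address.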