09-29-2008 12:51 PM - edited 03-11-2019 06:50 AM
Right now, I have a PIX that tunnels back to another network for only certain private subnets. For all other traffic, they go straight out to the web. I want to force that other non-VPN traffic to go to one public address only.
I would like to do this after the VPN connection is established, so I know a simple route will not work.
Your help is appreciated.
09-29-2008 10:05 PM
With a router you could do it through PBR (policy-based routing), but this feature is not available on the ASA or PIX.
But what you can do is:
In your VPN ACL and no-NAT (nat 0), include only the IPs or networks that need to use the VPN tunnel.
On your NATing or PATing to the internet, deny the traffic going from your site to the remote site through an extended ACL, then permit any.
This way you will NAT/PAT all other traffic to the internet.
Good luck.
If helpful, rate.
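The procedure above, written out as a PIX configuration fragment. This is an added example, not configuration from the thread or from Cisco: it reuses the names from the poster's config (LOCALNET, ElginInternal, HESNET, CCVPNNET, IndyInternal), assumes a hypothetical ACL name inside_pat_acl, and uses the placeholder public address 203.0.113.10, which you would replace with the real address your ISP assigned. Whether deny ACEs in a NAT access-list are honoured depends on the PIX/ASA software version, so confirm the result on your own unit with show nat and show xlate after applying it.

```cisco
! Added example, not from the original thread. Names LOCALNET, ElginInternal, HESNET,
! CCVPNNET and IndyInternal come from the poster's config; inside_pat_acl is a made-up
! ACL name and 203.0.113.10 is a placeholder for the single public address you want to use.
!
! 1. NAT exemption (nat 0) covers only the subnets that must ride the VPN tunnel.
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 ElginInternal 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 HESNET 255.252.0.0
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 CCVPNNET 255.252.0.0
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 IndyInternal 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
!
! 2. Policy NAT ACL: deny the VPN destinations first, then permit everything else.
!    Traffic that matches a deny line is never translated by this nat statement.
access-list inside_pat_acl extended deny ip LOCALNET 255.255.255.0 ElginInternal 255.255.255.0
access-list inside_pat_acl extended deny ip LOCALNET 255.255.255.0 HESNET 255.252.0.0
access-list inside_pat_acl extended deny ip LOCALNET 255.255.255.0 CCVPNNET 255.252.0.0
access-list inside_pat_acl extended deny ip LOCALNET 255.255.255.0 IndyInternal 255.255.255.0
access-list inside_pat_acl extended permit ip LOCALNET 255.255.255.0 any
!
! 3. Replace the catch-all PAT to the interface address with PAT to one fixed public
!    address, and tie the nat statement to the policy ACL instead of 0.0.0.0 0.0.0.0.
no nat (inside) 1 0.0.0.0 0.0.0.0
no global (outside) 1 interface
global (outside) 1 203.0.113.10
nat (inside) 1 access-list inside_pat_acl
!
! Verify: VPN-bound flows should show no translation, internet-bound flows should
! translate to 203.0.113.10.
show nat
show xlate
```

The order of the last block matters on a PIX: remove the existing nat and global statements before adding the replacements, otherwise the old catch-all entry keeps matching first. Keep the permit line at the bottom of inside_pat_acl, since a permit above the deny lines would send tunnel traffic to the PAT address and break the VPN.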
09-30-2008 08:05 AM
Below is what I am currently doing from an ACL standpoint. Can you give me a config example on what I need to change/add?
access-list outside_access_in extended permit icmp any any
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 ElginInternal 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 HESNET 255.252.0.0
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 CCVPNNET 255.252.0.0
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 IndyInternal 255.255.255.0
access-list outside_cryptomap_20 remark Tunnel to Elgin
access-list outside_cryptomap_20 extended permit ip LOCALNET 255.255.255.0 ElginInternal 255.255.255.0
access-list outside_cryptomap_20 remark Tunnel to HES
access-list outside_cryptomap_20 extended permit ip LOCALNET 255.255.255.0 HESNET 255.252.0.0
access-list outside_cryptomap_20 remark Tunnel to CCVPN Sites
access-list outside_cryptomap_20 extended permit ip LOCALNET 255.255.255.0 CCVPNNET 255.252.0.0
access-list outside_cryptomap_20 remark Tunnel to Indy
access-list outside_cryptomap_20 extended permit ip LOCALNET 255.255.255.0 IndyInternal 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0