If you could send configs, that would be awesome. From your explanation, it sounds kind of like what I had in mind.
My thoughts on traffic flow would go something like this...
- inbound traffic to an internal server would flow through an internal interface, going around the IPEP.
- outbound internet destined traffic would also go around the IPEP to the internal ASA interface.
- outbound VPN traffic (returning to the VPN client) would be routed to the IPEP.
- my confusion is in regard to traffic coming from the VPN client. If traffic to an internal server goes through the internal interface, how do we force the client to redirect to posture? Also, traffic then going to the server will be asymmetrically routed back through the IPEP...
I suppose I just need to see a config to understand. Look forward to your next post and thanks much!!!
Sorry, for some reason I didn't see this reply/question.
We did find a solution, and PBR was not it. That might have worked for other situations, and possibly ours if we had time to really map it out.
But what we ended up doing, was creating sub-interfaces on the ASA, for our INSIDE, ISE, and another internal VLAN.
So now all our normal firewall traffic flows across the INSIDE sub-interface and the VPN/ISE traffic flows across the ISE sub-interface.
Would be happy to share our configs if you wish.
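As an added illustration of the sub-interface layout described in the reply above (this is not the poster's config, which is not on the page; VLAN IDs, addresses and interface names are constructed placeholders), the ASA side would look roughly like this: one physical inside port carrying two 802.1Q sub-interfaces, one for normal inside traffic and one for the segment where the ISE inline posture node sits.

```text
! Physical port becomes a pure trunk; no nameif/address on it
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
! Sub-interface for normal firewall traffic (VLAN 10 is a placeholder)
interface GigabitEthernet0/1.10
 vlan 10
 nameif INSIDE
 security-level 100
 ip address 10.1.10.1 255.255.255.0
!
! Sub-interface facing the IPEP / ISE segment (VLAN 20 is a placeholder)
interface GigabitEthernet0/1.20
 vlan 20
 nameif ISE
 security-level 100
 ip address 10.1.20.1 255.255.255.0
!
! Sub-interface for another internal VLAN (VLAN 30 is a placeholder)
interface GigabitEthernet0/1.30
 vlan 30
 nameif INTERNAL2
 security-level 100
 ip address 10.1.30.1 255.255.255.0
!
! Needed if VPN-user flows enter on one 100-security sub-interface and
! leave on another (e.g. ISE -> INSIDE) rather than being hairpinned
same-security-traffic permit inter-interface
```

The static routes that decide which sub-interface each flow actually uses (inside server networks, the VPN address pool, and the IPEP's untrusted-side address as a next hop) are the site-specific part and are deliberately not shown here. When checking whether a design avoids the asymmetric-routing problem raised in this thread, `show route` confirms the path the ASA will pick, `show conn` shows which interface pair each connection was built on, and a rising count of flow-related drops in `show asp drop` is the usual sign that return traffic is arriving on an interface the connection table does not expect.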
This solution will not work if you plan on adding internet firewall services for the VPN users. I ran into the same issue, and in my lab I run WCCP so the inet traffic is proxied. Basically you run into issues with symmetric routing and the connection table being out of sync if you route all traffic through the IPEP and then inet traffic out the same firewall.