12-18-2013 08:20 AM - edited 03-11-2019 08:20 PM
We already have ISE IPN on this ASA for our VPN users, but now we want to migrate it to be our Internet firewall as well.
The issue we have is that for the IPN to work, the 'inside' interface of the ASA and the 'outside' or 'untrusted' interface of the IPN have to be on the same network, so we set up two ports on the core switch to be their own VLAN. In this way any and all traffic travels through the IPN on its way to and from the ASA. It was explained to me that it had to be this way for the ISE/NAC posturing.
So right now we have static routes in the ASA: the default pointing to the 'outside' ASA interface, and then specific internal IPs routed through the 'inside' interface to the IPN to get to the internal network.
When I spoke with a Cisco tech the other day, they suggested using a 'tunneled' route that would force all the VPN traffic to use the default route to the IPN, and then I could set up all my other routes to the 'new-internal' interface, and that is how my non-VPN related traffic would get around.
I tried this approach yesterday, and as soon as I removed my big internal route, my VPN users complained that they lost internal connectivity.
Can anyone lend me some options here?
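As an added example (not the poster's running configuration), this is how the 'tunneled' default route described above sits beside the ordinary static routes on an ASA; the interface names 'outside', 'inside' and 'new-internal' are taken from the post, and all gateway addresses and the 10.0.0.0/8 prefix are placeholders.

```text
! Added example, not the poster's config. Addresses are placeholders.
!
! Ordinary default route for Internet-bound (non-VPN) traffic
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Tunneled default route toward the IPN's untrusted interface. The ASA uses it
! only for decrypted VPN traffic that matches no other static or learned route;
! it overrides other default routes for that traffic, not more-specific ones.
route inside 0.0.0.0 0.0.0.0 192.0.2.2 1 tunneled
!
! Specific internal prefix via the new interface (placeholder prefix). Because
! this is more specific than 0.0.0.0/0, decrypted VPN traffic to this prefix
! follows it too and bypasses the IPN, which matches the symptom in the post.
route new-internal 10.0.0.0 255.0.0.0 198.51.100.1 1
!
! Confirm which route each destination actually selects
show route
```

The practical check is that any internal prefix that must stay behind the IPN for VPN users cannot also be given a more-specific static route out 'new-internal'; 'tunneled' does not win against a longer prefix match.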