cisco asa redirect traffic on public IP to host behind vpn

mohitvicky
Level 1

I have a VPN connection on my Cisco ASA 5510 device.

Trying to do the following:

1) Redirect all traffic coming from the VPN tunnel on the encryption domain (202.x.x.1) of the VPN connection to an internet host (like example.com)

VPN tunnel ==> encryption domain (202.x.x.1) ==> example.com

2) Redirect traffic coming on the second public IP (202.x.x.2) from the internet to a host behind the VPN (private IP 10.x.x.1)

Internet ==> my public IP (202.x.x.2) ==> VPN tunnel ==> host behind VPN (10.x.x.1)

Is this possible to achieve? If yes, kindly share how.

Thanks in advance.

5 Replies

Hi Mohit,

As per your statements it seems you have two interfaces connected to the internet.

1. To allow traffic from the VPN connection (via 202.x.x.1) to example.com you need to add a static route for example.com through 202.x.x.2. You can also achieve the same if you enable split tunneling for VPN connections on the ASA 5510. Then traffic for the internet will not come to the ASA 5510; it will be sent through the remote user's internet connection.

2. For the 2nd scenario you can achieve it by adding an access-list on the second internet interface to allow traffic from the second internet connection to the VPN connection pool.

Hi

No, I don't have 2 interfaces connected to the internet.

It's only 1 interface (outside) connected to the internet, with 1 static public IP + a public address pool x.x.x.x/28.

And I cannot use split tunnelling because the host behind the VPN doesn't have internet (blocked by partner). So the only way to reach it is via my firewall.

I hope the scenario is clear.

Where have you configured the two public IPs 202.x.x.1 and 202.x.x.2?

Can you share a diagram?

Also please check if "same-security-traffic permit intra-interface" is enabled on your firewall.
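The check asked for in the reply above, as an added example that is not part of the thread: a small Python script that parses a saved `show running-config` and reports whether the same-security-traffic statements that hairpinned (U-turn) traffic depends on are present. The sample config, interface names and function names are constructed for the example.

```python
"""Check a saved ASA 'show running-config' for the same-security-traffic
statements that hairpinned (U-turn) traffic depends on."""
import re
# Constructed sample of a trimmed ASA running-config, not a real device.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
interface Ethernet0/2
 nameif dmz
 security-level 0
!
same-security-traffic permit inter-interface
"""

def parse_interfaces(config):
    """Return {nameif: security_level} for every named interface block."""
    levels, current = {}, None
    for line in config.splitlines():
        if line.startswith("!"):  # '!' closes the current interface block
            current = None
        m = re.match(r"^\s+nameif\s+(\S+)", line)
        if m:
            current = m.group(1)
            levels[current] = None  # level filled in by the next line
        m = re.match(r"^\s+security-level\s+(\d+)", line)
        if m and current:
            levels[current] = int(m.group(1))
    return levels

def hairpin_check(config, ingress, egress):
    """(permitted, reason) for ingress->egress, judged only by same-security-traffic."""
    levels = parse_interfaces(config)
    if ingress not in levels or egress not in levels:
        return False, "unknown interface name"
    if ingress == egress:  # true U-turn: in and out the same interface
        kind = "intra"
    elif levels[ingress] == levels[egress]:
        kind = "inter"
    else:
        return True, "different security levels; not governed by this statement"
    stmt = f"same-security-traffic permit {kind}-interface"
    if re.search(rf"^{stmt}\s*$", config, re.M):
        return True, stmt + " present"
    return False, stmt + " missing"
```

ACLs, NAT and routing are not evaluated; the script only answers whether the hairpin would be rejected by the same-security-traffic rule before those are even consulted.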

Hi

I've attached a simple diagram [excuse my drawing skills :) ]

So the goal is to establish a tunnel with peer IPs 165.x.x.146 <==> 212.x.x.123

The encryption domain IP (or source IP) on the Cisco ASA side will be 203.x.x.143.

10.x.x.70 will send traffic to 203.x.x.134, which should be forwarded to 54.x.x.168 on the internet.

Please note 10.x.x.70 does not have internet connectivity; it can send traffic only to 203.x.x.143 via the IPsec tunnel.
