05-29-2013 12:49 PM - edited 03-04-2019 08:03 PM
Hi,
I have a connection to the remote site over VPN,
and I need to allow any traffic from my inside network to address 172.16.1.1. All other traffic needs to go over VPN (other side of VPN: 192.160.20.0).
interface GigabitEthernet0/0
ip address A.B.C.D 255.255.255.252
duplex auto
ip nat outside
speed auto
crypto map VPN_site
!
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
!
ip forward-protocol nd
!
ip nat pool IzlazTerminali interface GigabitEthernet 0/0
ip nat inside source list out_1 pool EXIT overload
!
ip route 0.0.0.0 0.0.0.0 A.B.C.D1
!
ip access-list extended VPN_site
permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.20.255
permit ip 192.168.1.0 0.0.0.255 host .x.x.x.x
ip access-list extended out_1
permit ip 192.168.1.0 0.0.0.255 host 172.16.1.1
But now there is no access to the internet via VPN!!!
05-29-2013 01:22 PM
Hi Aleksandar,
It depends on how your crypto map is configured.
All interesting traffic destined to 192.168.20.0 should go via VPN and the rest of the traffic has to go via 172.16.1.1, which is probably your internet GW, right?
Please provide VPN configuration or whole config of ASA.
crypto map mymap 10 match address 101
access-list 101 permit ip 192.169.1.0 0.0.0.255 192.168.20.0 0.0.15.255
Also, your wildcard mask is a little bit interesting: 0.0.20.255
Thanks.
Best Regards,
Jan
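An added example, not part of any post in this thread: a small Python check of what the two wildcard masks mentioned above (0.0.20.255 and 0.0.15.255) actually select when applied to 192.168.20.0, using the IOS rule that a 1 bit in the wildcard means "ignore this bit". The function names are hypothetical helpers.

```python
import ipaddress

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_is_contiguous(wildcard):
    """True when the wildcard is a plain inverse netmask (0...01...1)."""
    w = _to_int(wildcard)
    return (w & (w + 1)) == 0

def acl_matches(base, wildcard, addr):
    """IOS-style match: compare only the bits where the wildcard is 0."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def matched_blocks(base, wildcard):
    """Return the CIDR blocks selected by base + wildcard, as strings."""
    w = _to_int(wildcard)
    fixed = _to_int(base) & ~w & 0xFFFFFFFF
    # The trailing run of 1 bits behaves like ordinary host bits.
    trailing = 0
    while trailing < 32 and (w >> trailing) & 1:
        trailing += 1
    # Any remaining 1 bits are "holes" above the host part; each
    # combination of them selects a separate block.
    high = (w >> trailing) << trailing
    nets, sub = [], high
    while True:
        nets.append(ipaddress.IPv4Network((fixed | sub, 32 - trailing)))
        if sub == 0:
            break
        sub = (sub - 1) & high  # next subset of the hole bits
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    # Values taken from the thread's access lists.
    for wc in ("0.0.20.255", "0.0.15.255"):
        print(wc, "contiguous:", wildcard_is_contiguous(wc),
              "->", matched_blocks("192.168.20.0", wc))
```

A non-contiguous wildcard in a crypto ACL makes the set of encrypted destinations hard to read from the config, and the same ACL has to be mirrored on the peer for the tunnel to come up.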
05-29-2013 01:35 PM
Can he just use a static route to point all 192.168.20.0 network to the next hop (172.16.1.1) and then forward all normal traffic (0.0.0.0) to the GW?
That is, unless he wants all traffic inspected by the other end in regards to the firewall and such. But we don't know much other than vague details. (Are we even sure the crypto map is working and associating past phase 1 and 2?)
05-30-2013 12:29 AM
My crypto map allows all traffic from my inside network to my remote office.
But when they want to go to a specific address, I want them to have direct access to the internet and not via VPN.
05-30-2013 03:56 AM
Hi Aleksandar,
I am not sure what you mean.
If your crypto map matches interesting traffic, it is sent via the VPN tunnel. And you say that it is so.
So if somebody wants to contact the 192.168.20.0 network, it goes via VPN. The rest of the traffic should go via the default GW.
Please provide more details for investigation.
This discussion should be moved to VPN
Best Regards,
Jan