NAT - VPN - routing

acazarkov (Level 1)

Hi,

I have a connection to the remote site over a VPN,

and I need to allow any traffic from my inside network to the address 172.16.1.1. All other traffic needs to go over the VPN (other side of the VPN: 192.160.20.0).

interface GigabitEthernet0/0
 ip address A.B.C.D 255.255.255.252
 duplex auto
 ip nat outside
 speed auto
 crypto map VPN_site
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip nat pool IzlazTerminali interface GigabitEthernet 0/0
ip nat inside source list out_1 pool EXIT overload
!
ip route 0.0.0.0 0.0.0.0 A.B.C.D1
!
ip access-list extended VPN_site
 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.20.255
 permit ip 192.168.1.0 0.0.0.255 host x.x.x.x
ip access-list extended out_1
 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.1

But now there is no access to the internet via the VPN!


Jan Rolny (Level 3)

Hi Aleksandar,

It depends on how your crypto map is configured.

All interesting traffic destined to 192.168.20.0 should go via the VPN, and the rest of the traffic has to go via 172.16.1.1, which is probably your internet GW, right?

Please provide the VPN configuration or the whole config of the ASA.

crypto map mymap 10 match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255

Also, your wildcard mask 0.0.20.255 is a little bit interesting.

Thanks.

Best Regards,

Jan

Can he just use a static route to point the whole 192.168.20.0 network to the next hop (172.16.1.1) and then forward all normal traffic (0.0.0.0) to the GW?

That is, unless he wants all traffic inspected by the other end with regard to the firewall and such. But we don't know much other than vague details. (Are we even sure the crypto map is working and associating past phase 1 and 2?)

My crypto map allows all traffic from my inside network to my remote office.

But I want that, when they go to one specific address, they have direct access to the internet and not via the VPN.
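The following is an added example from the editor, not the poster's configuration or a reply from the thread. It shows the split the poster describes in the original post and in the clarification above: everything from the LAN goes through the tunnel except traffic to 172.16.1.1, which leaves the outside interface NATed. Assumptions: the LAN is 192.168.1.0/24 behind Gi0/1, the crypto map really matches the whole LAN (modelled here as `permit ... any`, since the poster says the map allows all traffic from the inside network), the names VPN_site and out_1 are the ones in the posted config, and A.B.C.D1 is the ISP next hop as posted.

```cisco
! Added example, not the poster's configuration (assumptions: LAN is
! 192.168.1.0/24 on Gi0/1, the tunnel carries everything from the LAN
! except traffic to 172.16.1.1, ACL names as posted).
!
! Crypto ACL. In a crypto ACL a deny entry means "do not protect this,
! send it in the clear". The first matching entry wins, so the deny has
! to sit above the permit.
ip access-list extended VPN_site
 deny   ip 192.168.1.0 0.0.0.255 host 172.16.1.1
 permit ip 192.168.1.0 0.0.0.255 any
!
! NAT ACL. On IOS an inside-to-outside packet is translated before the
! crypto map is evaluated, so anything this list permits would show up
! at the crypto map with the outside address as its source and no longer
! match VPN_site. Keeping the permit this narrow is what leaves tunnel
! traffic untouched; the implicit deny covers 192.168.20.0/24 and the rest.
ip access-list extended out_1
 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.1
!
! PAT on the outside interface address instead of a named pool. The
! posted "ip nat pool ... interface" line is not valid IOS syntax, and
! the posted rule referenced a pool called EXIT that was never defined.
ip nat inside source list out_1 interface GigabitEthernet0/0 overload
!
! The default route stays as posted: both the NATed bypass flow and the
! ESP packets of the tunnel itself leave via the ISP next hop.
ip route 0.0.0.0 0.0.0.0 A.B.C.D1
!
! Checks after applying: a ping from the LAN to 172.16.1.1 should create
! a translation and must not move the IPsec encaps counter; a flow to
! 192.168.20.0/24 should do the opposite.
! show ip nat translations
! show crypto ipsec sa | include encaps|decaps
! show crypto session
```

Two caveats a practitioner will run into. First, the remote peer's crypto ACL has to mirror this one (`permit ip any 192.168.1.0 0.0.0.255`, or whatever subset the remote side is willing to accept), and if the internet is meant to be reached "via the VPN" the remote site must itself NAT 192.168.1.0/24 on its outside interface; the deny added here only decides what this router sends in the clear, it does not give the LAN an internet path on its own beyond 172.16.1.1. Second, a non-contiguous wildcard such as the posted 0.0.20.255 matches 192.168.0.0/24, 192.168.4.0/24, 192.168.16.0/24 and 192.168.20.0/24 rather than one /24, so use 0.0.0.255 if the tunnel is meant for the single remote subnet instead of `any`.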


Hi Aleksandar,

I am not sure what you mean.

If your crypto map matches the interesting traffic, it is sent via the VPN tunnel. And you say that it is so.

So if somebody wants to contact the 192.168.20.0 network, it goes via the VPN. The rest of the traffic should go via the default GW.

Please provide more details for investigation.

This discussion should be moved to VPN.

Best Regards,

Jan
