Cisco ASA VTI VPN route specific IP to outside

chrisbuchner
Level 1

Hi Experts,

I would like to know what would be the right config to reroute specific IP addresses to the outside for a subnet on the inside whilst having the rest of the traffic go over the VTI tunnel.

Currently all traffic is going over the VTI tunnel but there could come a day where a specific IP needs to break out directly over the local outside interface which is a static IP.

Currently I am using no ACLs etc., as all traffic is just routed over the IKEv2 VTI tunnel.

My best guess is to possibly have ACLs to allow the local subnet to go to the outside public IPs, set the routes for the public IPs/websites to the outside interface, and maybe a NAT? But I am not too sure what that would look like all together.

object network LAN
 subnet 10.0.0.0 255.255.255.0
object-group network Websites
 network-object 8.8.8.8 255.255.255.255
 network-object 123.123.123.123 255.255.255.255
 network-object 123.123.123.132 255.255.255.255
access-list inside_in extended permit tcp object LAN object-group Websites eq https
access-list inside_in extended permit tcp object LAN object-group Websites eq www
access-list inside_in extended permit icmp object LAN object-group Websites
access-list from_outside extended permit tcp object-group Websites object LAN eq https
access-list from_outside extended permit tcp object-group Websites object LAN eq www
access-list from_outside extended permit icmp object-group Websites object LAN

NAT????

Thanks for your assistance!


4 Replies

Use PBR here.

Only specific traffic will pass through the VTI.

Excellent, thanks for the pointer.

Might be a dumb question, but without NAT, how would the local subnet be allowed to reach the websites? Or do I add a general NAT, since it will only be used for the specific IPs going from inside to outside, and the rest will be un-NATed over the VTI?

Traffic passing through the VTI will not be NATed.

Only traffic going directly out will be NATed.

Last question: do I have to add NAT, or because of the policy map will it automatically be NATed based on the inside subnet in the policy going to the outside public IP?
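Putting the replies together, here is an added example of what the PBR-plus-NAT configuration looks like on an ASA (example config, not posted by anyone in this thread). The LAN and Websites objects are the ones from the question; the route-map and ACL names, the interface names inside/outside, the physical interface GigabitEthernet0/1 and the outside gateway 203.0.113.1 are assumptions and placeholders.

```cisco
! Objects from the question: the inside LAN and the hosts that should
! break out locally instead of going through the VTI.
object network LAN
 subnet 10.0.0.0 255.255.255.0
object-group network Websites
 network-object host 8.8.8.8
 network-object host 123.123.123.123
 network-object host 123.123.123.132
!
! Match ACL for PBR. It is referenced by the route-map only and is NOT
! applied with access-group, so it filters nothing; it just selects
! which flows the route-map acts on.
access-list PBR_BREAKOUT extended permit ip object LAN object-group Websites
!
! Route-map: flows matching the ACL are forwarded to the ISP gateway on
! the outside interface. 203.0.113.1 is a placeholder for the real
! outside next hop. Anything the route-map does not match keeps the
! normal routing table lookup (the default route into the VTI), so no
! deny clause is needed for the rest of the traffic.
route-map PBR_OUT permit 10
 match ip address PBR_BREAKOUT
 set ip next-hop 203.0.113.1
!
! PBR is applied on the ingress interface of the LAN traffic, i.e. the
! interface whose nameif is "inside" (placeholder: GigabitEthernet0/1).
interface GigabitEthernet0/1
 policy-route route-map PBR_OUT
!
! NAT is scoped to the (inside,outside) interface pair, so only the flows
! that PBR sends out the physical outside interface are translated to the
! outside interface address. Flows egressing via the VTI's own interface
! do not match this rule and stay un-NATed.
nat (inside,outside) source dynamic LAN interface
```

The ASA only translates traffic for which a NAT rule matches, so the PBR route-map by itself does not NAT anything; the rule above is what provides the translation for the breakout flows.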
