cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
319
Views
0
Helpful
3
Replies
Highlighted
Beginner

Cisco ASA 5505 VPN. How can I match all traffic in crypto map besides special IPs ?

object network obj-any
subnet 0.0.0.0 0.0.0.0
object network inside-net
subnet 192.168.208.0 255.255.255.240

object-group network GO-nets
network-object 172.16.0.0 255.240.0.0



nat (inside,outside) source static inside-net inside-net destination static GO-nets GO-nets no-proxy-arp route-lookup description NoNAT

access-list 102 extended permit ip object inside-net object-group GO-nets



crypto ipsec ikev2 ipsec-proposal desv2
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 20 match address 102
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer **** 
crypto map outside_map 20 set ikev2 ipsec-proposal desv2
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 20

This is a part of my cisco ASA's VPN configuration. In this version inside netwok is NATed dynamic outside interface, and traffic to 172.16.0.0/12 forward into VPN. 
How can I forward 0.0.0.0/0 traffic to this VPN bedides special IP? For example, I want source inside-net destination 0.0.0.0/0  forward to our central corporate firewall by VPN, but 8.8.8.8:53 don't want forward that way, I want 8.8.8.8:53 forward Cisco ASA's  outside interface and NATed dynamic. 

I need route all internet traffic from Cisco ASA's inside net to our central FW for monitoring and policing. 

And sorry for my english, guys. I hope you understand what I mean. 

 

Unfortunately, Cisco ASA 5505 doesn't not support VTI interfaces. 

 

3 REPLIES 3
Highlighted
Beginner

Hi!

Looks like you are using ACL 102 to match the Traffic which will be protected (routed in to the Tunnel)...

You just need to extend this ACL to match all traffic you want to go over the tunnel.

You can add a "deny" line for traffic from inside network to Google DNS (meaning it won't go over the tunnel).

And then add a "permit" statement for inside network to any :)

Hope that helps, let me know what you think.

Best regards
Juls

Highlighted
Beginner

from the configuration , the NAT exemption using Manual NAT Policies (Section 1)
ASA allots each configured NAT rule into one of the three sections:
Section 1 – Manual NAT Policies
Section 2 – Auto NAT Policies
Section 3 – Manual NAT Policies
Section 1 is similar to ACL, hit the any one (number) will stop (not walk thought all of ACL #)
U can do following

object-group network 8.8.8.8.Obj
description GoogleDns
network-object host 8.8.8.8

nat (inside,outside) source dynamic inside-net interface destination static 8.8.8.8.Obj 8.8.8.8.Obj no-proxy-arp route-lookup description GoogleDns
nat (inside,outside) source static inside-net inside-net destination static GO-nets GO-nets no-proxy-arp route-lookup description NoNAT
Highlighted
VIP Advisor

Hi,

For the traffic that you don't want to pass over VPN, deny it from crypto
ACL. Then put the last statement in the crypto ACL to encrypt remaining
traffic

***** please remember to rate useful posts
Content for Community-Ad