object network obj-any
 subnet 0.0.0.0 0.0.0.0
object network inside-net
 subnet 192.168.208.0 255.255.255.240
object-group network GO-nets
 network-object 172.16.0.0 255.240.0.0
nat (inside,outside) source static inside-net inside-net destination static GO-nets GO-nets no-proxy-arp route-lookup description NoNAT
access-list 102 extended permit ip object inside-net object-group GO-nets
crypto ipsec ikev2 ipsec-proposal desv2
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 20 match address 102
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer ****
crypto map outside_map 20 set ikev2 ipsec-proposal desv2
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 20
This is part of my Cisco ASA's VPN configuration. In this version the inside network is dynamically NATed to the outside interface, and traffic to 172.16.0.0/12 is forwarded into the VPN.
How can I forward 0.0.0.0/0 traffic into this VPN except for specific IPs? For example, I want source inside-net, destination 0.0.0.0/0 forwarded to our central corporate firewall over the VPN, but I don't want 18.104.22.168:53 forwarded that way; I want 22.214.171.124:53 forwarded out the Cisco ASA's outside interface with dynamic NAT.
I need to route all internet traffic from the Cisco ASA's inside net to our central FW for monitoring and policing.
And sorry for my English, guys. I hope you understand what I mean.
Unfortunately, the Cisco ASA 5505 does not support VTI interfaces.
Looks like you are using ACL 102 to match the traffic that will be protected (routed into the tunnel)...
You just need to extend this ACL to match all the traffic you want to go over the tunnel.
You can add a "deny" line for traffic from the inside network to Google DNS (meaning it won't go over the tunnel).
And then add a "permit" statement for inside network to any :)
Hope that helps, let me know what you think.
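The change the answer describes, written out against the configuration posted in the question. This is an added example, not the answerer's or Cisco's own config: the object-group name dns-exempt, the NAT line numbers and the description strings are my assumptions; the addresses are the two DNS servers from the question, and obj-any and inside-net are the question's existing objects. One practical point the answer leaves implicit: the ASA evaluates the crypto ACL against post-NAT addresses, so extending the ACL alone is not enough. The existing NoNAT rule only exempts traffic to GO-nets; inside-net traffic to any other destination is still dynamically PATed to the outside interface, and a packet whose source has become the outside IP no longer matches `object inside-net` in ACL 102. The NAT rules therefore have to be adjusted in step with the ACL, and in the right order. I exempt all traffic to the two DNS hosts rather than only port 53 so that the deny ACEs and the PAT rule agree on exactly the same traffic.

```cisco
! Hosts that must bypass the tunnel (the two DNS servers from the question).
! Group name is an assumption.
object-group network dns-exempt
 network-object host 18.104.22.168
 network-object host 22.214.171.124

! Crypto ACL 102. Evaluated top-down, so the deny ACEs must come before the
! catch-all permit; traffic matching a deny is sent unencrypted, not dropped.
! The original permit to GO-nets becomes redundant but does no harm.
access-list 102 extended deny ip object inside-net object-group dns-exempt
access-list 102 extended permit ip object inside-net any

! Manual NAT, evaluated in order (first match wins):
!  1) traffic to the DNS servers is PATed to the outside interface, as today.
!     Its source becomes the outside IP, so it cannot match ACL 102 even
!     without the deny ACEs; the deny ACEs and this rule must describe the
!     same traffic.
!  2) everything else from inside-net keeps its real address (identity NAT),
!     matches "permit ip object inside-net any" and is encrypted to the peer.
nat (inside,outside) 1 source dynamic inside-net interface destination static dns-exempt dns-exempt description DNS-direct
nat (inside,outside) 2 source static inside-net inside-net destination static obj-any obj-any no-proxy-arp route-lookup description NoNAT-to-tunnel
```

Two checks before relying on this: the central firewall's crypto ACL has to mirror the new traffic selector (any to 192.168.208.0/28) or the IKEv2 child SA for the wider selector will not come up, and the central firewall must now NAT inside-net to the internet itself, since the ASA no longer does. `show crypto ipsec sa` on the ASA should show a single SA with local selector 192.168.208.0/28 and remote selector 0.0.0.0/0 once both sides agree.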