Cisco ASA 5505 VPN. How can I match all traffic in crypto map besides special IPs ?

Vladimir Fomin
Level 1
object network obj-any
subnet 0.0.0.0 0.0.0.0
object network inside-net
subnet 192.168.208.0 255.255.255.240

object-group network GO-nets
network-object 172.16.0.0 255.240.0.0
nat (inside,outside) source static inside-net inside-net destination static GO-nets GO-nets no-proxy-arp route-lookup description NoNAT

access-list 102 extended permit ip object inside-net object-group GO-nets
crypto ipsec ikev2 ipsec-proposal desv2
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 20 match address 102
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer **** 
crypto map outside_map 20 set ikev2 ipsec-proposal desv2
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 20

This is a part of my Cisco ASA's VPN configuration. In this version the inside network is NATed dynamically to the outside interface, and traffic to 172.16.0.0/12 is forwarded into the VPN.
How can I forward 0.0.0.0/0 traffic to this VPN besides special IPs? For example, I want source inside-net destination 0.0.0.0/0 forwarded to our central corporate firewall by VPN, but I don't want 8.8.8.8:53 forwarded that way; I want 8.8.8.8:53 forwarded out the Cisco ASA's outside interface and NATed dynamically.

I need to route all internet traffic from the Cisco ASA's inside net to our central FW for monitoring and policing.

And sorry for my English, guys. I hope you understand what I mean.


Unfortunately, the Cisco ASA 5505 doesn't support VTI interfaces.


3 Replies

julian.bendix
Level 3

Hi!

Looks like you are using ACL 102 to match the traffic which will be protected (routed into the tunnel)...

You just need to extend this ACL to match all traffic you want to go over the tunnel.

You can add a "deny" line for traffic from inside network to Google DNS (meaning it won't go over the tunnel).

And then add a "permit" statement for inside network to any :)

Hope that helps, let me know what you think.

Best regards
Juls

pccw258103
Level 1
From the configuration, the NAT exemption is using Manual NAT Policies (Section 1).
The ASA allots each configured NAT rule into one of three sections:
Section 1 – Manual NAT Policies
Section 2 – Auto NAT Policies
Section 3 – Manual NAT Policies
Section 1 is similar to an ACL: the first matching rule (by line number) stops processing; it does not walk through all of the rules.
You can do the following:

object-group network 8.8.8.8.Obj
description GoogleDns
network-object host 8.8.8.8

nat (inside,outside) source dynamic inside-net interface destination static 8.8.8.8.Obj 8.8.8.8.Obj no-proxy-arp route-lookup description GoogleDns
nat (inside,outside) source static inside-net inside-net destination static GO-nets GO-nets no-proxy-arp route-lookup description NoNAT

Hi,

For the traffic that you don't want to pass over VPN, deny it from crypto
ACL. Then put the last statement in the crypto ACL to encrypt remaining
traffic

***** please remember to rate useful posts
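Putting the three replies together, here is an added example configuration (not posted by anyone in this thread) that excludes the Google DNS host from the tunnel and sends everything else from inside-net over it. It assumes the OP's object names (inside-net, obj-any, GO-nets), ACL 102 and crypto map outside_map seq 20 as posted; the object name GoogleDNS and the NAT line numbers are constructed here. Like the replies, it excludes the whole host 8.8.8.8, not only UDP/53.

```cisco
! --- Object for the host that must stay off the tunnel (constructed name) ---
object network GoogleDNS
 host 8.8.8.8

! --- Section 1 (manual) NAT: first match wins, so the specific rule goes first ---
! 1) Traffic to 8.8.8.8 is PATed to the outside interface address and leaves in the clear.
nat (inside,outside) 1 source dynamic inside-net interface destination static GoogleDNS GoogleDNS description PAT-GoogleDNS
! 2) All other traffic from inside-net keeps its real address. The ASA applies NAT before
!    it evaluates the crypto map, so without this identity rule the PATed source would
!    never match ACL 102 and would bypass the tunnel. This generalises the OP's NoNAT
!    rule for GO-nets to any destination.
nat (inside,outside) 2 source static inside-net inside-net destination static obj-any obj-any no-proxy-arp route-lookup description NoNAT-to-VPN

! --- Crypto ACL: deny entries are excluded from protection; order matters ---
! The deny is placed at line 1 so it is evaluated before the catch-all permit.
access-list 102 line 1 extended deny ip object inside-net object GoogleDNS
access-list 102 extended permit ip object inside-net any
! (The existing "permit ip object inside-net object-group GO-nets" line is a subset
!  of the permit above and can stay or be removed.)

! --- Verification (run from enable mode) ---
! Expect the first trace to end with a NAT/PAT phase and no VPN encrypt phase,
! and the second to show an ENCRYPT (VPN) phase:
! packet-tracer input inside udp 192.168.208.10 40000 8.8.8.8 53
! packet-tracer input inside tcp 192.168.208.10 40000 203.0.113.10 443
! show crypto ipsec sa peer <central-fw-peer-ip>
```

The central firewall must carry the mirror-image policy (its local selector 0.0.0.0/0, remote 192.168.208.0/28) and itself route or NAT the internet-bound traffic, otherwise the IKEv2 child SA will not negotiate for the wider selector.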