how to route specific IP through VPN tunnel

rga-rga-rga
Level 1

I have set up Remote Access VPN using Cisco VPN.  
We use split tunneling to tunnel internal IP range to VPN tunnel only.
Now I need to route specific IP address from Cisco VPN Client side
to internal network and through it to Internet.
I have added that specific IP address to the split tunnel ACL.
I can check it using Cisco VPN Client, Status > Statistics, Route Details,
but when I traceroute to that specific IP address it ends on
first hop, ASA public interface.
ASA has 0.0.0.0/0 route set.
What more do I need to set up?

Accepted Solutions

Hi,

If you need to allow the VPN client to connect to the ASA and u-turn to the Internet you need:

same-security-traffic permit intra-interface

Also, make sure you NAT the traffic:

nat (outside) 1 VPN-range

global (outside) 1 interface

Be careful with the NAT commands above (this is just an example and depends on your configuration).

Federico.

I already had

same-security-traffic permit intra-interface

in my configuration but NAT was the issue. I had

nat-control
global (outside) 1 interface
nat (inside) 0 access-list acl_no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0

but

nat (outside) 1 172.27.127.0 255.255.255.0

(VPN address range) was missing.

Thanks for the clue!
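
Added example, not part of the original thread: a Python check that reads pre-8.3 ASA NAT syntax like the lines quoted above and reports which prerequisite for VPN u-turn traffic is missing. The function name `hairpin_gaps` and the `BEFORE`/`AFTER` strings are assumptions, constructed from the commands shown in the posts.

```python
import ipaddress
import re

# Constructed sample: the poster's configuration before the fix.
BEFORE = """\
same-security-traffic permit intra-interface
nat-control
global (outside) 1 interface
nat (inside) 0 access-list acl_no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# Constructed sample: the same configuration with the missing line added.
AFTER = BEFORE + "nat (outside) 1 172.27.127.0 255.255.255.0\n"

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\s*$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) \S+")


def hairpin_gaps(config, vpn_pool, ifc="outside"):
    """List the u-turn prerequisites missing from `config` for `vpn_pool`."""
    pool = ipaddress.ip_network(vpn_pool)
    lines = [l.strip() for l in config.splitlines()]
    gaps = []
    if "same-security-traffic permit intra-interface" not in lines:
        gaps.append("same-security-traffic permit intra-interface")
    # NAT ids that have a translation pool on the egress interface.
    global_ids = {m.group(2) for l in lines
                  if (m := GLOBAL_RE.match(l)) and m.group(1) == ifc}
    # NAT ids whose source network on that interface covers the VPN pool.
    nat_ids = set()
    for l in lines:
        m = NAT_RE.match(l)
        if m and m.group(1) == ifc and m.group(2) != "0":
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            if pool.subnet_of(net):
                nat_ids.add(m.group(2))
    if not nat_ids:
        gaps.append(f"nat ({ifc}) <id> covering {pool}")
    elif not nat_ids & global_ids:
        gaps.append(f"global ({ifc}) for nat id {sorted(nat_ids)[0]}")
    return gaps


if __name__ == "__main__":
    print("before:", hairpin_gaps(BEFORE, "172.27.127.0/24"))
    print("after: ", hairpin_gaps(AFTER, "172.27.127.0/24"))
```

The check only understands the `nat (ifc) id network mask` form; access-list based NAT rules and the 8.3+ object NAT syntax are outside its scope.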