Route all Non-VPN traffic to one address PIX 501


Right now, I have a PIX that tunnels back to another network for only certain private subnets. For all other traffic, they go straight out to the web. I want to force that other non-VPN traffic to go to one public address only.

I would like to do this after the VPN connection is established, so I know a simple route will not work.

Your help is appreciated.

Marwan ALshawi Mon, 09/29/2008 - 22:05

With a router you could do it through PBR (policy-based routing), but this feature is not available on ASA or PIX.

But what you can do is:

In your VPN ACL and no-NAT (NAT 0), include only the IPs or networks that need to use the VPN tunnel.

On your NATing or PATing to the internet, deny the traffic going from your site to the remote site through an extended ACL, then permit any.

This way you will NAT/PAT all other traffic to the internet.

Good luck.

If helpful, rate.

Below is what I am currently doing from an ACL standpoint. Can you give me a config example on what I need to change/add?

access-list outside_access_in extended permit icmp any any
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 ElginInternal 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 HESNET 255.252.0.0
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 CCVPNNET 255.252.0.0
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 IndyInternal 255.255.255.0
access-list outside_cryptomap_20 remark Tunnel to Elgin
access-list outside_cryptomap_20 extended permit ip LOCALNET 255.255.255.0 ElginInternal 255.255.255.0
access-list outside_cryptomap_20 remark Tunnel to HES
access-list outside_cryptomap_20 extended permit ip LOCALNET 255.255.255.0 HESNET 255.252.0.0
access-list outside_cryptomap_20 remark Tunnel to CCVPN Sites
access-list outside_cryptomap_20 extended permit ip LOCALNET 255.255.255.0 CCVPNNET 255.252.0.0
access-list outside_cryptomap_20 remark Tunnel to Indy
access-list outside_cryptomap_20 extended permit ip LOCALNET 255.255.255.0 IndyInternal 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
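The following is an added configuration example, not posted in this thread and not Cisco's own text, showing how the NAT-based approach in the answer above maps onto the ACLs the original poster listed. It assumes the object names already in that config (LOCALNET, ElginInternal, HESNET, CCVPNNET, IndyInternal), keeps inside_outbound_nat0_acl and outside_cryptomap_20 unchanged, introduces a new ACL name inside_policy_nat, and uses 203.0.113.10 as a placeholder for the single public address (a documentation-range address; substitute your own).

```cisco
! Added example, not from the thread. LOCALNET, ElginInternal, HESNET,
! CCVPNNET and IndyInternal are the names used in the posted config;
! inside_policy_nat and 203.0.113.10 are assumptions/placeholders.

! 1. NAT exemption stays limited to the VPN-protected subnets. These lines
!    are unchanged from the posted config; traffic matching them is not
!    translated and is picked up by the crypto map ACL.
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 ElginInternal 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 HESNET 255.252.0.0
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 CCVPNNET 255.252.0.0
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 IndyInternal 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl

! 2. Policy NAT ACL for everything else: deny traffic to the remote VPN
!    subnets first, then permit any. Denied flows simply do not match
!    this NAT rule.
access-list inside_policy_nat extended deny ip LOCALNET 255.255.255.0 ElginInternal 255.255.255.0
access-list inside_policy_nat extended deny ip LOCALNET 255.255.255.0 HESNET 255.252.0.0
access-list inside_policy_nat extended deny ip LOCALNET 255.255.255.0 CCVPNNET 255.252.0.0
access-list inside_policy_nat extended deny ip LOCALNET 255.255.255.0 IndyInternal 255.255.255.0
access-list inside_policy_nat extended permit ip LOCALNET 255.255.255.0 any

! 3. Replace the catch-all "nat 1 / global interface" pair with policy NAT
!    that PATs the remaining traffic to one fixed public address.
no nat (inside) 1 0.0.0.0 0.0.0.0
no global (outside) 1 interface
nat (inside) 1 access-list inside_policy_nat
global (outside) 1 203.0.113.10

! Verification:
!   show xlate            - non-VPN flows should appear translated to 203.0.113.10
!   show crypto ipsec sa  - the remote subnets should still count encrypted packets
```

On the PIX, NAT exemption (nat 0 access-list) is evaluated before policy NAT, so VPN-bound traffic is left untranslated even without the deny lines; the deny entries in inside_policy_nat follow the answer above and make the intent explicit in the config. Because the nat 0 ACL and the crypto map ACL list the same subnets, any subnet added to one later must be added to the other, or that traffic will either be translated before encryption or sent in the clear.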
