
Route all Non-VPN traffic to one address PIX 501

Matt.Fields
Level 1

Right now, I have a PIX that tunnels back to another network for only certain private subnets. For all other traffic, they go straight out to the web. I want to force that other non-VPN traffic to go to one public address only.

I would like to do this after the VPN connection is established, so I know a simple route will not work.

Your help is appreciated.

2 Replies

Marwan ALshawi
VIP Alumni

With a router you could do it through PBR (policy-based routing), but this feature is not available on ASA or PIX.

But what you can do is:

In your VPN ACL and no-NAT (NAT 0) ACL, include only the IPs or networks that need to use the VPN tunnel.

On your NAT or PAT to the internet, deny the traffic going from your site to the remote site through an extended ACL, then permit any.

This way you will NAT/PAT all other traffic to the internet.

Good luck.

If helpful, rate.

Below is what I am currently doing from an ACL standpoint. Can you give me a config example on what I need to change/add?

access-list outside_access_in extended permit icmp any any

access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 ElginInternal 255.255.255.0

access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 HESNET 255.252.0.0

access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 CCVPNNET 255.252.0.0

access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 IndyInternal 255.255.255.0

access-list outside_cryptomap_20 remark Tunnel to Elgin

access-list outside_cryptomap_20 extended permit ip LOCALNET 255.255.255.0 ElginInternal 255.255.255.0

access-list outside_cryptomap_20 remark Tunnel to HES

access-list outside_cryptomap_20 extended permit ip LOCALNET 255.255.255.0 HESNET 255.252.0.0

access-list outside_cryptomap_20 remark Tunnel to CCVPN Sites

access-list outside_cryptomap_20 extended permit ip LOCALNET 255.255.255.0 CCVPNNET 255.252.0.0

access-list outside_cryptomap_20 remark Tunnel to Indy

access-list outside_cryptomap_20 extended permit ip LOCALNET 255.255.255.0 IndyInternal 255.255.255.0

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0
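The reply above relies on the VPN (crypto) ACL and the NAT 0 ACL covering the same networks. As an added example (not from the thread; `parse_aces` and `compare` are names made up here), this Python check parses the ACL lines posted above and reports entries present in one list but not the other. It compares entries as text and assumes the `name` objects (LOCALNET, HESNET, ...) are used consistently rather than resolving them to addresses.

```python
import re

# ACL lines from the post above (remark lines trimmed to one), embedded for an offline run.
CONFIG = """\
access-list outside_access_in extended permit icmp any any
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 ElginInternal 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 HESNET 255.252.0.0
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 CCVPNNET 255.252.0.0
access-list inside_outbound_nat0_acl extended permit ip LOCALNET 255.255.255.0 IndyInternal 255.255.255.0
access-list outside_cryptomap_20 remark Tunnel to Elgin
access-list outside_cryptomap_20 extended permit ip LOCALNET 255.255.255.0 ElginInternal 255.255.255.0
access-list outside_cryptomap_20 extended permit ip LOCALNET 255.255.255.0 HESNET 255.252.0.0
access-list outside_cryptomap_20 extended permit ip LOCALNET 255.255.255.0 CCVPNNET 255.252.0.0
access-list outside_cryptomap_20 extended permit ip LOCALNET 255.255.255.0 IndyInternal 255.255.255.0
"""

# Matches only "ip" entries of the form: <acl> [extended] permit|deny ip src mask dst mask
ACE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)

def parse_aces(config):
    """Return {acl_name: set of (action, src, smask, dst, dmask)}."""
    acls = {}
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m:  # remark lines and non-ip entries (e.g. icmp) do not match
            acls.setdefault(m["acl"], set()).add(
                (m["action"], m["src"], m["smask"], m["dst"], m["dmask"]))
    return acls

def compare(config, nat0_acl, crypto_acl):
    """List entries that appear in only one of the two ACLs."""
    acls = parse_aces(config)
    nat0 = acls.get(nat0_acl, set())
    crypto = acls.get(crypto_acl, set())
    return {
        # selected for the tunnel but not exempt from NAT
        "encrypted_but_natted": sorted(crypto - nat0),
        # exempt from NAT but not selected for the tunnel
        "exempt_but_not_encrypted": sorted(nat0 - crypto),
    }

if __name__ == "__main__":
    print(compare(CONFIG, "inside_outbound_nat0_acl", "outside_cryptomap_20"))
```

Both lists come back empty for the configuration as posted, so the two ACLs already agree on which destinations use the tunnel.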
