01-31-2011 01:29 AM
I have set up Remote Access VPN using Cisco VPN.
We use split tunneling to tunnel internal IP range to VPN tunnel only.
Now I need to route specific IP address from Cisco VPN Client side
to internal network and through it to Internet.
I have added that specific IP address to split tunnel ACL
I can check it using Cisco VPN Client, Status > Statistics, Route Details,
but when I traceroute to that specific IP address it ends on
first hop, ASA public interface.
ASA has 0.0.0.0/0 route set.
What more do I need to set up?
01-31-2011 10:45 AM
Hi,
If you need to allow the VPN client to connect to the ASA and u-turn to the Internet you need:
same-security-traffic permit intra-interface
Also, make sure you NAT the traffic:
nat (outside) 1 VPN-range
global (outside) 1 interface
Be careful with the NAT commands above (this is just an example and depends on your configuration).
Federico.
01-31-2011 11:35 PM
I already had
same-security-traffic permit intra-interface
in my configuration but NAT was the issue. I had
nat-control
global (outside) 1 interface
nat (inside) 0 access-list acl_no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0
but
nat (outside) 1 172.27.127.0 255.255.255.0
(VPN address range) was missing.
Thanks for the clue!
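As an added audit check (not from this thread, not Cisco tooling), the following script reads a pre-8.3 ASA config excerpt and reports whether the two U-turn prerequisites from the answer are present: the intra-interface permit, and a nat (outside) rule for the VPN pool whose id has a matching global (outside). The pool name and the ip local pool line are assumptions; the thread only gives the 172.27.127.0/24 range.

```python
import ipaddress
import re

# Constructed ASA config excerpt (pre-8.3 NAT syntax) modelled on the asker's
# original config, which lacks a nat (outside) entry for the VPN pool.
# The "ip local pool VPN-POOL ..." line is an assumption, not from the thread.
ASA_CONFIG_BEFORE = """\
same-security-traffic permit intra-interface
ip local pool VPN-POOL 172.27.127.1-172.27.127.254 mask 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list acl_no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# The same config plus the line the asker found missing.
ASA_CONFIG_AFTER = ASA_CONFIG_BEFORE + "nat (outside) 1 172.27.127.0 255.255.255.0\n"

POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")


def check_vpn_uturn(config: str, vpn_if: str = "outside") -> list:
    """Return findings; an empty list means the U-turn prerequisites are present."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    # 1. Hairpinning: traffic must be allowed to enter and leave the same interface.
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("missing: same-security-traffic permit intra-interface")
    # 2. The VPN pool needs a nat (<vpn_if>) rule whose id has a global on that interface,
    #    otherwise the hairpinned traffic leaves untranslated (or is dropped under nat-control).
    global_ids = {m.group(2) for ln in lines
                  for m in [GLOBAL_RE.match(ln)] if m and m.group(1) == vpn_if}
    nat_rules = [(m.group(2), ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False))
                 for ln in lines for m in [NAT_RE.match(ln)] if m and m.group(1) == vpn_if]
    for ln in lines:
        m = POOL_RE.match(ln)
        if not m:
            continue
        start, end = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        covered = any(start in net and end in net and nid in global_ids
                      for nid, net in nat_rules)
        if not covered:
            findings.append(f"pool {start}-{end}: no nat ({vpn_if}) rule with a matching "
                            f"global ({vpn_if}) covers it")
    return findings


if __name__ == "__main__":
    print("before:", check_vpn_uturn(ASA_CONFIG_BEFORE))
    print("after: ", check_vpn_uturn(ASA_CONFIG_AFTER))
```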