VPN IPsec Fallback to Internet

Unanswered Question
Nov 11th, 2013

Hi all,


I created an IPsec tunnel with NAT-Traversal between our LAN and a remote server (called remote_vpn here) to access the Internet.

The PCs behind the dmz interface use DHCP (in the network range called dmz-network here) and go to the Internet through the IPsec tunnel.


The tunnel works most of the time, but when the tunnel goes down (due to a remote server issue), the PCs don't have Internet access at all, although they can use direct Internet access (without going through the IPsec tunnel). Here are the NAT rules I use to allow PCs in the dmz_network range to go through the tunnel:


+++++++++++++++++++++++++++++++++++++++++++++++++

Section 1

ciscoasa1# sh run nat

nat (dmz,outside) source dynamic dmz-network remote_vpn interface destination static remote_vpn remote_vpn

!

+++++++++++++++++++++++++++++++++++++++++++++++++


To allow access when IPsec is down, I manually add the rule below.

But when I add this NAT rule below (in section 3) after the NAT rule used for the VPN above (section 1), all the traffic goes directly to the Internet and doesn't go through the IPsec tunnel when it is up again.



++++++++++++++++++++++++++++++++++++++++++++++++

Section 3 PAT rule:

nat (dmz,outside) after-auto source dynamic dmz-network interface

+++++++++++++++++++++++++++++++++++++++++++++++++


I would like the PCs to go to the Internet directly when the tunnel is down and then use the tunnel to go to the Internet when the tunnel is up again.


Thanks in advance


Alex
