02-20-2012 08:46 AM - edited 03-11-2019 03:32 PM
Is it possible to relay traffic out of the same interface? For instance we have a computer on the Internet that only is accessible from our network. I'd like users to connect to our network, look at the ACL, and then connect to the remote computer. So basically I'm going right back out the same interface. VPN->outside interface->Internet. I'd still want split tunneling to be enabled and have this apply to only a specific IP or subnet. Is this possible?
02-20-2012 09:49 AM
Hello Greg,
So you are looking for the U-turning traffic feature.
All you need to allow packets to go to an interface and then go back out the same interface is the same-security permit command.
Regards,
Do rate helpful posts!
02-20-2012 11:27 AM
Thanks for the reply.
I issued the same-security-traffic permit intra-interface command on my outside interface and gave the VPN client a static route for the IP telling it to send traffic over the VPN, but I'm not able to connect. Is this the correct command and the correct way to issue it?
I found this article on Cisco's site:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
02-20-2012 11:40 AM
Hello Greg,
Please provide the following packet tracer:
packet-tracer input outside tcp x.x.x.x (vpn client ip) 1025 4.2.2.2 80
Can you provide the VPN configuration as well? (I want to see the tunnel-group and group-policy configuration!)
Regards,
02-20-2012 12:29 PM
This is the packet tracer result:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I can see the traffic coming from the VPN client to the IP, so the route is working. I get a teardown and built message in the log, but nothing saying the traffic is denied.
I think this info should cover what you're looking for:
group-policy GroupPolicy_ZSSL attributes
 wins-server none
 dns-server value 192.168.1.8 192.168.1.47
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value company.com
 webvpn
  anyconnect profiles value ZSSL_client_profile type user
username company password xxxxxxxxxxxxxx encrypted privilege 15
tunnel-group companyVPN type remote-access
tunnel-group companyVPN general-attributes
 address-pool VPNPool
 authentication-server-group MicrosoftIAS LOCAL
 accounting-server-group MicrosoftIAS
 default-group-policy companyVPN
 password-management
tunnel-group companyVPN ipsec-attributes
 ikev1 pre-shared-key *****
02-20-2012 01:08 PM
Hello Greg,
Please add the following
nat (outside) 1 x.x.x.x (VPN IPsec client pool)
global (outside) 1 interface
Then give it a try!
Regards,
02-22-2012 06:02 AM
Sorry, I didn't get to this yesterday.
Adding the NAT statement above gives me the error:
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.
I'm running an ASA 5510 with 8.4(3); I guess I need to figure out the format that it will accept.
02-22-2012 11:51 AM
Hello Greg,
object network Ipsec_client
 subnet 192.168.12.0 255.255.255.0
nat (outside,outside) source dynamic Ipsec_client interface
Do rate helpful posts
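Pulling the thread's pieces together into one 8.3+ style configuration, as an added example rather than configuration from any of the posts above: the object names VPN_POOL, HAIRPIN_HOST and SPLIT_TUNNEL, the placeholder remote host 203.0.113.10, and the internal subnet 192.168.1.0/24 (inferred from the DNS server addresses) are all assumptions.

```text
! Allow a flow to enter and leave the same (outside) interface
same-security-traffic permit intra-interface
!
! The remote-access client pool (assumed to be the VPNPool range)
object network VPN_POOL
 subnet 192.168.12.0 255.255.255.0
!
! The one Internet host that must be reached from the firewall's address
! (203.0.113.10 is a documentation placeholder, not a real address)
object network HAIRPIN_HOST
 host 203.0.113.10
!
! Hairpin NAT: translate the client pool to the outside interface address,
! but only for flows to HAIRPIN_HOST. Other Internet destinations do not
! match this rule, so they cannot be U-turned through the ASA by accident.
nat (outside,outside) source dynamic VPN_POOL interface destination static HAIRPIN_HOST HAIRPIN_HOST
!
! Split tunnel list: the internal subnet (assumed) plus the single remote
! host. Everything else leaves the client directly, as the question asks.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit host 203.0.113.10
!
group-policy GroupPolicy_ZSSL attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
```

With sysopt connection permit-vpn left at its default, decrypted VPN traffic bypasses the outside interface ACL, so the NAT rule and the split-tunnel list are what decide which client flows are hairpinned.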