Relay traffic out same interface

Is it possible to relay traffic out of the same interface?  For instance we have a computer on the Internet that only is accessible from our network.  I'd like users to connect to our network, look at the ACL, and then connect to the remote computer.  So basically I'm going right back out the same interface.  VPN->outside interface->Internet.  I'd still want split tunneling to be enabled and have this apply to only a specific IP or subnet.   Is this possible?

Relay traffic out same interface

Hello Greg,

So you are looking for the U-turning traffic feature.

All you need to allow packets to go to an interface and then go back out the same interface is the same-security-traffic permit command.

Regards,

Do rate helpful posts!

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Relay traffic out same interface

Thanks for the reply.

I issued the same-security-traffic permit intra-interface command on my outside interface and gave the VPN client a static route for the IP telling it send traffic over the VPN, but I'm not able to connect.  Is this the correct command and the correct way to issue it?

I found this article on Cisco's site:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

Relay traffic out same interface

Hello Greg,

Please provide the following packet tracer

-packet-tracer input outside tcp x.x.x.x (vpn client ip) 1025 4.2.2.2 80

Can you provide the VPN configuration as well (I want to see the tunnel-group and group-policy configuration)?

Regards,


Relay traffic out same interface

This is the packet tracer result:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I can see the traffic coming from the VPN client to the IP, so the route is working.  I get a built and teardown message in the log, but nothing saying the traffic is denied.

I think this info should cover what you're looking for:

group-policy GroupPolicy_ZSSL attributes
 wins-server none
 dns-server value 192.168.1.8 192.168.1.47
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value company.com
 webvpn
  anyconnect profiles value ZSSL_client_profile type user
username company password xxxxxxxxxxxxxx encrypted privilege 15
tunnel-group companyVPN type remote-access
tunnel-group companyVPN general-attributes
 address-pool VPNPool
 authentication-server-group MicrosoftIAS LOCAL
 accounting-server-group MicrosoftIAS
 default-group-policy companyVPN
 password-management
tunnel-group companyVPN ipsec-attributes
 ikev1 pre-shared-key *****

Relay traffic out same interface

Hello Greg,

Please add the following

nat (outside) 1 x.x.x.x ( VPN IPSEC client pool)

global (outside) 1 interface

Then give it a try!

Regards,


Relay traffic out same interface

Sorry, I didn't get to this yesterday.

Adding the NAT statement above gives me the error:

ERROR: This syntax of nat command has been deprecated.

Please refer to "help nat" command for more details.

I'm running an ASA 5510 with 8.4(3); I guess I need to figure out the format that it will accept.

Relay traffic out same interface

Hello Greg,

object network Ipsec_client
 subnet 192.168.12.0 255.255.255.0
nat (outside,outside) source dynamic Ipsec_client interface

Do rate helpful posts

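The thread supplies the pieces one at a time: the global same-security-traffic command in the first reply, the 8.4-style object and nat (outside,outside) rule in the last one, and the original request to hairpin only a specific host while keeping split tunnelling. The following block is an added example that assembles them into one configuration; it is not from the thread or from Cisco. It assumes the VPN pool 192.168.12.0/24 used in the last reply, uses 203.0.113.10 as a placeholder for the Internet host that only accepts connections from the company's public address, and the object, ACL and group-policy names are made up for illustration. The destination-restricted NAT rule and the split-tunnel list together confine the hairpin to that one host, which is what the original question asked for.

```cisco
! Added example (not the thread's own configuration), ASA 8.3+/8.4 syntax.
! Assumptions: VPN client pool 192.168.12.0/24; 203.0.113.10 stands in for the
! remote Internet host; object/ACL/group-policy names are hypothetical.

! 1. Allow a flow to enter and leave the same interface (outside -> outside).
!    This command is global, not tied to a particular interface.
same-security-traffic permit intra-interface

! 2. The VPN client pool and the single remote host to be hairpinned.
object network VPN_POOL
 subnet 192.168.12.0 255.255.255.0
object network REMOTE_HOST
 host 203.0.113.10

! 3. Hairpin PAT: clients reaching REMOTE_HOST leave with the ASA's outside
!    address, which is the address the remote host allows. The identity
!    destination clause limits the rule to that host instead of all of
!    the clients' Internet traffic.
nat (outside,outside) source dynamic VPN_POOL interface destination static REMOTE_HOST REMOTE_HOST

! 4. Split tunnelling: only the remote host and the internal network are
!    sent through the tunnel; everything else stays on the client's local
!    Internet connection. 192.168.1.0/24 matches the DNS servers in the
!    posted group-policy and is assumed to be the inside network.
access-list SPLIT_TUNNEL standard permit host 203.0.113.10
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy VPN_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 5. First check: the same packet-tracer the thread used, with concrete
!    addresses. Expect output-interface: outside, a NAT phase showing the
!    source translated to the outside address, and Action: allow.
packet-tracer input outside tcp 192.168.12.10 1025 203.0.113.10 80
```

The packet-tracer is a useful first check but not the final word: the outside interface ACL is not applied to decrypted VPN traffic when sysopt connection permit-vpn is in effect (the default), so a connection from a real client, followed by show xlate to confirm the pool address is being translated to the outside interface address, is the test that settles it.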