Cisco Support Community
Routing traffic for a specific user through Ipsec vpn

I would like to route traffic for a particular host on the internet (e.g. 9.9.9.9) through our outside interface (e.g. 7.7.7.0/27) instead of the client's internet connection.

I already added 9.9.9.9 to the split DNS ACL so that the route is inserted on the client's workstation, and a default route on the outside interface is set as follows:

CISCOASA# sh run | i route outside

route outside 0.0.0.0 0.0.0.0 7.7.7.30 1

NAT config:

object network obj-InsideNetworks

nat (inside,outside) dynamic 7.7.7.3

No NAT:

nat (inside,any) source static obj-InsideNetworks obj-InsideNetworks destination static inside-DEST-NONAT inside-DEST-NONAT no-proxy-arp

object network obj-InsideNetworks

range 10.0.1.0 10.0.255.255

object-group network inside-DEST-NONAT

network-object 10.0.3.0 255.255.255.0

network-object 10.0.2.0 255.255.255.0

network-object 10.10.10.0 255.255.255.0

network-object 10.0.4.0 255.255.255.128

The static IP assigned to the VPN client is 10.0.4.150, so it falls outside of the inside-DEST-NONAT scope. Still, if I traceroute to 9.9.9.9 when connected, I get the first hop 7.7.7.1 and it stops there.

Would appreciate any help on this.

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze


Hi,

If you are attempting to NAT the VPN users' traffic when it connects to the Internet through the ASA, then the NAT configuration for that user should be

object network VPN-CLIENT-PAT

subnet 10.0.4.128 255.255.255.128

nat (outside,outside) dynamic

Insert the public Dynamic PAT IP address into the above configuration. You can either use the parameter "interface" to use the ASA's public IP address or insert a spare public IP address that can be used. I assume that the VPN Pool uses the subnet 10.0.4.128/25.

You will also have to make sure you have the following configuration enabled

same-security-traffic permit intra-interface

You can confirm this with

show run same-security-traffic

Notice that there is another similar setting that ends with "inter-interface" which won't work for this situation.

Hope this helps

Let me know if you get it working

- Jouni
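To check the two conditions in this answer against a saved running-config, here is an added example that is not part of the thread and not a Cisco tool. It models ASA object (auto) NAT only: a rule applies when the packet's ingress and egress interfaces match the pair in parentheses and the source address falls in the object. Manual (twice) NAT, rule ordering within a section, and destination matching are not modelled. The two config excerpts are constructed from the thread's addresses (10.0.4.128/25 as the VPN pool, 7.7.7.3 as the inside PAT address) and are assumptions, not the poster's actual config.

```python
"""Decide which ASA object-NAT rule a VPN client's Internet-bound flow hits.

Added example, not from the thread.  Simplified model: object NAT only,
match on (ingress,egress) interface pair plus source address.  Manual
(twice) NAT and section ordering are out of scope.
"""
import ipaddress
import re

# Constructed excerpt: the original state described in the question.
# Note the (inside,outside) pair: it never matches a flow that both
# enters and leaves on "outside", which is what a VPN client's hairpin
# flow does.
CONFIG_BEFORE = """\
same-security-traffic permit inter-interface
object network obj-InsideNetworks
 range 10.0.1.0 10.0.255.255
 nat (inside,outside) dynamic 7.7.7.3
route outside 0.0.0.0 0.0.0.0 7.7.7.30 1
"""

# Constructed excerpt: the same config with the answer's two additions.
CONFIG_AFTER = CONFIG_BEFORE + """\
same-security-traffic permit intra-interface
object network VPN-CLIENT-PAT
 subnet 10.0.4.128 255.255.255.128
 nat (outside,outside) dynamic interface
"""


def intra_interface_permitted(config):
    """True only for the intra-interface form; inter-interface does not count."""
    return re.search(r"^same-security-traffic permit intra-interface\s*$",
                     config, re.M) is not None


def parse_object_nat(config):
    """Return object NAT rules as dicts with name, interfaces, mapped, lo/hi."""
    rules, name, lo, hi = [], None, None, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("object network "):
            name, lo, hi = line.split()[2], None, None
            continue
        if name is None or not line.startswith(" "):
            continue  # not inside an object network block
        parts = line.split()
        if parts[0] == "host":
            lo = hi = int(ipaddress.ip_address(parts[1]))
        elif parts[0] == "subnet":
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            lo, hi = int(net[0]), int(net[-1])
        elif parts[0] == "range":
            lo = int(ipaddress.ip_address(parts[1]))
            hi = int(ipaddress.ip_address(parts[2]))
        elif parts[0] == "nat" and lo is not None:
            m = re.match(r"\(([^,]+),([^)]+)\)", parts[1])
            rules.append({"name": name, "ingress": m.group(1),
                          "egress": m.group(2), "type": parts[2],
                          "mapped": " ".join(parts[3:]), "lo": lo, "hi": hi})
    return rules


def matching_rule(config, src_ip, ingress, egress):
    """First object NAT rule whose interface pair and source range match."""
    ip = int(ipaddress.ip_address(src_ip))
    for r in parse_object_nat(config):
        if (r["ingress"], r["egress"]) == (ingress, egress) and r["lo"] <= ip <= r["hi"]:
            return r
    return None


def diagnose_vpn_hairpin(config, client_ip, outside="outside"):
    """Report whether a VPN client's outside->outside flow gets PAT and is permitted."""
    rule = matching_rule(config, client_ip, outside, outside)
    intra = intra_interface_permitted(config)
    return {"nat": rule["name"] if rule else None,
            "mapped": rule["mapped"] if rule else None,
            "intra_interface": intra,
            "ok": rule is not None and intra}


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, diagnose_vpn_hairpin(cfg, "10.0.4.150"))
```

Run against the "before" excerpt it reports no NAT rule for 10.0.4.150 and no intra-interface permit: the existing `(inside,outside)` rule covers the address range but not the interface pair, so the client's packets would leave with their private source address, which matches the traceroute dying at the first hop. Against the "after" excerpt it reports `VPN-CLIENT-PAT` mapped to `interface` and the permit in place.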

2 REPLIES
Worked perfectly!  Thanks
