Routing traffic for a specific user through Ipsec vpn

andremagri
Level 1

I would like to route traffic for a particular host on the internet (e.g. 9.9.9.9) through our outside interface (e.g. 7.7.7.0/27) instead of the client's internet connection.

I already added 9.9.9.9 to the split DNS ACL so that the route is inserted on the client's workstation, and a default route on the outside interface is set as follows:

CISCOASA# sh run | i route outside
route outside 0.0.0.0 0.0.0.0 7.7.7.30 1

NAT config:

object network obj-InsideNetworks
 nat (inside,outside) dynamic 7.7.7.3

No NAT:

nat (inside,any) source static obj-InsideNetworks obj-InsideNetworks destination static inside-DEST-NONAT inside-DEST-NONAT no-proxy-arp

object network obj-InsideNetworks
 range 10.0.1.0 10.0.255.255

object-group network inside-DEST-NONAT
 network-object 10.0.3.0 255.255.255.0
 network-object 10.0.2.0 255.255.255.0
 network-object 10.10.10.0 255.255.255.0
 network-object 10.0.4.0 255.255.255.128

The static IP assigned to the VPN client is 10.0.4.150, so it falls outside of the inside-DEST-NONAT scope. Still, if I traceroute to 9.9.9.9 when connected, I get the first hop 7.7.7.1 and it stops there.

Would appreciate any help on this.

1 Accepted Solution

Jouni Forss
VIP Alumni

Hi,

If you are attempting to NAT the VPN user's traffic when it connects to the Internet through the ASA, then the NAT configuration for that user should be

object network VPN-CLIENT-PAT
 subnet 10.0.4.128 255.255.255.128
 nat (outside,outside) dynamic

Insert the public dynamic PAT IP address into the above configuration. You can either use the parameter "interface" to use the ASA's public IP address or insert a spare public IP address that can be used. I assume that the VPN pool uses the subnet 10.0.4.128/25.

You will also have to make sure you have the following configuration enabled:

same-security-traffic permit intra-interface

You can confirm this with

show run same-security-traffic

Notice that there is another similar setting that ends with "inter-interface", which won't work for this situation.

Hope this helps.

Let me know if you get it working.

- Jouni

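The configuration the accepted answer describes, written out end to end as an added example (this is not the original poster's or Jouni's configuration). It assumes the VPN pool is 10.0.4.128/25, that the ASA's own outside address is used for the PAT, that the internal networks are summarised as 10.0.0.0/16, and that the pool, ACL and group-policy names (VPN-POOL, SPLIT-TUNNEL, VPN-GP) are placeholders. The reason the original setup did not work is visible in the NAT rules: the client's packets enter the ASA on "outside", so neither the (inside,outside) object NAT nor the (inside,any) twice NAT ever matched them, and 10.0.4.150 left the outside interface untranslated.

```cisco
! Allow a flow to enter and leave on the same interface
! (VPN client -> outside -> Internet). Without this the hairpin is dropped.
same-security-traffic permit intra-interface

! Assumed VPN address pool; the NAT object below covers exactly this range.
ip local pool VPN-POOL 10.0.4.129-10.0.4.254 mask 255.255.255.128

! Object NAT for the VPN pool: source seen on "outside", leaving via "outside".
! "interface" PATs behind the ASA's outside address; substitute a spare public
! IP here if that address must stay reserved for the VPN endpoint itself.
object network VPN-CLIENT-PAT
 subnet 10.0.4.128 255.255.255.128
 nat (outside,outside) dynamic interface

! Split tunnel: only 9.9.9.9 and the internal networks go through the tunnel;
! everything else still uses the client's own Internet connection.
access-list SPLIT-TUNNEL standard permit host 9.9.9.9
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.0.0

group-policy VPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 address-pools value VPN-POOL

! Verification: the flow from the question as the ASA sees it (client packets
! arrive on "outside"). The NAT phase should show the VPN-CLIENT-PAT rule.
packet-tracer input outside tcp 10.0.4.150 12345 9.9.9.9 443 detailed
show run same-security-traffic
show nat detail
show xlate | include 10.0.4.150
```

Two things to check after applying it. First, `show run same-security-traffic` must print the intra-interface line; the inter-interface variant does nothing for this case. Second, run the packet-tracer while a client is actually connected and confirm that a translation for 10.0.4.150 appears in `show xlate`; on releases whose packet-tracer accepts the `decrypted` keyword, add it so the simulated packet is treated as coming out of the tunnel rather than as a plain packet on the outside wire. Note that the intra-interface permit is global: once enabled, any other flow that enters and exits on the same interface is also allowed to hairpin, subject to the interface ACLs.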

2 Replies


Worked perfectly!  Thanks