
VPN IPsec fallback to Internet

Hi all,

I created an IPsec tunnel with NAT-Traversal between our LAN and a remote server (called here remote_vpn) to access the Internet.

The PCs behind the dmz interface use DHCP (in the network range called dmz-network here) and go to the Internet by using the IPsec tunnel.

The tunnel is working most of the time, but when the tunnel goes down (due to a remote server issue), the PCs don't have Internet access at all, although they can use direct Internet access (without going through the IPsec tunnel). Here are the NAT rules I use to allow PCs in the dmz_network range to go through the tunnel:


Section 1

ciscoasa1# sh run nat

nat (dmz,outside) source dynamic dmz-network remote_vpn interface destination static remote_vpn remote_vpn



To allow access when IPsec is down, I manually add the rule below.

But when I add this NAT rule below (in section 3) after the NAT used for the VPN above (section 1), all the traffic goes directly to the Internet and doesn't go through the IPsec tunnel when it is up again.


Section 3 PAT rule:

nat (dmz,outside) after-auto source dynamic dmz-network interface


I would like the PCs to go to the Internet directly when the tunnel is down and then use the tunnel to go to the Internet when the tunnel is up again.

Thanks in advance

