Cisco Support Community
Community Member

cisco asa redirect traffic on public IP to host behind vpn

I have a VPN connection on my cisco asa 5510 device.

Trying to do following:

1) redirect all traffic coming from VPN tunnel on encryption domain (202.x.x.1) of VPN connection to an internet host (like

VPN tunnel ==> encryption domain (202.x.x.1) ==>

2) redirect traffic coming on second public IP (202.x.x.2) from internet, to a host behind VPN (private IP 10.x.x.1)

Internet ==> my public IP (202.x.x.2) ==> VPN tunnel ==> host behind VPN (10.x.x.1)

Is this possible to achieve, if yes kindly share how.

Thanks in advance.

Community Member


Hi Mohit,


As per your statements it seems you have two interfaces connected with internet.

1. To allow traffic from vpn connection (via 202.x.x.1) to you need to add static route for through 202.x.x.2. You can also achieve the same if you enable split tunneling for vpn connections on ASA 5510. Then traffic for internet will not come to ASA 5510; however, it will be sent through remote user's internet connection.


2. For the 2nd scenario you can achieve it by adding an access-list on the second internet interface to allow traffic from the second internet connection to the vpn-connection pool.


Community Member



No, I don't have 2 interfaces connected to internet.

It's only 1 interface (outside) connected to internet, with 1 static public IP + public address pool x.x.x.x/28

And I cannot use split tunnelling because the host behind VPN doesn't have internet (blocked by partner). So the only way to reach it is via my firewall.

I hope the scenario is clear.

Community Member


Where have you configured two public IPs 202.x.x.1 and 202.x.x.2?

Can you share diagram?

Community Member


Also please check if "same-security-traffic permit intra-interface" is enabled on your firewall.

Community Member



I've attached a simple diagram [excuse my drawing skills :) ]

So the goal is to establish a tunnel with peer IPs 165.x.x.146 <==> 212.x.x.123.

Encryption domain IP (or source IP) on cisco asa side will be 203.x.x.143.

10.x.x.70 will send traffic to 203.x.x.134 which should be forwarded to 54.x.x.168 on internet.


Please note 10.x.x.70 does not have internet connectivity; it can send traffic only to 203.x.x.143 via the IPsec tunnel.
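The U-turn in the last post (10.x.x.70 sends to 203.x.x.143 through the tunnel, the ASA forwards it to 54.x.x.168 on the internet out of the same outside interface) can be expressed as the following ASA configuration. This is an added example, not from the thread or from Cisco; it assumes ASA 8.3+ twice-NAT syntax, a single outside interface as the poster describes, and the object names are mine.

```cisco
! Decrypted tunnel traffic enters on "outside" and must leave on "outside"
! again, so hairpinning on the same interface has to be allowed.
same-security-traffic permit intra-interface

! Object names are assumptions; addresses come from the thread.
object network REMOTE_VPN_HOST
 host 10.x.x.70
object network ENC_DOMAIN_IP
 host 203.x.x.143
object network INTERNET_HOST
 host 54.x.x.168

! Twice NAT for packets arriving from the tunnel (real ifc "outside") and
! going back out "outside":
!   - destination 203.x.x.143 (mapped) is rewritten to 54.x.x.168 (real)
!   - source 10.x.x.70 is PATed to the outside interface address so the
!     internet host has a routable return path
nat (outside,outside) source dynamic REMOTE_VPN_HOST interface destination static ENC_DOMAIN_IP INTERNET_HOST

! The crypto ACL must match the traffic as it looks on the wire before NAT
! (peer host -> encryption domain address), not the translated addresses.
access-list PARTNER_CRYPTO extended permit ip host 203.x.x.143 host 10.x.x.70

! Only the traffic the partner is allowed to reach should be permitted in;
! restrict this to the required ports rather than "ip" in production.
access-list OUTSIDE_IN extended permit ip host 10.x.x.70 host 54.x.x.168
access-group OUTSIDE_IN in interface outside
```

Check the translation with `show nat detail` and `packet-tracer input outside tcp 10.x.x.70 1025 203.x.x.143 443` before committing; if the remote host should reach more than one internet destination, each needs its own destination object, since the partner only accepts 203.x.x.143 as the tunnel endpoint.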


