macrospect
Hi all! It's been a long time since I have posted on these forums but I am banging my head against the desk with this one. I was hoping one of you CCNA folks would read this. I have a Cisco ASA with the newest IOS on it and a VPN which is NAT'ed to one of my remote sites. For argument's sake, let's say that the remote site is public and is hosted on the entire 80.x.x.x range. The terminating endpoint for my VPN on the remote end is 80.0.0.1.
Now, my interesting IP traffic for the VPN cryptomap is defined as 80.0.0.0/8 BUT here is where I am stuck. I do NOT want to classify the entire 80.x.x.x range as interesting traffic but instead would like some of the networks in the 80.x.x.x range to go out my typical WAN interface (i.e. do not send this network over the VPN). Say that I want just 80.1.x.x to go out my WAN interface.
So, aside from adding 254 rules into my ASA to define interesting traffic as 80.1.x.x/16, 80.2.x.x/16 and so on, how the heck would this be possible or would it even be possible to do without adding each separate subnet?!
As I said, this is a unique problem for which I lack any answer and my Google-fu has failed on this one. I was thinking if I added a static route, if this would override the crypto map but no idea if this would work. Any answers would be much appreciated!
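The prefix arithmetic behind the question above, as an added example that is not part of the original post: it computes the smallest set of CIDR blocks that covers 80.0.0.0/8 with 80.1.0.0/16 carved out, then renders them as permit entries for the crypto ACL. The ACL name `VPN-ACL` and the local subnet `192.168.10.0/24` are assumptions made for illustration.

```python
import ipaddress

def vpn_prefixes(covering, excluded):
    """Minimal CIDR blocks covering `covering` minus every block in `excluded`."""
    remaining = [ipaddress.ip_network(covering)]
    for ex in map(ipaddress.ip_network, excluded):
        kept = []
        for net in remaining:
            if ex.subnet_of(net):
                # Split net around the excluded block (yields nothing if equal).
                kept.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                continue  # block lies entirely inside the exclusion
            else:
                kept.append(net)  # disjoint, keep unchanged
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))

def crypto_acl(name, local, prefixes):
    """Render one 'permit ip' entry per remote prefix (ASA ACLs take netmasks)."""
    local = ipaddress.ip_network(local)
    return [
        f"access-list {name} extended permit ip "
        f"{local.network_address} {local.netmask} "
        f"{p.network_address} {p.netmask}"
        for p in prefixes
    ]

if __name__ == "__main__":
    # Ranges from the post; ACL name and local subnet are assumed values.
    nets = vpn_prefixes("80.0.0.0/8", ["80.1.0.0/16"])
    for line in crypto_acl("VPN-ACL", "192.168.10.0/24", nets):
        print(line)
```

Passing more than one block in `excluded` carves each of them out in turn, so the same function handles several networks that should leave via the WAN interface.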