• Status: Solved
  • Priority: Medium
  • Security: Public

Cisco VPN Routing Question

Is there a way I can set up a Cisco PIX 501 so that any traffic bound for the Internet goes out the normal connection, any connections going to 10.10.5.x go down the VPN tunnel, but connections going to 10.10.5.2 on port 3389 go through the Internet instead of the VPN tunnel? I think you can do all of this on a router, but I'm not sure about a PIX.
Asked by: onsite_tech

2 Solutions
 
internocCommented:
This is called a static route.
Yes, that is possible.

The good thing about Cisco IOS is that indeed you can include port numbers on the commands to add static routes.

Marc
0
 
onsite_techAuthor Commented:
What would the static route look like? I've done static routes that route outside IP addresses to inside addresses (for port forwarding, essentially), but this would be outgoing...
0
 
msaracenoCommented:
I'm not positive on this, but you can try:
static (inside,outside) tcp 10.10.5.2 3389 10.10.5.2 3389 netmask 255.255.255.255 0 0
0
 
internocCommented:
OK, first set the default route to go out onto the Internet.

Next, you need to know the address of your gateway to the internet, let's call that g1.g2.g3.g4
And you need to know the IP address of the entry to your VPN tunnel, let's call that t1.t2.t3.t4


Your routing would look like

 ! the default route
 ip route 0.0.0.0 0.0.0.0 g1.g2.g3.g4
 ! the remote network, via the tunnel endpoint
 ip route 10.10.5.0 255.255.255.0 t1.t2.t3.t4
 ! a host route for the one machine, via the Internet gateway
 ip route 10.10.5.2 255.255.255.255 g1.g2.g3.g4

To route only port 3389, I would need my notes. I recall a syntax that I used with the setup of a NAT like:
  ip nat inside source static tcp 10.10.5.2 3389 g1.g2.g3.g4 3389 extendable

Try using the syntax composer in IOS (Tab key) to see if you can have the same syntax on ip route instead of ip nat.

On the other hand, would it matter to you if that traffic on port 3389 went through a NAT translation?
If you did it for incoming traffic, just imagine what you would type if you owned the IP address 10.10.5.2 and it were standing in the room next to you. Maybe you have to send the traffic to the gateway address that (if seated at the 10.10.5.2 computer) you would type as the default gateway out (and use the public side of that machine).

This is as far as I get without books.

I hope it helps you.

Marc
0
 
onsite_techAuthor Commented:
Ahhh, I'll look and see if that works correctly.

Also, it turns out that the other end of this tunnel is not NATed at all (the 10.10.5.x address is really a publicly routable address range, with the remote PIX doing no NATing). I'm guessing that won't affect anything?
0
 
internocCommented:
As a matter of fact, it makes things a lot easier if the other side is not running NAT!

Marc
0
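On a PIX, which traffic enters the IPsec tunnel is decided by the crypto map's match address access list rather than by the routing table, and that access list can match TCP ports. The PIX 6.3-style configuration below is an added example, not taken from any of the posts above, showing the carve-out the question asks for: everything to 10.10.5.0/24 is encrypted except TCP 3389 to 10.10.5.2, which is PATed to the outside address and follows the default route. The inside subnet 192.168.1.0/24, the access-list and crypto map names, the transform set and the g1.g2.g3.g4 / p1.p2.p3.p4 placeholders are assumptions; ISAKMP policy and the pre-shared key are assumed to be configured already.

```cisco
! Added example for PIX 6.3 syntax; inside LAN 192.168.1.0/24 is an assumption.
! Crypto ACL: defines tunnel traffic. Entries are evaluated in order, first match wins,
! so the port-specific deny must come before the subnet-wide permit.
access-list VPN_TRAFFIC deny tcp 192.168.1.0 255.255.255.0 host 10.10.5.2 eq 3389
access-list VPN_TRAFFIC permit ip 192.168.1.0 255.255.255.0 10.10.5.0 255.255.255.0

! NAT exemption must mirror the crypto ACL. The PIX matches the crypto ACL after
! translation, so the RDP flow must NOT be exempted: it gets PATed to the outside
! interface address, no longer matches the inside source in VPN_TRAFFIC, and is
! sent in the clear along the default route.
access-list NONAT deny tcp 192.168.1.0 255.255.255.0 host 10.10.5.2 eq 3389
access-list NONAT permit ip 192.168.1.0 255.255.255.0 10.10.5.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Ordinary outbound PAT for everything that is not exempted.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! Single default route; no host route for 10.10.5.2 is needed or useful here.
route outside 0.0.0.0 0.0.0.0 g1.g2.g3.g4 1

! IPsec: the remote PIX is p1.p2.p3.p4 (assumed placeholder).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer p1.p2.p3.p4
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
```

To confirm the split, open an RDP session to 10.10.5.2 and check that `show xlate` shows a PAT entry for the inside host while the `#pkts encaps` counter in `show crypto ipsec sa` does not move; another connection to the same host on a different port should do the opposite. Two caveats: the `deny` in VPN_TRAFFIC is only effective because NONAT carries the same deny, so keep the two lists in step. And since 10.10.5.2 is publicly routable, the remote PIX's outside access list now has to accept TCP 3389 from this PIX's outside address, which exposes RDP on that host to the Internet rather than keeping it inside the tunnel; scope that inbound entry to the one source address rather than `any`.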
