Cisco VPN Routing Question

is there a way i can set up a cisco pix 501 so that any traffic bound for the internet goes out the normal connection, any connections going to 10.10.5.x goes down the VPN tunnel, but connections going to on port 3389 go through the internet instead of the vpn tunnel?  i think you can do all of this on a router but i'm not sure about a PIX.
Who is Participating?
This is called a static route.
Yes, that is possible.

The good thing about Cisco IOS is that indeed you can include PORT numbers on the commands to add static routes.

onsite_techAuthor Commented:
what would the static route look like?  i've done static routes that route outside IP addresses to inside addresses (for port forwarding essentially) but this would be outgoing...
im not positive on this but you can try
static (inside,outside) netmask 0 0
Network Scalability - Handle Complex Environments

Monitor your entire network from a single platform. Free 30 Day Trial Now!

ok, first set the default rout to go out onto the internet.

Next, you need to know the address of your gateway to the internet, let's call that g1.g2.g3.g4
And you need to know the IP address of the entry to your VPN tunnel, let's call that t1.t2.t3.t4

Your routing would look like

 IP ROUTE g1.g2.g3.g4   which is the default route
 IP ROUTE t1.t2.t3.t4
 IP ROUTE g1.g2.g3.g4

To route only port 3389, i would need my notes.  I recall a syntax that I used with the setup of a NAT like:
  IP NAT inside source static tcp 3389 g1.g2.g3.g4 3389 extendable

Try by using the syntax composer in IOS (tab key) if you can have the same syntax on IP ROUTE instead of IP NAT.

On the other hand.. would it matter to you if that traffic on port 3389 went thru a NAT translation ?
If you did it for incoming traffic, just imagine what you would type if you owned the IP address and if it were standing in the room next to you.  Maybe you have to send traffic onto the gateway address that (if seated at the computer) you would type as default gateway out.  (and use the public side of that machine)

This is as far as I get without books,

I hope it helps you.

onsite_techAuthor Commented:
ahhh, i'll look and see if that works correctly.

Also, it turns out that the other end of this tunnel is not NAT'ed at all (the 10.10.5.x address is really a public routeable address range with the remote PIX doing no NAT'ing).  i'm guessing that that wont affect anything?
As a matter of fact, it makes things a lot easier if the other side is not running NAT !

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.