Cisco VPN Routing Question

Posted on 2005-05-10
Last Modified: 2013-11-16
Is there a way I can set up a Cisco PIX 501 so that any traffic bound for the internet goes out the normal connection, any connections going to 10.10.5.x go down the VPN tunnel, but connections going to on port 3389 go through the internet instead of the VPN tunnel?  I think you can do all of this on a router but I'm not sure about a PIX.
Question by:onsite_tech

    Accepted Solution

    This is called a static route.
    Yes, that is possible.

    The good thing about Cisco IOS is that indeed you can include PORT numbers on the commands to add static routes.


    Author Comment

    What would the static route look like?  I've done static routes that route outside IP addresses to inside addresses (for port forwarding, essentially), but this would be outgoing...

    Assisted Solution

    I'm not positive on this, but you can try
    static (inside,outside) netmask 0 0

    Expert Comment

    OK, first set the default route to go out onto the internet.

    Next, you need to know the address of your gateway to the internet, let's call that g1.g2.g3.g4
    And you need to know the IP address of the entry to your VPN tunnel, let's call that t1.t2.t3.t4

    Your routing would look like

     IP ROUTE g1.g2.g3.g4   which is the default route
     IP ROUTE t1.t2.t3.t4
     IP ROUTE g1.g2.g3.g4

    To route only port 3389, I would need my notes.  I recall a syntax that I used with the setup of a NAT like:
      IP NAT inside source static tcp 3389 g1.g2.g3.g4 3389 extendable

    Try by using the syntax composer in IOS (tab key) if you can have the same syntax on IP ROUTE instead of IP NAT.

    On the other hand... would it matter to you if that traffic on port 3389 went through a NAT translation?
    If you did it for incoming traffic, just imagine what you would type if you owned the IP address and if it were standing in the room next to you.  Maybe you have to send traffic onto the gateway address that (if seated at the computer) you would type as default gateway out.  (and use the public side of that machine)

    This is as far as I get without books,

    I hope it helps you.


    Author Comment

    Ahhh, I'll look and see if that works correctly.

    Also, it turns out that the other end of this tunnel is not NAT'ed at all (the 10.10.5.x address is really a publicly routable address range, with the remote PIX doing no NAT'ing).  I'm guessing that won't affect anything?

    Expert Comment

    As a matter of fact, it makes things a lot easier if the other side is not running NAT !
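    As an added example that is not from any of the posters above: on a PIX 501 (PIX OS 6.3), which has no policy routing, the requirement in the question is met by the traffic selectors rather than by static routes. Both the crypto ACL and the NAT exemption ACL carry a deny for tcp/3389 to 10.10.5.x, so RDP falls through to the outside PAT and the default route while everything else to 10.10.5.x is encrypted. Assumed values: the inside LAN 192.168.1.0/24, the ACL, transform-set and crypto map names, the pre-shared key placeholder, and the thread's own g1.g2.g3.g4 (ISP gateway) and t1.t2.t3.t4 (VPN peer); that the exemption ACL honours the port in its deny line is an assumption to confirm on the running release.

```cisco
! Added example for a PIX 501 / PIX OS 6.3. Constructed values: inside LAN
! 192.168.1.0/24, ACL and map names, the pre-shared key placeholder.
! g1.g2.g3.g4 = ISP gateway, t1.t2.t3.t4 = remote VPN peer (from the thread).

! Default route: anything not caught by the tunnel leaves via the ISP gateway.
route outside 0.0.0.0 0.0.0.0 g1.g2.g3.g4 1

! Interesting traffic for the tunnel. ACEs are evaluated in order, so the deny
! for tcp/3389 is hit before the permit and RDP is never encrypted.
access-list VPN_TRAFFIC deny tcp 192.168.1.0 255.255.255.0 10.10.5.0 255.255.255.0 eq 3389
access-list VPN_TRAFFIC permit ip 192.168.1.0 255.255.255.0 10.10.5.0 255.255.255.0

! NAT exemption mirrors the selector: tunnelled flows keep their private
! source address; the excluded RDP flows fall through to nat 1 and are PATed
! to the outside interface address before the default route sends them out.
access-list NO_NAT deny tcp 192.168.1.0 255.255.255.0 10.10.5.0 255.255.255.0 eq 3389
access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 10.10.5.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! IKE phase 1 (assumed: pre-shared key, AES, SHA-1, DH group 2).
isakmp enable outside
isakmp key REPLACE_WITH_PSK address t1.t2.t3.t4 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2

! IPsec phase 2 bound to the selector above.
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN_TRAFFIC
crypto map VPNMAP 10 set peer t1.t2.t3.t4
crypto map VPNMAP 10 set transform-set AES_SHA
crypto map VPNMAP interface outside
```

    Check it with show crypto ipsec sa (non-RDP flows to 10.10.5.x should be counted as encrypted) and show xlate (an RDP session to 10.10.5.x should show a PAT entry, not an untranslated one). Because 10.10.5.x is public and not NATed at the far end, the remote PIX also has to accept RDP in the clear from this PIX's outside address.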
