Cisco ASA routing VPN traffic to the internet
We wanted to establish an IPsec site-to-site VPN between a Cisco ASA and a Sophos XG. The Sophos properly routed the traffic into the tunnel, but the Cisco didn't. It seemed like the VPN traffic was routed to the Internet, because a
tracert showed a public IP address.
The solution was very simple: We just forgot to tick the NAT Exempt checkbox in the list of the connection profiles.
As far as I understand this, this is because the VPN connection is bound to an interface, where a default NAT rule might apply. Ticking this checkbox creates NAT exemption rules, preventing the default rule to apply.
Published on 2022-06-04, 09:36 +0000