topic Re: Route lookup for AnyConnect traffic in Network Security

Route lookup for AnyConnect traffic

zexinfinite — Fri, 06 Mar 2020 02:08:39 GMT

Hi all,

We are using AnyConnect on Cisco ASA, but we use the gateway on core switch instead of ASA.

I'm curious to know does ASA perform RPF check even it's not the next hop for the traffic?

Because I've confirmed the traffic is pass on packet tracer, and VPN client already have secure route to gateway.

But I can not access destination before I add static route on Cisco ASA.

Does ASA perform RPF check even it's not the next hop for the traffic?

SSLVPN Client >>> Cisco ASA >>> Core switch (VPN gateway, same subnet as ASA inside interface) >>>Destination

Re: Route lookup for AnyConnect traffic

johnd2310 — Fri, 06 Mar 2020 03:03:10 GMT

Hi,

The ASA will perform RPF for all traffic passing through the interfaces specified. If the ASA does not have a route to the source that matches the interface, RPF will fail. In your case, i am guessing you are using tunneled gateway for your vpn traffic but the return traffic from the destination has no reverse route in the ASA

Thanks

John

Re: Route lookup for AnyConnect traffic

Cristian Matei — Fri, 06 Mar 2020 19:31:38 GMT

Hi,

It has nothing to do with RPF check in here. Once the packet gets decrypted by the ASA, it will have a source IP of something from the VPN POOL and a destination IP of whatever private resource the user wants to access and has access to. For the data plane to work:

- the ASA needs a route for all internal prefixes towards the core switch

- the core switch needs a route for the VPN pool range towards the ASA

Regards,

Cristian Matei.