topic route inside 0.0.0.0 0.0.0.0 tunneled in Network Security

route inside 0.0.0.0 0.0.0.0 tunneled

mahesh18 — Tue, 12 Mar 2019 03:28:16 GMT

Hi Everyone,

On ASA which is running RA VPN.

Why we will use this command

route inside 0.0.0.0 0.0.0.0 x.x.x.x tunneled?

Regards

Mahesh

route inside 0.0.0.0 0.0.0.0 tunneled

Jouni Forss — Fri, 10 Jan 2014 17:22:21 GMT

Hi Mahesh,

To my understanding a "tunneled" "route" is simply meant to tell the ASA to forward all traffic inbound from a VPN connection straight to another device.

We for example use this on an ASA Failover pair that is simply meant to serve as a VPN device. This "tunneled" default route forwards all traffic from the VPN connections to an actual Firewall device (ASA too) that handles NAT/ACL and other things.

It provides an easy way to define a separate default route for the traffic incoming from VPN connections towards internal networks since the device itself needs the normal default route for the VPN connections return traffic which are formed from the external network.

- Jouni

route inside 0.0.0.0 0.0.0.0 tunneled

mahesh18 — Fri, 10 Jan 2014 17:30:41 GMT

Hi Jouni,

What if tunneled traffic goes to Switch instead of the ASA?

Regards'

MAhesh

route inside 0.0.0.0 0.0.0.0 tunneled

Jon Marshall — Fri, 10 Jan 2014 17:31:36 GMT

Mahesh

It used to set the default tunnel gateway for VPN traffic. So in effect it allows you to have two default routes on your ASA ie. if a packet arrives at the ASA the routing table is consulted. If there is no specific match then if there is a default route it will be used.

But you may want your VPN traffic to use a different default route than your non VPN traffic. If you add the "tunneled" option then that default route only applies to encrpyted traffic arriving on the ASA. This means you can have two default routes, one for VPN traffic only and one for non VPN traffic.

Jon

route inside 0.0.0.0 0.0.0.0 tunneled

Jouni Forss — Fri, 10 Jan 2014 17:35:47 GMT

Hi,

What do you mean?

The "route 0 0 tunneled" is meant to forward traffic from VPN to some other device that routes it again to the correct destination.

I imagine you mean that your route points to a L3 switch doing routing?

- Jouni

route inside 0.0.0.0 0.0.0.0 tunneled

mahesh18 — Fri, 10 Jan 2014 17:37:44 GMT

Hi Jouni,

Let me dig more

will get back to you.

Regards

MAhesh

route inside 0.0.0.0 0.0.0.0 tunneled

mahesh18 — Fri, 10 Jan 2014 18:01:15 GMT

Hi Jon & Jouni,

It has

sh run route

route outside 0.0.0.0 0.0.0.0 200.x.x.x 1

route inside 10.0.0.0 2.0.0.0 192.168.50.1 1

route inside 172.16.0.0 255.240.0.0 192.168.50.1 1

route inside 192.168.0.0 255.255.0.0 192.168.50.1 1

route inside 0.0.0.0 0.0.0.0 192.168.50.1 tunneled

I traced where route outside goes to Internet ASA---then to outside world.

route inside 192.168.50.1 -- this is Interface IP of another ASA.

If your at home connects to Company VPN then the encrypted traffic where he needs to access the company network

say subnet 172.16.0.0 will arrive encrypted and will use 192.168.50.1 which is not tunneled right?

this traffic from VPN ASA to Internal ASA will not be encrypted right?

if he need to access route which is either not 172 or 192 say then it will use tunneled to reach Internal ASA and that traffic will be encrypted right?

Regards

Mahesh

route inside 0.0.0.0 0.0.0.0 tunneled

Jouni Forss — Fri, 10 Jan 2014 18:12:20 GMT

Hi,

According to what you tell us it seems to me that this device is also a VPN ASA only? I mean that its used for VPN purposes only while there is another ASA behind it in the internal network that does the actual firewalling (NAT/ACL/etc)?

To my understanding the VPN Client/User connected to this ASA will use the Static routes for the specific networks if the user tries to connect some destination address mentioned by those routes. If it doesnt match those static routes then it will use the "tunneled" default route. But since the gateway is the same that means traffic from the VPN connections are always forwarded to the device 192.168.50.1

The traffic from the VPN ASA to the Internal ASA wont be encrypted.

The "tunneled" parameter doesnt mean that the traffic is encrypted. It just refers to the fact the "route" command used is used to forward traffic incoming from a VPN connection.

- Jouni

route inside 0.0.0.0 0.0.0.0 tunneled

Jon Marshall — Fri, 10 Jan 2014 18:13:18 GMT

Mahesh

Here you have a default route for non VPN traffic ie. general internet access and this points to next hop reachable via the outside interface. But you want to send any VPN traffic to a different destination ie. 192.168.50.1 which is another ASA.

The way i understand this is that if you connect via VPN to the ASA then once the traffic is decrypted it will use the "tunneled" route to send traffic to the internal ASA.

As far as i know all VPN traffic is decrypted on the first ASA ie. no traffic is sent on as encrypted traffic and you can check this because i suspect your internal ASA is not terminating any VPNs. But the ASA knows that the traffic arrived encrypted so once it has decrypted it it then uses the "tunneled" route to send it on to the internal ASA.

Otherwise it would try and use it's other default route and obviously in your setup all VPN traffic should go via the internal ASA.

Jon

route inside 0.0.0.0 0.0.0.0 tunneled

mahesh18 — Fri, 10 Jan 2014 20:36:39 GMT

Hi Jouni,

Yes it is VPN asa only.

You understood correctly.

Thanks for explaining me.

Seems i can not do my job without your help!

Regards

Mahesh

route inside 0.0.0.0 0.0.0.0 tunneled

mahesh18 — Fri, 10 Jan 2014 20:38:50 GMT

Many thanks Jon for explaining me in clear and precise manner.

Best Regards

MAhesh

Re: route inside 0.0.0.0 0.0.0.0 tunneled

george.prica — Thu, 28 Sep 2017 11:00:36 GMT

Hello Guys,

we have a customer who wants just to route vpn traffic from a specific subnet to another device, not all the vpn traffic. I've twisted my brain and I could not think of something good now.

Do you have any ideas?

Thank you.

George

Re: route inside 0.0.0.0 0.0.0.0 tunneled

MicJameson1 — Tue, 24 Jan 2023 16:09:45 GMT

"If you add the "tunneled" option then that default route only applies to encrypted traffic arriving on the ASA."

...arriving only externally, or also internally going external?