Solved: Default route for internet access breaks VPN

twernet@vernox.com · ‎09-05-2023

Hello All,

I have a cisco ASA 5525. I have two site to site VPN tunnels and AnyConnect VPN clients connecting and working fine. However when I tried to add a default route out "route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX" (Gateway past my ASA) it breaks my VPN connection. I am sure I am missing something stupid. I don't get the chance to configure the NAT rule before the VPN's crash. My scrubbed config is below. Any help would be greatly appreciated.

: Saved

:
: Serial Number: xxxxxxxxx
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
: Written by xxxxxxxx at 13:27:01.942 UTC Tue Sep 5 2023
!
ASA Version 9.8(2)
!
hostname ciscoasa
enable password X.X.X
names
ip local pool XXXX_Prod 10.10.xx.xx-10.10.xx.xx mask 255.255.255.0
ip local pool XXXX_Admin 10.100.xx.xx-10.100.xx.xx mask 255.255.255.0

!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
nameif XXXX_Prod
security-level 100
ip address 10.10.xx.xx 255.255.255.0
!
interface GigabitEthernet0/2
nameif XXXX_MGMT
security-level 100
ip address 10.100.xx.xx 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.2 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.100.xx.248_29
subnet 10.100.xx.248 255.255.255.248
object network NETWORK_OBJ_10.10.xx.64_26
subnet 10.10.xx.64 255.255.255.192
object network NETWORK_OBJ_192.168.207.0_24
subnet 192.168.207.0 255.255.255.0
object network NETWORK_OBJ_10.10.xx.0_24
subnet 10.10.xx.0 255.255.255.0
object network NETWORK_OBJ_10.10.20.0_24
subnet 10.10.20.0 255.255.255.0
access-list Split-Tunneling standard permit 10.10.xx.0 255.255.255.0
access-list AdminSplitTunnel standard permit 10.100.xx.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip 10.10.xx.0 255.255.255.0 192.168.xxx.0 255.255.255.0
access-list Outside_cryptomap_2 extended permit ip 10.10.xx.0 255.255.255.0 10.101.xx.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu XXXX_Prod 1500
mtu XXXX_MGMT 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (XXXX_MGMT,Outside) source static any any destination static NETWORK_OBJ_10.100.xx.248_29 NETWORK_OBJ_10.100.xx.248_29 no-proxy-arp route-lookup
nat (XXXX_Prod,Outside) source static any any destination static NETWORK_OBJ_10.10.xx.64_26 NETWORK_OBJ_10.10.xx.64_26 no-proxy-arp route-lookup
nat (XXXX_MGMT,Outside) source static any any destination static NETWORK_OBJ_10.10.xx.64_26 NETWORK_OBJ_10.10.xx.64_26 no-proxy-arp route-lookup
nat (XXXX_MGMT,Outside) source static NETWORK_OBJ_10.10.xx.0_24 NETWORK_OBJ_10.10.xx.0_24 destination static NETWORK_OBJ_192.168.xxx.0_24 NETWORK_OBJ_192.168.xxx.0_24 no-proxy-arp route-lookup
nat (XXXX_MGMT,Outside) source static NETWORK_OBJ_10.10.xx.0_24 NETWORK_OBJ_10.10.xx.0_24 destination static NETWORK_OBJ_10.101.xx.0_24 NETWORK_OBJ_10.10.20.0_24 no-proxy-arp route-lookup
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.100.xx.0 255.255.255.0 XXXX_MGMT
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set Cradlepoint2 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set Cradlepoint esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map1 1 match address Outside_cryptomap_1
crypto map Outside_map1 1 set pfs group5
crypto map Outside_map1 1 set peer xxx.xxx.xxx.xxx
crypto map Outside_map1 1 set ikev1 transform-set Cradlepoint2
crypto map Outside_map1 2 match address Outside_cryptomap_2
crypto map Outside_map1 2 set pfs group5
crypto map Outside_map1 2 set peer xxx.xxx.xxx.xxx
crypto map Outside_map1 2 set ikev1 transform-set Cradlepoint
crypto map Outside_map1 interface Outside
crypto ca trustpool policy
crypto ikev1 enable Outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
telnet timeout 5
ssh stricthostkeycheck
ssh 10.100.xx.0 255.255.255.0 XXXX_MGMT
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access XXXX_MGMT
dhcp-client client-id interface Outside
dhcpd address 192.168.1.3-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Outside
anyconnect image disk0:/anyconnect-win-4.10.02086-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_XXXX_Admin internal
group-policy GroupPolicy_XXXX_Admin attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value AdminSplitTunnel
default-domain none
group-policy GroupPolicy_XXXX_Prod internal
group-policy GroupPolicy_XXXX_Prod attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunneling
default-domain none
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
password-policy minimum-length 14
password-policy minimum-changes 1
password-policy minimum-lowercase 1
password-policy minimum-uppercase 1
password-policy minimum-numeric 1
password-policy minimum-special 1
password-policy username-check
password-policy reuse-interval 2
username test1 password X.X.X
tunnel-group XXXX_Prod type remote-access
tunnel-group XXXX_Prod general-attributes
address-pool XXXX_Prod
default-group-policy GroupPolicy_XXXX_Prod
tunnel-group XXXX_Prod webvpn-attributes
group-alias XXXX_Prod enable
tunnel-group XXXX_Admin type remote-access
tunnel-group XXXX_Admin general-attributes
address-pool XXXX_Admin
default-group-policy GroupPolicy_XXXX_Admin
tunnel-group XXXX_Admin webvpn-attributes
group-alias XXXX_Admin enable
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx general-attributes
default-group-policy GroupPolicy2
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
ikev1 pre-shared-key XXXXXXXXXXXXX
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx general-attributes
default-group-policy GroupPolicy1
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
ikev1 pre-shared-key XXXXXXXXXXXXXX
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5b1ff2ba30066af9cd7b2645f4bb1dcb
: end

Rob Ingram · ‎09-06-2023

twernet@vernox.com hard to tell from your configuration what network is what.

You'd need a NAT exemption rule similar to below (just reference network objects that reflect your LAN (inside) network and the VPN ip pool.

nat (XXXX_Prod,Outside) source static PROD-LAN PROD-LAN destination static PROD-IP-POOL PROD-IP-POOL

FYI, You should ensure you VPN IP pool is not within the same network as the LAN network.

View solution in original post

Rob Ingram · ‎09-05-2023

twernet@vernox.com you don't need to explicitly configure a default route via the outside interface because you've got "ip address dhcp setroute" configured on the outside interface, therefore the default route will dynamically be learnt.

If the VPNs are already working, then surely routing is working? So why do you need to change the default route?

twernet@vernox.com · ‎09-05-2023

Hey Rob,

Thanks for the quick response. I did not think it would learn the next hope past the outside interface with out the gateway IP. If this is the case I am assuming a NAT rule from inside to outside traffic will be all I need?

Rob Ingram · ‎09-06-2023

twernet@vernox.com hard to tell from your configuration what network is what.

You'd need a NAT exemption rule similar to below (just reference network objects that reflect your LAN (inside) network and the VPN ip pool.

nat (XXXX_Prod,Outside) source static PROD-LAN PROD-LAN destination static PROD-IP-POOL PROD-IP-POOL

FYI, You should ensure you VPN IP pool is not within the same network as the LAN network.

twernet@vernox.com · ‎09-07-2023

Thank you Rob, everything is working as expected.