cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

242
Views
0
Helpful
3
Replies
Whoops
Beginner

How to block outgoing traffic when VPN goes down?

Hello
We have an ASA5510 v9.1.(7)32 at branch with configured IKEv2 site-to-site VPN to Head office.

All traffic goes through VPN.

ISP give an ip-address by DHCP with 4 gateways (yes, multiple), that randomly changes. Some of them reachable via ICMP, some no.

Via security reasons we have to block all outgoing traffic when VPN goes down. At routers there was VTI, so config be like: ip route 0.0.0.0 0.0.0.0 Tunnel0, but in this version of ASA we have no VTI, EEM.
I tried to block outgoing traffic by acl outside-out, but it also block traffic through VPN.

 

Here is parts of config:

 

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.9
 vlan 9
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object-group network obj-nat-inside
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
!
access-list outside_cryptomap_1 extended permit ip object-group obj-nat-inside any4 
!
logging host inside 192.168.2.2
!
icmp permit host 192.168.2.2 inside
!
route inside 10.1.1.0 255.255.255.0 192.168.3.2 1
route inside 10.1.2.0 255.255.255.0 192.168.3.2 1
!
http 192.168.2.0 255.255.255.0 inside
snmp-server host inside 192.168.2.2 community 8 encr version 2c
snmp-server community 8 encr
!
crypto map outside_map 1 match address outside_cryptomap_1 crypto map outside_map 1 set peer 2.2.2.2 crypto map outside_map interface outside ! ssh 192.168.2.0 255.255.255.0 inside ! management-access inside ! ntp server 192.168.2.2 source inside ! group-policy GroupPolicy_2.2.2.2 internal group-policy GroupPolicy_2.2.2.2 attributes vpn-tunnel-protocol ikev2 default-domain value corp.domain tunnel-group 2.2.2.2 type ipsec-l2l tunnel-group 2.2.2.2 general-attributes default-group-policy GroupPolicy_2.2.2.2 tunnel-group 2.2.2.2 ipsec-attributes ikev2 remote-authentication pre-shared-key 8 encr ikev2 local-authentication pre-shared-key 8 encr

I can't add static route with track, cause multiple gateways from ISP.

Can't add static route to via VPN GW (2.2.2.2), cause in that case there is no icmp, snmp, logging, ntp to ASA (SSH, ASDM works):

 

route outside 10.0.0.0 255.0.0.0 2.2.2.2 1 track 1
route outside 172.16.0.0 255.240.0.0 2.2.2.2 1 track 1
route outside 192.168.0.0 255.255.0.0 2.2.2.2 1 track 1
route inside 10.0.0.0 255.0.0.0 192.168.3.0 50 !fake routes to blocking
route inside 172.16.0.0 255.240.0.0 192.168.3.0 50 
route inside 192.168.0.0 255.255.0.0 192.168.3.0 50 
!
sla monitor 1
 type echo protocol ipIcmpEcho 2.2.2.2 interface outside
 num-packets 2
 timeout 2000
 threshold 2000
 frequency 5
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability

 

Also I tried to add dhcp client route track 1 in e0/0, but in that case VPN goes down, cause have no route to peer.

 

 

 

# sh ip address outside dhcp lease
Temp default-gateway addr: 1.1.1.251
...
# sh ip address outside dhcp lease
Temp default-gateway addr: 1.1.1.254
...
# sh ip address outside dhcp lease
Temp default-gateway addr: 1.1.1.252

 

 

So... how to block outgoing traffic if VPN goes down with multiple gateways via DHCP?

 

 

3 REPLIES 3
Marius Gunnerud
VIP Advisor

From the looks of it you have NAT configured.  Remove NAT and you will prevent users from reaching the internet when VPN is down.

--
Please remember to select a correct answer and rate helpful posts

NAT is for selective public hosts only.

Task is preventing all traffic, not only internet - SNMP traps from inside, non-secured connections, and others.

 

Without VPN ISP can capture outgoing requests. Removing NAT will not protect from this.

 

As long as the IP between the ASA and ISP is a public IP traffic will not be routed out to the internet as private IPs are not routable on the internet.

Do you need a default route on your ASA for any other routing?  if not you could set static routes for the remote VPN gateway and then use reverse route injection for the VPNs.  This will take the crypto ACL you use for the VPN and dynamically add a route in the routing table.  So if the VPN is removed the route is also removed.

under the crypto map use the set reverse-route command

 

If this is not an option you could upgrade to 9.7+ where you will receive the VTI and can use that interface in your routing commands.

--
Please remember to select a correct answer and rate helpful posts
Content for Community-Ad