How to block outgoing traffic when VPN goes down?

Whoops
Level 1

Hello
We have an ASA 5510 running 9.1(7)32 at a branch with an IKEv2 site-to-site VPN configured to the head office.

All traffic goes through VPN.

The ISP gives an IP address by DHCP with 4 gateways (yes, multiple), which change randomly. Some of them are reachable via ICMP, some are not.

For security reasons we have to block all outgoing traffic when the VPN goes down. On routers there was VTI, so the config would be like: ip route 0.0.0.0 0.0.0.0 Tunnel0, but in this version of ASA we have no VTI or EEM.
I tried to block outgoing traffic with an ACL on outside-out, but it also blocks traffic through the VPN.

Here are parts of the config:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.9
 vlan 9
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object-group network obj-nat-inside
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
!
access-list outside_cryptomap_1 extended permit ip object-group obj-nat-inside any4 
!
logging host inside 192.168.2.2
!
icmp permit host 192.168.2.2 inside
!
route inside 10.1.1.0 255.255.255.0 192.168.3.2 1
route inside 10.1.2.0 255.255.255.0 192.168.3.2 1
!
http 192.168.2.0 255.255.255.0 inside
snmp-server host inside 192.168.2.2 community 8 encr version 2c
snmp-server community 8 encr
!
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map interface outside
!
ssh 192.168.2.0 255.255.255.0 inside
!
management-access inside
!
ntp server 192.168.2.2 source inside
!
group-policy GroupPolicy_2.2.2.2 internal
group-policy GroupPolicy_2.2.2.2 attributes
 vpn-tunnel-protocol ikev2
 default-domain value corp.domain
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
 default-group-policy GroupPolicy_2.2.2.2
tunnel-group 2.2.2.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key 8 encr
 ikev2 local-authentication pre-shared-key 8 encr

I can't add a static route with track, because of the multiple gateways from the ISP.

I can't add static routes via the VPN GW (2.2.2.2) either, because in that case there is no ICMP, SNMP, logging, or NTP to the ASA (SSH and ASDM work):

route outside 10.0.0.0 255.0.0.0 2.2.2.2 1 track 1
route outside 172.16.0.0 255.240.0.0 2.2.2.2 1 track 1
route outside 192.168.0.0 255.255.0.0 2.2.2.2 1 track 1
! fake routes for blocking
route inside 10.0.0.0 255.0.0.0 192.168.3.0 50
route inside 172.16.0.0 255.240.0.0 192.168.3.0 50
route inside 192.168.0.0 255.255.0.0 192.168.3.0 50
!
sla monitor 1
 type echo protocol ipIcmpEcho 2.2.2.2 interface outside
 num-packets 2
 timeout 2000
 threshold 2000
 frequency 5
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability

I also tried to add "dhcp client route track 1" on e0/0, but in that case the VPN goes down, because there is no route to the peer.

# sh ip address outside dhcp lease
Temp default-gateway addr: 1.1.1.251
...
# sh ip address outside dhcp lease
Temp default-gateway addr: 1.1.1.254
...
# sh ip address outside dhcp lease
Temp default-gateway addr: 1.1.1.252

So... how do I block outgoing traffic if the VPN goes down, with multiple gateways via DHCP?

Accepted Solution

Whoops
Level 1

There are only 2 solutions:

1. Ask the ISP to use only one BRAS for that branch.

2. Connect the link to the ISP via a switch/etc. with an applied ACL blocking gray-net traffic.

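The second option, worked out as an added example that is not part of the original thread: an outbound ACL on the switch port facing the ISP that passes only IKEv2 and ESP to the HQ peer (2.2.2.2, the peer from the post) and drops anything destined to the RFC 1918 ranges in the clear. Cisco IOS syntax is assumed, on a Layer 3 switch with a routed uplink port; the ACL name BLOCK-GRAY-NETS and the interface GigabitEthernet0/1 are made-up names. Because the ASA encrypts the inside-to-HQ traffic into ESP packets whose outer destination is 2.2.2.2, those pass the ACL; when the tunnel is down the same flows leave the ASA unencrypted with private destinations and hit the deny lines.

```text
! Constructed example: ACL on the switch between ASA outside (e0/0) and the ISP.
! IKEv2 (UDP 500), NAT-T (UDP 4500) and ESP to the HQ peer stay open so the
! tunnel itself can come up and carry traffic.
ip access-list extended BLOCK-GRAY-NETS
 remark --- tunnel control and data plane to HQ peer 2.2.2.2 ---
 permit udp any host 2.2.2.2 eq isakmp
 permit udp any host 2.2.2.2 eq non500-isakmp
 permit esp any host 2.2.2.2
 remark --- cleartext to private ranges: this is what escapes when the VPN is down ---
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark --- ASA DHCP client, NATed public-host traffic etc. ---
 permit ip any any
!
interface GigabitEthernet0/1
 description Uplink to ISP (ASA e0/0 is on the other port)
 ip access-group BLOCK-GRAY-NETS out
```

To confirm it is doing its job, shut the tunnel on the ASA and check "show ip access-lists BLOCK-GRAY-NETS" on the switch: the deny lines should start counting matches while the ESP line stops. Note the caveat that this only stops traffic with private destinations; anything the ASA NATs toward public destinations still leaves in the clear, which is why the post's first option (a single BRAS, so the ASA can track one gateway) is the more complete fix.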

4 Replies

From the looks of it you have NAT configured. Remove NAT and you will prevent users from reaching the internet when the VPN is down.

--
Please remember to select a correct answer and rate helpful posts

NAT is for selective public hosts only.

The task is preventing all traffic, not only internet: SNMP traps from inside, non-secured connections, and others.

Without the VPN the ISP can capture outgoing requests. Removing NAT will not protect against this.

 

As long as the IP between the ASA and the ISP is a public IP, traffic will not be routed out to the internet, as private IPs are not routable on the internet.

Do you need a default route on your ASA for any other routing? If not, you could set static routes for the remote VPN gateway and then use reverse route injection for the VPNs. This will take the crypto ACL you use for the VPN and dynamically add a route in the routing table, so if the VPN is removed the route is also removed.

Under the crypto map, use the set reverse-route command.

 

If this is not an option you could upgrade to 9.7+ where you will receive the VTI and can use that interface in your routing commands.

--
Please remember to select a correct answer and rate helpful posts
