We have an ASA5510 v9.1.(7)32 at branch with configured IKEv2 site-to-site VPN to Head office.
All traffic goes through VPN.
ISP give an ip-address by DHCP with 4 gateways (yes, multiple), that randomly changes. Some of them reachable via ICMP, some no.
Via security reasons we have to block all outgoing traffic when VPN goes down. At routers there was VTI, so config be like: ip route 0.0.0.0 0.0.0.0 Tunnel0, but in this version of ASA we have no VTI, EEM.
I tried to block outgoing traffic by acl outside-out, but it also block traffic through VPN.
Here is parts of config:
interface Ethernet0/0 nameif outside security-level 0 ip address dhcp setroute ! interface Ethernet0/1 no nameif no security-level no ip address ! interface Ethernet0/1.9 vlan 9 nameif inside security-level 100 ip address 192.168.3.1 255.255.255.0 ! same-security-traffic permit inter-interface same-security-traffic permit intra-interface ! object-group network obj-nat-inside network-object 10.1.1.0 255.255.255.0 network-object 10.1.2.0 255.255.255.0 network-object 192.168.3.0 255.255.255.0 ! access-list outside_cryptomap_1 extended permit ip object-group obj-nat-inside any4 ! logging host inside 192.168.2.2 ! icmp permit host 192.168.2.2 inside ! route inside 10.1.1.0 255.255.255.0 192.168.3.2 1 route inside 10.1.2.0 255.255.255.0 192.168.3.2 1 ! http 192.168.2.0 255.255.255.0 inside snmp-server host inside 192.168.2.2 community 8 encr version 2c snmp-server community 8 encr !
crypto map outside_map 1 match address outside_cryptomap_1 crypto map outside_map 1 set peer 220.127.116.11 crypto map outside_map interface outside ! ssh 192.168.2.0 255.255.255.0 inside ! management-access inside ! ntp server 192.168.2.2 source inside ! group-policy GroupPolicy_18.104.22.168 internal group-policy GroupPolicy_22.214.171.124 attributes vpn-tunnel-protocol ikev2 default-domain value corp.domain tunnel-group 126.96.36.199 type ipsec-l2l tunnel-group 188.8.131.52 general-attributes default-group-policy GroupPolicy_184.108.40.206 tunnel-group 220.127.116.11 ipsec-attributes ikev2 remote-authentication pre-shared-key 8 encr ikev2 local-authentication pre-shared-key 8 encr
I can't add static route with track, cause multiple gateways from ISP.
Can't add static route to via VPN GW (18.104.22.168), cause in that case there is no icmp, snmp, logging, ntp to ASA (SSH, ASDM works):
route outside 10.0.0.0 255.0.0.0 22.214.171.124 1 track 1 route outside 172.16.0.0 255.240.0.0 126.96.36.199 1 track 1 route outside 192.168.0.0 255.255.0.0 188.8.131.52 1 track 1 route inside 10.0.0.0 255.0.0.0 192.168.3.0 50 !fake routes to blocking route inside 172.16.0.0 255.240.0.0 192.168.3.0 50 route inside 192.168.0.0 255.255.0.0 192.168.3.0 50 ! sla monitor 1 type echo protocol ipIcmpEcho 184.108.40.206 interface outside num-packets 2 timeout 2000 threshold 2000 frequency 5 sla monitor schedule 1 life forever start-time now ! track 1 rtr 1 reachability
Also I tried to add dhcp client route track 1 in e0/0, but in that case VPN goes down, cause have no route to peer.
# sh ip address outside dhcp lease Temp default-gateway addr: 220.127.116.11 ... # sh ip address outside dhcp lease Temp default-gateway addr: 18.104.22.168 ... # sh ip address outside dhcp lease Temp default-gateway addr: 22.214.171.124
So... how to block outgoing traffic if VPN goes down with multiple gateways via DHCP?
From the looks of it you have NAT configured. Remove NAT and you will prevent users from reaching the internet when VPN is down.
NAT is for selective public hosts only.
Task is preventing all traffic, not only internet - SNMP traps from inside, non-secured connections, and others.
Without VPN ISP can capture outgoing requests. Removing NAT will not protect from this.
As long as the IP between the ASA and ISP is a public IP traffic will not be routed out to the internet as private IPs are not routable on the internet.
Do you need a default route on your ASA for any other routing? if not you could set static routes for the remote VPN gateway and then use reverse route injection for the VPNs. This will take the crypto ACL you use for the VPN and dynamically add a route in the routing table. So if the VPN is removed the route is also removed.
under the crypto map use the set reverse-route command
If this is not an option you could upgrade to 9.7+ where you will receive the VTI and can use that interface in your routing commands.