01-10-2014 09:11 AM - edited 03-11-2019 08:28 PM
Hi Everyone,
On an ASA that is running RA VPN, why would we use this command?
route inside 0.0.0.0 0.0.0.0 x.x.x.x tunneled
Regards
Mahesh
01-10-2014 09:22 AM
Hi Mahesh,
To my understanding a "tunneled" "route" is simply meant to tell the ASA to forward all traffic inbound from a VPN connection straight to another device.
We for example use this on an ASA Failover pair that is simply meant to serve as a VPN device. This "tunneled" default route forwards all traffic from the VPN connections to an actual Firewall device (ASA too) that handles NAT/ACL and other things.
It provides an easy way to define a separate default route for the traffic incoming from VPN connections towards internal networks since the device itself needs the normal default route for the VPN connections return traffic which are formed from the external network.
- Jouni
01-10-2014 09:30 AM
Hi Jouni,
What if the tunneled traffic goes to a switch instead of the ASA?
Regards
Mahesh
01-10-2014 09:35 AM
Hi,
What do you mean?
The "route 0 0
I imagine you mean that your route points to a L3 switch doing routing?
- Jouni
01-10-2014 09:37 AM
Hi Jouni,
Let me dig more; I will get back to you.
Regards
Mahesh
09-28-2017 04:00 AM
Hello Guys,
We have a customer who wants to route only the VPN traffic from a specific subnet to another device, not all of the VPN traffic. I've racked my brain and could not come up with anything good so far.
Do you have any ideas?
Thank you.
George
01-10-2014 09:31 AM
Mahesh
It is used to set the default tunnel gateway for VPN traffic. So in effect it allows you to have two default routes on your ASA, i.e. if a packet arrives at the ASA the routing table is consulted. If there is no specific match then, if there is a default route, it will be used.
But you may want your VPN traffic to use a different default route than your non-VPN traffic. If you add the "tunneled" option then that default route only applies to encrypted traffic arriving on the ASA. This means you can have two default routes, one for VPN traffic only and one for non-VPN traffic.
Jon
01-10-2014 10:01 AM
Hi Jon & Jouni,
It has:
sh run route
route outside 0.0.0.0 0.0.0.0 200.x.x.x 1
route inside 10.0.0.0 255.0.0.0 192.168.50.1 1
route inside 172.16.0.0 255.240.0.0 192.168.50.1 1
route inside 192.168.0.0 255.255.0.0 192.168.50.1 1
route inside 0.0.0.0 0.0.0.0 192.168.50.1 tunneled
I traced where the outside route goes: to the Internet ASA, then to the outside world.
The inside routes via 192.168.50.1: this is the interface IP of another ASA.
If a user at home connects to the company VPN, then the encrypted traffic for the company network he needs to access,
say subnet 172.16.0.0, will arrive encrypted and will use 192.168.50.1, which is not tunneled, right?
This traffic from the VPN ASA to the internal ASA will not be encrypted, right?
If he needs to access a route which is neither 172 nor 192, say, then it will use the tunneled route to reach the internal ASA, and that traffic will be encrypted, right?
Regards
Mahesh
01-10-2014 10:12 AM
Hi,
According to what you tell us, it seems to me that this device is also a VPN-only ASA? I mean that it is used for VPN purposes only, while there is another ASA behind it in the internal network that does the actual firewalling (NAT/ACL/etc.)?
To my understanding, the VPN client/user connected to this ASA will use the static routes for the specific networks if the user tries to connect to some destination address covered by those routes. If it doesn't match those static routes then it will use the "tunneled" default route. But since the gateway is the same, that means traffic from the VPN connections is always forwarded to the device 192.168.50.1.
The traffic from the VPN ASA to the internal ASA won't be encrypted.
The "tunneled" parameter doesn't mean that the traffic is encrypted. It just refers to the fact that the "route" command is used to forward traffic incoming from a VPN connection.
- Jouni
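The lookup order Jouni describes above (specific static routes first, then the "tunneled" default only for traffic that arrived through a VPN tunnel, then the ordinary default) is easy to misjudge from the config alone, so here is an added example, not part of the original thread and not Cisco code, that models it in Python over the route table Mahesh posted. The outside gateway 203.0.113.1 is a constructed stand-in for the redacted 200.x.x.x, the 10.0.0.0 mask is taken as 255.0.0.0, route metrics are ignored, and the two sanity checks in load_routes (only one tunneled route, only on 0.0.0.0/0) are assumptions of this model. The same block illustrates Jon's point further down that the tunneled route is consulted only for decrypted tunnel traffic, never for inside-originated traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    iface: str
    network: ipaddress.IPv4Network
    next_hop: str
    tunneled: bool = False


def parse_route(line: str) -> Route:
    """Parse one 'route <iface> <net> <mask> <gw> [metric] [tunneled]' line."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a route line: {line!r}")
    iface, net, mask, gw = parts[1:5]
    return Route(iface, ipaddress.IPv4Network(f"{net}/{mask}"), gw,
                 tunneled="tunneled" in parts[5:])


def load_routes(config: str) -> List[Route]:
    """Parse every 'route' line and apply two sanity checks (model assumptions):
    'tunneled' is only meaningful on 0.0.0.0/0, and there can be one such route."""
    routes = [parse_route(l) for l in config.splitlines() if l.strip().startswith("route ")]
    tunneled = [r for r in routes if r.tunneled]
    if any(r.network.prefixlen != 0 for r in tunneled):
        raise ValueError("'tunneled' is only accepted on a 0.0.0.0/0 route in this model")
    if len(tunneled) > 1:
        raise ValueError("only one tunneled default route is allowed in this model")
    return routes


def lookup(routes: List[Route], dst: str, from_vpn: bool) -> Optional[Route]:
    """Simplified ASA forwarding decision for a packet to dst.

    from_vpn=True means the packet was just decrypted from a VPN tunnel.
    1. Longest-prefix match among the specific (non-default) static routes.
    2. No match and the packet came from a tunnel: the tunneled default, if any.
    3. Otherwise the ordinary default route, or None if there is no route.
    """
    addr = ipaddress.IPv4Address(dst)
    specific = [r for r in routes
                if not r.tunneled and r.network.prefixlen > 0 and addr in r.network]
    if specific:
        return max(specific, key=lambda r: r.network.prefixlen)
    if from_vpn:
        for r in routes:
            if r.tunneled:
                return r
    for r in routes:
        if not r.tunneled and r.network.prefixlen == 0:
            return r
    return None


# Constructed from the 'sh run route' output in the thread (gateway redacted there).
ASA_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 192.168.50.1 1
route inside 172.16.0.0 255.240.0.0 192.168.50.1 1
route inside 192.168.0.0 255.255.0.0 192.168.50.1 1
route inside 0.0.0.0 0.0.0.0 192.168.50.1 tunneled
"""

ROUTES = load_routes(ASA_CONFIG)
# The same table with the tunneled default removed, to show what it buys you.
ROUTES_NO_TUNNELED = [r for r in ROUTES if not r.tunneled]


if __name__ == "__main__":
    cases = [("172.16.5.10", True), ("8.8.8.8", True), ("8.8.8.8", False)]
    for dst, from_vpn in cases:
        r = lookup(ROUTES, dst, from_vpn)
        print(f"{dst:>12} from_vpn={from_vpn!s:5} -> {r.iface} via {r.next_hop}"
              f"{' (tunneled)' if r.tunneled else ''}")
    r = lookup(ROUTES_NO_TUNNELED, "8.8.8.8", True)
    print(f"without tunneled route, VPN client to 8.8.8.8 -> {r.iface} via {r.next_hop}")
```

The last line of the demo is the check worth keeping in mind: take the tunneled route away and a remote user's traffic to any destination outside the three RFC 1918 routes is sent straight back out the outside interface, bypassing the internal ASA that is supposed to apply NAT and ACLs to it.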
01-10-2014 12:36 PM
Hi Jouni,
Yes, it is a VPN-only ASA.
You understood correctly.
Thanks for explaining it to me.
Seems I cannot do my job without your help!
Regards
Mahesh
01-10-2014 10:13 AM
Mahesh
Here you have a default route for non-VPN traffic, i.e. general internet access, and this points to a next hop reachable via the outside interface. But you want to send any VPN traffic to a different destination, i.e. 192.168.50.1, which is another ASA.
The way I understand this is that if you connect via VPN to the ASA then, once the traffic is decrypted, it will use the "tunneled" route to send traffic to the internal ASA.
As far as I know all VPN traffic is decrypted on the first ASA, i.e. no traffic is sent on as encrypted traffic, and you can check this because I suspect your internal ASA is not terminating any VPNs. But the ASA knows that the traffic arrived encrypted, so once it has decrypted it, it then uses the "tunneled" route to send it on to the internal ASA.
Otherwise it would try to use its other default route, and obviously in your setup all VPN traffic should go via the internal ASA.
Jon
01-10-2014 12:38 PM
Many thanks Jon for explaining it to me in a clear and precise manner.
Best Regards
Mahesh
01-24-2023 08:09 AM
"If you add the "tunneled" option then that default route only applies to encrypted traffic arriving on the ASA."
...arriving only externally, or also internally going external?