03-05-2020 06:08 PM
Hi all,
We are using AnyConnect on a Cisco ASA, but we use the gateway on the core switch instead of the ASA.
I'm curious to know: does the ASA perform an RPF check even if it's not the next hop for the traffic?
Because I've confirmed the traffic passes in packet tracer, and the VPN client already has a secure route to the gateway.
But I cannot access the destination until I add a static route on the Cisco ASA.
Does the ASA perform an RPF check even if it's not the next hop for the traffic?
SSLVPN Client >>> Cisco ASA >>> Core switch (VPN gateway, same subnet as ASA inside interface) >>> Destination
03-05-2020 07:02 PM - edited 03-05-2020 07:03 PM
Hi,
The ASA will perform RPF for all traffic passing through the interfaces specified. If the ASA does not have a route to the source that matches the interface, RPF will fail. In your case, I am guessing you are using a tunneled gateway for your VPN traffic, but the return traffic from the destination has no reverse route in the ASA.
Thanks
John
03-06-2020 11:31 AM
Hi,
It has nothing to do with the RPF check here. Once the packet gets decrypted by the ASA, it will have a source IP from the VPN pool and a destination IP of whatever private resource the user wants to access and has access to. For the data plane to work:
- the ASA needs a route for all internal prefixes towards the core switch
- the core switch needs a route for the VPN pool range towards the ASA
Regards,
Cristian Matei.
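The two routes listed above, as an added configuration example (not part of the original thread or of either poster's setup). All addresses are assumptions for illustration: ASA inside interface 10.1.1.2/24, core switch SVI 10.1.1.1 on the same subnet, AnyConnect pool 10.200.0.0/24, and internal networks summarised as 10.0.0.0/8.

```text
! --- ASA side (ASA CLI) ---
! Forward path: decrypted AnyConnect traffic (source 10.200.0.x) must be routed
! out the inside interface toward the core switch. Without this, the ASA has no
! route to the private destination and drops the packet after decryption.
route inside 10.0.0.0 255.0.0.0 10.1.1.1

! Alternative for the ASA side only: a tunneled default route applies solely to
! traffic arriving from VPN tunnels, so it does not change routing for the
! rest of the ASA's traffic.
! route inside 0.0.0.0 0.0.0.0 10.1.1.1 tunneled

! Check that the ASA resolves the destination via inside (10.0.5.20 is an assumed host):
! show route 10.0.5.20

! --- Core switch side (IOS CLI) ---
! Return path: replies to 10.200.0.x must go back to the ASA's inside interface.
! The core switch is the gateway for the internal hosts, so it, not the ASA,
! is where this route is needed.
ip route 10.200.0.0 255.255.255.0 10.1.1.2

! Check the return route on the core switch:
! show ip route 10.200.0.10
```

The pool prefix should also be excluded from any NAT or ACL on the core switch that would otherwise treat 10.200.0.0/24 as an unknown source; the symptom of a missing return route is exactly what the original post describes (packet tracer on the ASA succeeds, yet the client gets no reply).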