VPN client Secure Routes

mahesh18
Level 6

Hi Everyone,

When I use a full VPN tunnel on RA VPN, and on the client PC we click on Status > Statistics > Secure Route, it shows the entries below:

Network     Mask
0.0.0.0     0.0.0.0

I need to know: does this mean that the RA VPN connection can come from any IP address and it can access any network behind the VPN ASA?

Regards

MAhesh

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

The secure routes just specify the destination networks to which traffic is sent through your active VPN Client connection. Since you are using Full Tunnel VPN it means that ALL traffic is tunneled, whatever the destination network might be. The 0.0.0.0/0 is simply meant to reference "any" destination network.

If you changed the VPN Client connection's configuration to use Split Tunnel then this 0.0.0.0/0 would change to contain only the networks you mention in the Split Tunnel ACL.

The Client will only be able to communicate with the LAN networks with the IP address that's assigned to it by the ASA, or by some DHCP server if you have configured the ASA in that way.

What the VPN Client can access on the LAN depends on other configurations on the ASA.

You might for example have configured NAT0 from a certain LAN network to the VPN pool network and this would already mean that this LAN network would be the only network it might potentially be able to access. Naturally if you have some NAT0 configuration that does NAT0 for all your LAN networks towards the VPN pool then it's likely that the Clients can access any LAN network.

The connections which are allowed to the VPN user are usually restricted with the use of VPN Filter ACLs that can be attached to the "group-policy" configuration. This ACL would act as an ACL that only applies to the VPN connections of the users that connect with some connection that uses this VPN Filter, or the "group-policy" might also be attached to the LOCAL username of the VPN Client user and in that way restrict his/her access.

Then there's another way to control the VPN user traffic which I like more than the VPN Filter ACL, at least for L2L VPN connections.

There is a default setting like this:

sysopt connection permit-vpn

It's a default setting and doesn't show up when you look at the CLI configuration normally.

You can issue this command to see it:

show run all sysopt

Though this will show other settings also.

The default setting of "sysopt connection permit-vpn" means that the interface ACL of the interface where the VPN user connects to on the ASA will be bypassed by all traffic from the VPN Client.

On the other hand if you were to change the setting to "no sysopt connection permit-vpn" then the VPN Client would no longer bypass the interface ACL and you could allow or deny traffic from the VPN Clients (to LAN networks for example) as you saw fit.

And the interface ACL I mean in the above is the one on the interface where the VPN configuration is attached and whose IP address the user connects to with the VPN Client. This would be the external interface, which is typically called "outside" if you are using the default "nameif".

- Jouni
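The following ASA configuration fragment is an added example, not part of Jouni's answer or the thread. It puts the three controls from the answer side by side: a split-tunnel ACL (which replaces the 0.0.0.0/0 secure route on the client), a vpn-filter on the group-policy, and the "no sysopt connection permit-vpn" alternative with an interface ACL. All names and addresses (RA_POLICY, VPN_POOL, 10.20.0.0/24 as the pool, 10.10.10.0/24 as the one LAN the users may reach) are constructed, and 8.3+ syntax is assumed for the NAT exemption.

```cisco
! Added example; constructed names/addresses, ASA 8.3+ syntax assumed.
! 10.20.0.0/24 = VPN pool, 10.10.10.0/24 = only LAN the RA users should reach.

! 1) Split tunnel: only this network is tunneled, so the client's Secure Routes
!    list shows 10.10.10.0 / 255.255.255.0 instead of 0.0.0.0 / 0.0.0.0.
access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0

! 2) VPN Filter: applies only to sessions that land on this group-policy.
!    Assumption: ACEs use the VPN client address as source and the LAN host as
!    destination; verify the vpn-filter direction rules for your release.
access-list VPN_FILTER extended permit tcp 10.20.0.0 255.255.255.0 10.10.10.0 255.255.255.0 eq 443
access-list VPN_FILTER extended deny ip any any log

ip local pool VPN_POOL 10.20.0.1-10.20.0.254 mask 255.255.255.0

group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value VPN_FILTER

! NAT exemption ("NAT0") only for the LAN the clients are meant to reach;
! a LAN without an exemption is simply not reachable from the pool.
object network LAN_NET
 subnet 10.10.10.0 255.255.255.0
object network VPN_POOL_NET
 subnet 10.20.0.0 255.255.255.0
nat (inside,outside) source static LAN_NET LAN_NET destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup

! Weak default (implicit; visible only with "show run all sysopt"):
!   sysopt connection permit-vpn
! -> decrypted VPN client traffic bypasses the "outside" interface ACL entirely.

! 3) Alternative from the answer: stop the bypass so the outside ACL also
!    polices decrypted client traffic. It must then permit what clients need.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp 10.20.0.0 255.255.255.0 10.10.10.0 255.255.255.0 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

With both the vpn-filter and "no sysopt connection permit-vpn" in place, client traffic has to pass both ACLs; pick one as the primary control to keep troubleshooting simple.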


2 Replies

Hi Jouni,

I will go through this post slowly in the coming days; I will be studying about L2 VPN.

Best regards

Mahesh
