
Prefix length and VPN on a stick

jdcoder36
Level 1

I currently have a remote "VPN on a stick" configuration set up on an ASA's "outside" interface that provides access to 2 networks on the same side. Hosts are set up in a split tunnel configuration so that only the 134.23/16 and 166.43/16 network traffic is sent to the VPN.

Example: (IPs changed)

(PRIVATE) -- ASA --router------------------- (Internet)  ----  Host (any ip) (anyconnect)
                                   |
                                   |------ 134.23.0.0/16
                                   |
                                   |------ 166.43.0.0/16 -------
                                                                      |
                                                                   router
                                                                      |
                                                                      ---------166.43.1.0/24-----
                                                                                                         |
                                                                                                         |
                                                                                                         ------ Host (166.43.1.3) (anyconnect)

Tunnel access-list:

access-list tunnel standard permit 166.43.0.0 255.255.0.0
access-list tunnel standard permit 134.23.0.0 255.255.0.0

Even though users can connect from the Internet, the configuration does not provide access to the Internet from the VPN (only access to the two other networks). The problem is that if a host connects from one of the two networks allowed by the VPN but from a "more specific" subnet in that network, the client will follow normal routing rules and not pass traffic through the VPN, because the prefix length is longer on the 166.43.1/24 subnet. I am able to add the following configuration to the tunnel to force traffic through the VPN, but this would have to be done for all subnets with a longer prefix than the first two.

access-list tunnel standard permit 166.43.1.0 255.255.255.0

Is there a way to have the AnyConnect VPN client force traffic destined for a network through the tunnel regardless of a more specific route that may exist on the client's machine? (This is done so that the traffic is encrypted, even if the client can connect to the desired machine without the VPN.)

Thanks!
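The routing behaviour described in the post (a directly connected /24 beating the /16 installed for the split tunnel, and the more specific ACL entry closing the gap) can be checked with a small model of the client's route table. This is an added example, not code from the thread or from Cisco; the interface labels, metrics (tunnel routes at metric 1, LAN routes at metric 10, so that the tunnel wins a tie on prefix length, as the poster observed after adding the /24) and the sample destinations are constructed assumptions, and real AnyConnect clients install their routes according to the host OS, which this model does not reproduce. It also prints the ASA `access-list tunnel standard permit` lines that would be needed for each connected subnet that is more specific than a tunneled network, which is the manual step the post describes.

```python
"""Model of longest-prefix-match route selection on a split-tunnel VPN client.

Added example (not from the Cisco Community thread). Standard library only.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str   # "tunnel" or "lan" (constructed labels)
    metric: int      # lower wins when prefix lengths tie


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Ordinary host behaviour: longest prefix first, then lowest metric."""
    dst_ip = IPv4Address(dst)
    candidates = [r for r in table if dst_ip in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def build_table(acl: List[str], connected: List[str]) -> List[Route]:
    """Default route and connected subnets via the LAN, split-tunnel networks via the tunnel.

    Assumed metrics: tunnel 1, LAN 10 (constructed for this model).
    """
    table = [Route(IPv4Network("0.0.0.0/0"), "lan", 10)]
    table += [Route(IPv4Network(c), "lan", 10) for c in connected]
    table += [Route(IPv4Network(n), "tunnel", 1) for n in acl]
    return table


def leaked_destinations(table: List[Route], acl: List[str], probes: List[str]) -> List[str]:
    """Destinations inside a tunneled network that would nevertheless leave via the LAN.

    Destinations outside every ACL network are skipped: under split tunnel they are
    meant to use the local Internet path, so they are not leaks.
    """
    tunneled = [IPv4Network(n) for n in acl]
    leaks = []
    for dst in probes:
        if not any(IPv4Address(dst) in net for net in tunneled):
            continue
        route = lookup(table, dst)
        if route is None or route.interface != "tunnel":
            leaks.append(dst)
    return leaks


def missing_acl_entries(acl: List[str], connected: List[str]) -> List[str]:
    """Connected subnets that are strictly more specific than a tunneled network.

    These are the extra entries the split-tunnel ACL needs so the tunnel route can
    at least tie the connected route on prefix length.
    """
    tunneled = [IPv4Network(n) for n in acl]
    missing = []
    for c in connected:
        cn = IPv4Network(c)
        if cn in tunneled:
            continue
        if any(cn.subnet_of(t) and cn.prefixlen > t.prefixlen for t in tunneled):
            missing.append(str(cn))
    return missing


def acl_lines(networks: List[str], name: str = "tunnel") -> List[str]:
    """Render networks in the ASA standard ACL syntax used in the post."""
    return [
        f"access-list {name} standard permit {n.network_address} {n.netmask}"
        for n in map(IPv4Network, networks)
    ]


# Constructed scenario mirroring the post: two /16 split-tunnel networks and a
# client sitting on the 166.43.1.0/24 subnet.
ACL = ["166.43.0.0/16", "134.23.0.0/16"]
CONNECTED = ["166.43.1.0/24"]
PROBES = ["166.43.1.10", "166.43.5.10", "134.23.7.1", "8.8.8.8"]

if __name__ == "__main__":
    before = build_table(ACL, CONNECTED)
    print("leaks before:", leaked_destinations(before, ACL, PROBES))
    extra = missing_acl_entries(ACL, CONNECTED)
    print("add to ACL:")
    for line in acl_lines(extra):
        print("  " + line)
    after = build_table(ACL + extra, CONNECTED)
    print("leaks after:", leaked_destinations(after, ACL, PROBES))
```

Running it shows one leak before (the same-subnet host 166.43.1.10 goes out the LAN while 166.43.5.10 and 134.23.7.1 use the tunnel), the single `access-list tunnel standard permit 166.43.1.0 255.255.255.0` line that closes it, and no leaks after. The `missing_acl_entries` function is the part a practitioner would extend: feed it the list of subnets the clients actually connect from and it produces the ACL entries the post says must otherwise be maintained by hand.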

3 Replies

Jennifer Halim
Cisco Employee

Do you need to configure split tunnel, or can you route everything via the VPN, even Internet traffic?

If you disable split tunnel, then all traffic will be routed via the VPN tunnel when they are connected.

Split tunnel is setup, and for performance reasons we only tunnel traffic for the two /16 networks.

What is the VPN client pool that you assigned to the AnyConnect?