AnyConnect VPN end user traffic

Robin.Wang2020
Level 1

Dear Friends, 

I am facing a problem, please help me here. I configured AnyConnect VPN on an ASA 5508-X.

The ASA inside interface IP address is 10.16.5.20/24, and there is a route "route inside 10.0.0.0 255.0.0.0 10.16.5.1"; that is the SVI of VLAN 5 in the core switch.

In the ASA, I give the VPN users IP addresses 10.16.6.10--10.16.6.254/24. Right now end users can get an IP address and access our inside server, but I am confused here: what is the end users' default gateway? For example, I am a VPN user and I get IP address 10.16.6.10. I want to access 10.16.80.80; where is the traffic going to? Since I didn't give any VLAN for 10.16.6.0/24, how does the core switch know where to go for 10.16.6.10?

Thanks in advance.

 


4 Replies

@Robin.Wang2020

The RAVPN user traffic would be tunnelled to the ASA and routed as per the ASA's routing table, so it would match "route inside 10.0.0.0 255.0.0.0 10.16.5.1" and the packets would be routed to the core switch.

You may not have an explicit route for the 10.16.6.0/24 network, but the core switch has a default route which would be the ASA, so the core switch really does not need a specific route as traffic would go to the ASA anyway.
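The two-hop routing decision described in this reply, as an added Python model that is not part of the thread: only the "route inside 10.0.0.0 255.0.0.0 10.16.5.1" entry and the addresses come from the post; the core switch's default route to the ASA, a 10.16.80.0/24 SVI for the server, and the per-client host route the ASA holds for a connected AnyConnect user are assumptions of this example.

```python
import ipaddress

# Constructed routing tables for the two hops in the thread. Entries marked
# "assumed" are not from the post; the 10.0.0.0/8 entry is the one quoted above.
ASA_ROUTES = [
    ("10.16.5.0/24",  "connected inside"),
    ("10.0.0.0/8",    "10.16.5.1"),         # route inside 10.0.0.0 255.0.0.0 10.16.5.1
    ("10.16.6.10/32", "vpn-tunnel"),        # assumed: host route for the connected client
]
CORE_ROUTES = [
    ("10.16.5.0/24",  "connected vlan5"),
    ("10.16.80.0/24", "connected vlan80"),  # assumed: SVI for the server subnet
    ("0.0.0.0/0",     "10.16.5.20"),        # assumed: default route to the ASA inside IP
]
TABLES = {"ASA": ASA_ROUTES, "core": CORE_ROUTES}
VPN_POOL = ipaddress.ip_network("10.16.6.0/24")

def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return None if best is None else (str(best[0]), best[1])

def trace(src, dst, max_hops=8):
    """Return the hop-by-hop path a packet from src to dst takes in this model."""
    hops = []
    # A VPN client has no on-link neighbours: everything enters the tunnel to the ASA,
    # which is why the client never needs a 10.16.6.0/24 gateway on the core.
    if ipaddress.ip_address(src) in VPN_POOL:
        hops.append("client -> tunnel -> ASA")
        device = "ASA"
    else:
        device = "core"
    for _ in range(max_hops):
        match = lookup(TABLES[device], dst)
        if match is None:
            hops.append(f"{device}: no route to {dst}")
            return hops
        prefix, nexthop = match
        hops.append(f"{device}: {dst} matches {prefix} via {nexthop}")
        if nexthop == "10.16.5.1":       # ASA hands the packet to the core SVI
            device = "core"
        elif nexthop == "10.16.5.20":    # core's default route hands it back to the ASA
            device = "ASA"
        else:                            # connected network or the VPN tunnel: delivered
            return hops
    hops.append("hop limit reached (ASA/core bouncing)")
    return hops
```

Tracing 10.16.6.10 to 10.16.80.80 and the return direction shows the forward packet leaving the ASA via 10.16.5.1 and the reply reaching the ASA through the core's default route, where the client's host route sends it into the tunnel.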

Robin.Wang2020
Level 1

 Rob Ingram

 

Thanks a lot, I understand better, but there is an issue: right now I couldn't ping 10.16.5.20, the inside interface of the ASA. I could ping other IP addresses in the same subnet like 10.16.5.10.

I mean when I log in to VPN and get IP address 10.16.6.10. 

@Robin.Wang2020 by default you cannot ping a far interface, so if you are behind the outside interface then you cannot ping the inside interface. The only exception to this is if connected to a VPN, in which case you need to configure the command "management-access <inside interface name>".


Yes, you are right. 

 

Really appreciate it.