06-23-2023 05:00 AM - edited 06-23-2023 05:01 AM
The ASA routed packets for VPN clients that are no longer connected.
In our case via the default route and in the direction of the Internet.
The ASA knows the IP ranges for the VPN clients and has a table of which VPN client is connected.
Is there a possibility that the ASA drops the packet of a client without VPN session instead of routing it via default route outside?
routing table:
asa# sh route static
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF
Gateway of last resort is xxx.xxx.xxx.254 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via xxx.xxx.xxx.254, outside (Internet)
V xxx.xxx.xxx.105 255.255.255.255 connected by VPN (advertised), outside
V xxx.xxx.xxx.106 255.255.255.255 connected by VPN (advertised), outside
V xxx.xxx.xxx.107 255.255.255.255 connected by VPN (advertised), outside
V xxx.xxx.xxx.108 255.255.255.255 connected by VPN (advertised), outside
S 0.0.0.0 0.0.0.0 [255/0] via xxx.xxx.xxx.78, inside tunneled (For connected VPN Clients)
Best regards
06-23-2023 05:10 AM
S* 0.0.0.0 0.0.0.0 [1/0] via xxx.xxx.xxx.254, outside (Internet)
S 0.0.0.0 0.0.0.0 [255/0] via xxx.xxx.xxx.78, inside tunneled (For connected VPN Clients)
Only the traffic for VPN uses the default route via .78;
the other traffic will use the default route via .254.
06-23-2023 05:22 AM
I am talking about packets which are sent from non-VPN clients, for example a server, toward VPN clients which are disconnected. We would like to drop these packets. These packets follow the route via .254.
06-23-2023 05:35 AM
ASA will drop packets for an inactive VPN, not forward them via .254.
06-23-2023 05:44 AM
but it does. I see the packet on the Firewall Logs toward the internet.
06-23-2023 05:47 AM
Firewall log specifying public IP of anyconnect ?
If yes
Then compare it with public IP of active anyconnect
Show vpn-sessiondb
06-23-2023 06:37 AM
No I see the *private* Assigned IP of the anyconnect client
06-23-2023 06:54 AM - edited 06-23-2023 06:55 AM
Show vpn-sessiondb anyconnect
Check the private IP with the log: are the VPN sessions active or inactive (not shown in sessiondb)?
06-23-2023 06:56 AM
The VPN sessions are inactive (not shown in sessiondb anyconnect).
06-23-2023 07:08 AM - edited 06-26-2023 01:54 AM
Show route
Did you see
V <anyconnect private IP> outside
we can add
route OUT <anyconnect subnet pool mask /24> null0
but this has no effect if
the VPN is inactive but the ASA doesn't remove the "V" route of the anyconnect host from the routing table.
06-26-2023 12:35 AM
The V <anyconnect private IP> outside (inactive VPN client) is not in the routing table. So the packet follows the default route toward internet.
06-26-2023 12:40 AM
@Iglu18 try defining a null route for the summary network of the anyconnect IP pool to drop the traffic. https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/configuration/general/asa-919-general-config/route-static.html#ID-2105-00000017
06-26-2023 12:54 AM - edited 06-26-2023 01:53 AM
Then use this as workaround as
route OUT <anyconnect subnet pool mask /24> null0
06-26-2023 01:47 AM
After that the routing is as follows. If there is an active VPN client the packet will be routed into the tunnel. If the VPN client is disconnected, the packet will be routed to the null0 interface. Correct?
06-26-2023 01:55 AM
Correct, the ASA selects the longest match.
If anyconnect is active its route will be /32, and if we add /24 to null0 then the ASA will select /32.
When anyconnect is inactive its route will disappear and the ASA will select /24 to null0.
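The longest-match behaviour the thread ends on can be checked offline. The following script is an added example, not code from the thread or from Cisco: it models the ASA's static table (the S* default toward the Internet, the per-client /32 "V" routes that appear and disappear with the session, and the optional /24 null0 route for the pool) and runs longest-prefix lookups. The pool 203.0.113.0/24, the Internet next hop 198.51.100.254 and the active client .105 are constructed documentation values standing in for the xxx.xxx.xxx.* addresses the poster masked; the tunneled default route via .78 is omitted because it only applies to decrypted traffic from connected clients.

```python
import ipaddress

# Constructed values (the thread masks the real ones as xxx.xxx.xxx.*):
ANYCONNECT_POOL = ipaddress.ip_network("203.0.113.0/24")  # assumed client pool
INTERNET_NEXT_HOP = "198.51.100.254"                      # assumed S* next hop


def build_table(active_clients, null_route_pool=False):
    """Model the static routing table shown in the thread.

    Each entry is (network, action). The ASA installs a /32 'V' route for
    every connected VPN client and withdraws it when the session ends; the
    /24 null0 entry is the workaround the thread proposes.
    """
    table = [(ipaddress.ip_network("0.0.0.0/0"),
              f"forward via {INTERNET_NEXT_HOP} (outside, Internet)")]
    for ip in active_clients:
        table.append((ipaddress.ip_network(f"{ip}/32"), "forward into VPN tunnel"))
    if null_route_pool:
        table.append((ANYCONNECT_POOL, "drop (null0)"))
    return table


def lookup(table, dst):
    """Longest-prefix match: the matching entry with the longest mask wins."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, action) for net, action in table if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def leaked_addresses(table, pool=ANYCONNECT_POOL):
    """Pool addresses whose packets would leave toward the Internet.

    Useful as a quick check that the null route covers every address a
    disconnected client could have held.
    """
    return [str(h) for h in pool.hosts() if "Internet" in lookup(table, h)]


if __name__ == "__main__":
    active = ["203.0.113.105"]
    for null_route in (False, True):
        table = build_table(active, null_route_pool=null_route)
        print(f"null0 route for pool: {null_route}")
        for dst in ("203.0.113.105", "203.0.113.106", "192.0.2.1"):
            print(f"  {dst:15} -> {lookup(table, dst)}")
        print(f"  pool addresses leaking to Internet: {len(leaked_addresses(table))}")
```

Without the null route every pool address that has no session falls through to the S* default and leaves on the outside interface, which is the behaviour the poster saw in the firewall logs; with the /24 null0 entry only the /32 of a connected client is more specific, so active clients still go into the tunnel and everything else in the pool is dropped.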