
ASA Routing about VPN Client

Iglu18
Level 1

The ASA routes packets for VPN clients that are no longer connected.
In our case, via the default route, towards the Internet.

The ASA knows the IP ranges for the VPN clients and has a table of which VPN clients are connected.
Is there a way for the ASA to drop the packets for a client without a VPN session instead of routing them via the default route to the outside?

routing table:

asa# sh route static

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF
Gateway of last resort is xxx.xxx.xxx.254 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via xxx.xxx.xxx.254, outside (Internet)
V xxx.xxx.xxx.105 255.255.255.255 connected by VPN (advertised), outside
V xxx.xxx.xxx.106 255.255.255.255 connected by VPN (advertised), outside
V xxx.xxx.xxx.107 255.255.255.255 connected by VPN (advertised), outside
V xxx.xxx.xxx.108 255.255.255.255 connected by VPN (advertised), outside
S 0.0.0.0 0.0.0.0 [255/0] via xxx.xxx.xxx.78, inside tunneled (For connected VPN Clients)

Best regards

 

1 Accepted Solution

Then use this as a workaround:

route OUT <anyconnect subnet pool mask /24> null0

14 Replies

S* 0.0.0.0 0.0.0.0 [1/0] via xxx.xxx.xxx.254, outside (Internet)

S 0.0.0.0 0.0.0.0 [255/0] via xxx.xxx.xxx.78, inside tunneled (For connected VPN Clients) 


Only VPN traffic uses the default route via .78;
all other traffic uses the default route via .254.

Iglu18
Level 1

I am talking about packets sent from non-VPN clients, for example a server, towards VPN clients that are disconnected. We would like to drop these packets. These packets follow the route via .254.

The ASA will drop packets for an inactive VPN client, not forward them via .254.

But it does. I see the packets in the firewall logs heading towards the Internet.

Does the firewall log show the public IP of the AnyConnect client?

If yes,

then compare it with the public IPs of the active AnyConnect sessions:

show vpn-sessiondb

No, I see the *private* assigned IP of the AnyConnect client.

show vpn-sessiondb anyconnect

Check the private IPs from the log against it: are those VPN clients active or inactive (not shown in vpn-sessiondb)?

The VPN clients are inactive (not shown in vpn-sessiondb anyconnect).

show route

Did you see

V <anyconnect private IP> outside

We can add
route OUT <anyconnect subnet pool mask /24> null0

but this will have no effect if
the VPN is inactive but the ASA does not remove the "V" route of the AnyConnect host from the routing table.

The V <anyconnect private IP> outside route (inactive VPN client) is not in the routing table. So the packet follows the default route towards the Internet.

@Iglu18 try defining a null route for the summary network of the anyconnect IP pool to drop the traffic. https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/configuration/general/asa-919-general-config/route-static.html#ID-2105-00000017

 

Then use this as a workaround:

route OUT <anyconnect subnet pool mask /24> null0

After that the routing is as follows: if there is an active VPN client, the packet will be routed into the tunnel. If the VPN client is disconnected, the packet will be routed to the null0 interface. Correct?

Correct, the ASA selects the longest match.

If the AnyConnect client is active, its route will be a /32, and we add the /24 to null0, so the ASA will select the /32.

When the AnyConnect client is inactive, its route will disappear and the ASA will select the /24 to null0.
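Worked illustration of the longest-match behaviour the last replies describe. This is an added example written for this page, not code from the thread or from Cisco: it is a small Python model of the ASA routing table, not ASA configuration. The addresses are constructed from the RFC 5737 documentation ranges in place of the masked xxx.xxx.xxx values, the AnyConnect pool is assumed to be a /24 as in the workaround, and the "tunneled" default route via .78 is left out because it only applies to traffic arriving from a VPN tunnel, not to the server-to-client packets the question is about. The model shows the per-client /32 "V" route winning while the session is up, the /24 null0 route catching the same destination once the /32 is gone, and, without the null0 route, the packet leaking to the Internet default route.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), standing in for the
# xxx.xxx.xxx values masked in the thread. Not taken from the original post.
INTERNET_GW = "203.0.113.254"     # next hop of the S* default route on "outside"
ANYCONNECT_POOL = "192.0.2.0/24"  # AnyConnect address pool, assumed /24 as in the workaround


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    code: str        # "S*" default static, "S" static, "V" per-client VPN host route
    next_hop: str    # gateway address, "null0", or "connected by VPN"
    interface: str


class AsaRib:
    """Minimal model of the ASA routing table: the longest matching prefix wins.
    Administrative distance tie-breaking is not modelled; nothing here needs it."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, code, next_hop, interface):
        route = Route(ipaddress.ip_network(prefix), code, next_hop, interface)
        self.routes.append(route)
        return route

    def vpn_connect(self, client_ip):
        # When a session comes up the ASA installs a /32 "V" route for the assigned IP
        # (the "V ... connected by VPN (advertised), outside" lines in the thread).
        return self.add(f"{client_ip}/32", "V", "connected by VPN", "outside")

    def vpn_disconnect(self, client_ip):
        # On teardown the /32 is withdrawn; the poster confirmed it is absent for inactive clients.
        host = ipaddress.ip_network(f"{client_ip}/32")
        self.routes = [r for r in self.routes if not (r.code == "V" and r.prefix == host)]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def build_rib(with_null_route):
    """Routing table before (False) and after (True) the accepted workaround."""
    rib = AsaRib()
    rib.add("0.0.0.0/0", "S*", INTERNET_GW, "outside")
    if with_null_route:
        # The workaround from the thread: a summary route for the pool pointing at null0.
        rib.add(ANYCONNECT_POOL, "S", "null0", "null0")
    return rib


def forwarding_decision(rib, dst):
    """Fate of a packet from the inside (e.g. a server) towards dst:
    'tunnel', 'drop', or 'outside via <gateway>'."""
    route = rib.lookup(dst)
    if route is None or route.next_hop == "null0":
        return "drop"
    if route.code == "V":
        return "tunnel"
    return f"{route.interface} via {route.next_hop}"


if __name__ == "__main__":
    client = "192.0.2.105"
    print("without null0 route, client disconnected:",
          forwarding_decision(build_rib(False), client))      # leaks to the Internet
    rib = build_rib(True)
    print("with null0 route, client disconnected:   ", forwarding_decision(rib, client))
    rib.vpn_connect(client)
    print("with null0 route, client connected:      ", forwarding_decision(rib, client))
    rib.vpn_disconnect(client)
    print("with null0 route, client disconnected:   ", forwarding_decision(rib, client))
    print("non-pool destination:                    ", forwarding_decision(rib, "198.51.100.7"))
```

The only thing the model relies on is prefix length: a /32 beats a /24 regardless of administrative distance, so the null0 route never shadows a live session, and the /24 only becomes the best match once the /32 has been withdrawn. A destination outside the pool is unaffected and still follows the default route.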