Solved: Default gateway for VPN Clients

vamos_fernholz · ‎09-08-2016

Hello,

i'm trying to set up VPN connections to my ASA 5512. I want the whole traffic to be tunneled; clients should use the internet connection for which the ASA is the gateway for.

I just can't get this to work. Clients are connecting fine. Anyconnect client shows all traffic as tunneled for IPv4 and dropped for IPv6 which is what I intend.

My Network:

internal Network 192.168.2.1-192.168.2.255

IPs assigned to VPN Clients: 192.168.2.88-192.168.2.99

DNS Servers: 192.168.2.1, 192.168.2.2

Gateway/ASA IP: 192.168.2.45

All internal clients can access internal network and internet just fine. VPN clients can access internal network (but only if IPs are entered directly), so I think i might have an DNS Problem. How can I force the VPN Clients to use 192.168.2.45 as default gateway?

Thanks in advance!

S-Lemming · ‎09-08-2016

The ASA is the gateway by default for the VPN clients. What you need to do is permit hairpinning so the VPN traffic can go back on the outside interface. Also you must configure NAT for the VPN pool as it most likely only is configured for your internal clients.

Try this in global configuration:

same-security-traffic permit intra-interface

object network VPN-PAT-NAT
 range 192.168.2.88 192.168.2.99
 nat (outside,outside) dynamic interface

Hope this helps.

View solution in original post

S-Lemming · ‎09-08-2016

The ASA is the gateway by default for the VPN clients. What you need to do is permit hairpinning so the VPN traffic can go back on the outside interface. Also you must configure NAT for the VPN pool as it most likely only is configured for your internal clients.

Try this in global configuration:

same-security-traffic permit intra-interface

object network VPN-PAT-NAT
 range 192.168.2.88 192.168.2.99
 nat (outside,outside) dynamic interface

Hope this helps.

vamos_fernholz · ‎09-08-2016

Forum's a bit dodgy today it seems, so I might thank you twice :D That really did the trick, thanks a lot!