Default Gateway when connected to VPN

JohanKardell
Level 1

Thanks for reading!

This is probably a dumb question, so bear with me...

I have set up a VPN connection with a Cisco ASA 5505 fronting the internet, with the customer's environment behind it (on the same subnet). When connected to the VPN I can reach the inside router fronting me and one switch behind the router (every switch is connected to the router), but nothing else.

My bet is that the router is messing with my connection, but never mind that, the setup isn't complete anyway... My question is more related to the gateway I'm missing when I'm connected to the VPN on the ASA from the outside. Could this mess it up? Shouldn't I have a Standard-Gateway in the ipconfig settings in Windows?

This is how it looks now:

        Anslutningsspecifika DNS-suffix . : VPNOFFICE
        IP-adress . . . . . . . . . . . . : 10.10.10.1
        Nätmask . . . . . . . . . . . . . : 255.255.255.0
        Standard-gateway  . . . . . . . . :

The internal network is:

172.16.12.0 255.255.255.0

Below is my config for the ASA, thanks a lot!

!FLASH ON THE ROUTER FROM THE START
!asa841-k8.bin
!
hostname DRAKENSBERG
domain-name default.domain.invalid
enable password XXXXXXX
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.12.4 255.255.255.0
!
interface Vlan10
nameif outside
security-level 0
ip address 97.XX.XX.20 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list nonat extended permit ip 172.16.12.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list MSS_EXCEEDED_ACL extended permit tcp any any
access-list VPN-SPLIT-TUNNEL remark VPN SPLIT TUNNEL
access-list VPN-SPLIT-TUNNEL standard permit 172.16.12.0 255.255.255.0
!
tcp-map MSS-MAP
  exceed-mss allow
!
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging console notifications
logging buffered notifications
logging asdm notifications
mtu inside 1500
mtu outside 1500
ip local pool VPN 10.10.10.1-10.10.10.40 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.12.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 97.XX.XX.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.16.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 172.16.12.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
group-policy VPNOFFICE internal
group-policy VPNOFFICE attributes
dns-server value 215.122.145.18
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SPLIT-TUNNEL
default-domain value VPNOFFICE
split-dns value 215.122.145.18
msie-proxy method no-proxy
username admin password XXXXXX privilege 15
username Daniel password XXXXX privilege 0
username Daniel attributes
vpn-group-policy VPNOFFICE
tunnel-group VPNOFFICE type remote-access
tunnel-group VPNOFFICE general-attributes
address-pool VPN
default-group-policy VPNOFFICE
tunnel-group VPNOFFICE ipsec-attributes
pre-shared-key XXXXXXXXXX
!
class-map MSS_EXCEEDED_MAP
match access-list MSS_EXCEEDED_ACL
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp error
  inspect pptp
  inspect ipsec-pass-thru
  inspect icmp
class MSS_EXCEEDED_MAP
  set connection advanced-options MSS-MAP
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:aaa1f198bf3fbf223719e7920273dc2e
: end


7 Replies

rizwanr74
Level 7

You must add the other internal networks that you want to access to the 'nonat' ACL, like the one you have below.

access-list nonat extended permit ip 172.16.12.0 255.255.255.0 10.10.10.0 255.255.255.0

and a route to push the traffic to the inside.

route inside inside-network-iD 255.255.whatever.whatever next-hop-address-inside-the-network.

FYI...

This is something out of the ordinary, you just increased the encryption level way too much, I have never seen anything like this.

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

Bonus FYI...

This is all you needed.

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA

Thanks

Rizwan Rafeek

one missing piece is:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
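The point above about the oversized transform-set list has a security side as well as a tidiness one: every set named in the dynamic map is an offer the ASA will accept from a client, and the posted list includes single DES and HMAC-MD5. The script below is an added example, not code from the thread or from Cisco; it parses the `crypto ipsec transform-set`, `crypto dynamic-map` and `crypto isakmp policy` lines of a config and reports which of the offered sets and IKE policies rely on DES, 3DES, MD5 or small DH groups. The config text inside it is a constructed, shortened excerpt of the one posted above (one extra set, ESP-AES-192-SHA, is defined but left out of the map to show the "defined but unused" check), and the regular expressions and the lists of weak algorithms are this example's own assumptions.

```python
"""Audit the IKE/IPsec crypto settings in a Cisco ASA running-config excerpt.

Added example (not code from the thread). It reports weak algorithms the ASA
would still accept from a remote-access client, judged only by what the
dynamic crypto map actually offers, plus transform sets that are defined but
never referenced.
"""
import re
from collections import OrderedDict

# Constructed excerpt of the posted config (shortened). ESP-AES-192-SHA is
# defined but deliberately not listed in the dynamic map.
ASA_CONFIG = """\
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-256-MD5
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
"""

# ESP algorithms that no longer meet current guidance (example's own list).
WEAK_ESP = {
    "esp-des": "single DES, 56-bit key",
    "esp-3des": "3DES, 64-bit block size",
    "esp-md5-hmac": "HMAC-MD5 integrity",
}
# IKEv1 policy settings to flag: (keyword, value) -> reason.
WEAK_IKE = {
    ("encryption", "des"): "single DES",
    ("encryption", "3des"): "3DES",
    ("hash", "md5"): "MD5",
    ("group", "1"): "768-bit DH",
    ("group", "2"): "1024-bit DH",
}
WEAK_PFS = {"group1": "768-bit DH", "group2": "1024-bit DH"}


def parse_transform_sets(config):
    """Map transform-set name -> list of ESP algorithms it uses."""
    sets = OrderedDict()
    for line in config.splitlines():
        m = re.match(r"\s*crypto ipsec transform-set (\S+)\s+(.+)$", line)
        if m:
            sets[m.group(1)] = m.group(2).split()
    return sets


def parse_dynamic_map(config):
    """Return (pfs_group, [transform-set names offered, in order])."""
    pfs, offered = None, []
    for line in config.splitlines():
        m = re.match(r"\s*crypto dynamic-map \S+ \d+ set pfs (\S+)", line)
        if m:
            pfs = m.group(1)
        m = re.match(r"\s*crypto dynamic-map \S+ \d+ set transform-set (.+)$", line)
        if m:
            offered = m.group(1).split()
    return pfs, offered


def parse_isakmp_policies(config):
    """Map policy priority -> {setting: value} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        if current is not None:
            m = re.match(r"\s*(authentication|encryption|hash|group|lifetime)\s+(\S+)", line)
            if m:
                current[m.group(1)] = m.group(2)
            else:
                current = None  # any other line ends the policy block
    return policies


def audit(config):
    """Return human-readable findings for weak settings the ASA would offer."""
    findings = []
    sets = parse_transform_sets(config)
    pfs, offered = parse_dynamic_map(config)
    for name in offered:  # only sets the map actually offers matter
        for algo in sets.get(name, []):
            if algo in WEAK_ESP:
                findings.append(f"transform-set {name}: {algo} ({WEAK_ESP[algo]})")
    if pfs in WEAK_PFS:
        findings.append(f"dynamic-map pfs {pfs} ({WEAK_PFS[pfs]})")
    for prio, settings in sorted(parse_isakmp_policies(config).items()):
        for key in ("encryption", "hash", "group"):
            reason = WEAK_IKE.get((key, settings.get(key)))
            if reason:
                findings.append(f"isakmp policy {prio}: {key} {settings[key]} ({reason})")
    return findings


def unused_transform_sets(config):
    """Transform sets defined in the config but not referenced by the dynamic map."""
    sets = parse_transform_sets(config)
    _, offered = parse_dynamic_map(config)
    return [name for name in sets if name not in offered]


if __name__ == "__main__":
    for finding in audit(ASA_CONFIG):
        print("WEAK  ", finding)
    for name in unused_transform_sets(ASA_CONFIG):
        print("UNUSED", name)
```

Run against the excerpt it flags ESP-3DES-SHA, ESP-DES-SHA and ESP-AES-256-MD5, the `pfs group1` setting and the 3DES/group 2 ISAKMP policy, while ESP-AES-128-SHA (the one set the reply above says is all that is needed) produces no finding. To use it on a real `show running-config`, read the file into `ASA_CONFIG`; the parser ignores lines it does not recognise.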

I didn't realise I had those crypto settings on, thanks, my bad!!!

But... the 172.16.12.0 network is directly connected; the router (that, to be honest, is a firewall) and switches are all on the same subnet (172.16.12.X/24), so sorry I didn't explain thoroughly, I was more wondering about the GW and didn't want to overcomplicate things..

The firewall/router doesn't do any routing, so it should work, right (if you count out the firewalling in the firewall and so forth, there shouldn't be any problems accomplishing this with the ASA)? The firewall is more a DHCP server for the clients / firewall for the clients.. this will change in the future.. it will be removed,

the VPN network is statically routed back to my ASA in that firewall...

I don't like this solution.. but this is how it looks.. for now..

(VPN network is 10.10.10.X/24)

But... shouldn't I see a default gateway under ipconfig when I'm connected to the VPN from the internet, on the VPN client that's VPNed in? Is this correct?

THANKS for all the help!

That's fine. The VPN adapter is a virtual one and does not make any routing decision even if you get the gateway over there. So a gateway is not required for VPN traffic on the virtual adapter.

Thanks

Ajay

Thanks! And split-tunnel enabled or disabled won't affect whether there's a gateway or not, right!?

Right, if disabled all traffic will go over the tunnel, and in case it's enabled the local internet gateway will be used and specific traffic will go over the tunnel.
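The two answers above can be checked with a small routing model. The script below is an added example, not code from the thread or from Cisco; it builds the route list a VPN client ends up with under each `split-tunnel-policy` value and resolves a few destinations against it with a longest-prefix match. The split-tunnel ACL (172.16.12.0/24) and the VPN pool (10.10.10.0/24) are the values from the posted config; the client's physical LAN (192.168.1.0/24) and its default gateway (192.168.1.1) are constructed, and keeping the local LAN route under `tunnelall` is a modelling assumption. Routes via the virtual adapter carry no next-hop gateway, which is why the `Standard-gateway` field in the `ipconfig` output is empty yet 172.16.12.x is still reachable.

```python
"""Model the client-side routes installed under each ASA split-tunnel policy.

Added example (not code from the thread or from Cisco). Tunnel routes point
at a point-to-point virtual adapter and so carry no next-hop gateway; the
local default route keeps the physical gateway when split tunnelling is on.
"""
import ipaddress

SPLIT_TUNNEL_ACL = ["172.16.12.0/24"]   # access-list VPN-SPLIT-TUNNEL (from the config)
VPN_POOL = "10.10.10.0/24"              # ip local pool VPN ... mask 255.255.255.0
LOCAL_LAN = "192.168.1.0/24"            # constructed: the client's physical LAN
LOCAL_GATEWAY = "192.168.1.1"           # constructed: the physical default gateway


def build_routes(policy, split_acl=SPLIT_TUNNEL_ACL):
    """Return (network, interface, gateway) tuples, longest prefix first.

    'tunnelspecified' installs one route per ACL network via the VPN adapter
    and leaves the default route on the physical adapter; 'tunnelall' moves
    the default route onto the VPN adapter. The local LAN route is kept in
    both cases (modelling assumption: local LAN access allowed).
    """
    routes = [
        (ipaddress.ip_network(LOCAL_LAN), "lan", None),
        (ipaddress.ip_network(VPN_POOL), "vpn", None),
    ]
    if policy == "tunnelspecified":
        routes += [(ipaddress.ip_network(n), "vpn", None) for n in split_acl]
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "lan", LOCAL_GATEWAY))
    elif policy == "tunnelall":
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "vpn", None))
    else:
        raise ValueError(f"unknown split-tunnel-policy {policy!r}")
    # Longest prefix first, which is the order the IP stack consults them in.
    return sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(routes, dst):
    """Longest-prefix match; returns (interface, gateway) for a destination."""
    addr = ipaddress.ip_address(dst)
    for net, iface, gw in routes:
        if addr in net:
            return iface, gw
    raise LookupError(dst)


def route_table(policy):
    """Render the route list roughly the way 'route print' shows it."""
    rows = []
    for net, iface, gw in build_routes(policy):
        rows.append(f"{str(net):<18} {iface:<4} gateway={gw or 'on-link'}")
    return "\n".join(rows)


if __name__ == "__main__":
    for policy in ("tunnelspecified", "tunnelall"):
        print(f"--- split-tunnel-policy {policy}")
        print(route_table(policy))
        for dst in ("172.16.12.4", "10.10.10.7", "8.8.8.8"):
            print(f"{dst:<14} -> {lookup(build_routes(policy), dst)}")
```

With `tunnelspecified` (the posted config) only 172.16.12.0/24 and the pool itself resolve to the VPN adapter and internet traffic keeps the physical gateway; with `tunnelall` the default route moves to the VPN adapter, still with no gateway address, matching the reply that the virtual adapter needs none.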

Thanks for all the help guys!!!!!