Edit Default Route to Tunneled

Airtimers
Level 1

I have a Cisco ASA 5510 that is providing routing functions and acts as a VPN. I'm trying to configure the VPN so that clients route all their traffic through the default gateway provided by the ASA. It's a split-tunnel setup, but when clients connect, they still seem to be using their old default gateway to route traffic. I've tried a few different things and I'm pretty sure it's due to the static default route entry in the config:

route outside 0.0.0.0 0.0.0.0 69.12.252.209 1

I'm thinking I should change that to tunneled. However, when I try to do it either from the CLI or the ASDM, the ASA locks up for 30 or so minutes and won't do anything at all (including route traffic).

Is this the right config line that's causing the issue? Any idea why I can't edit it?

Accepted Solution

Julio Carvajal
VIP Alumni

Hello Tim,

If you want to send all the traffic from the VPN clients reaching the ASA to a different default gateway, you should set the tunneled option on the route command.

Now, as I understand it, you are using split tunnel and what you are looking for is to send all the VPN clients' traffic to the ASA and then do a U-turn and use the same default gateway as the ASA.

For that you need to do the following:

1- Take out the split tunnel configuration from the group-policy, as you want to encrypt and send all the traffic from the VPN clients across the tunnel to the ASA and then from there to the outside using the same gateway as the ASA.

2- Enable same-security-traffic permit intra-interface to allow U-turning traffic.

3- Configure a NAT rule (outside,outside) from the VPN client pool to the outside interface of the ASA.

Example of the NAT using 8.3 syntax:

! network object covering the VPN client address pool
object network VPN_POOL
 subnet 10.0.0.0 255.255.255.0
exit
! translate VPN client traffic that U-turns back out the outside interface to the outside interface address
nat (outside,outside) source dynamic VPN_POOL interface

That should do it man!

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Setting the route to tunneled is what I thought I should do. The problem is when I try to remove it from the config (to add a new default route) it locks the ASA up for a long time and no one can get access. I haven't found a way to edit that yet. I would set it to not do split-tunneling, but it's a rented unit, not my own.

Hello Tim,

You should already have a default route for Internet access, and then you should have another one just for the VPN users so they can be redirected to a different gateway.

Then if you remove the tunneled interface you should not have any problem.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the help.

How would I specify one route for VPN and one for another? I only get a list of interfaces.

Would I need to add something like:

route outside (start of IP range assigned to VPN clients) (mask for VPN IP range) 69.12.252.209 tunneled

Hello Tim,

No, you can only apply one route for all the VPN users as the ASA does not support PBR (Routing based on source IP)

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
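The two approaches discussed in this thread, pulled together into one ASA configuration as an added example (this is not configuration posted by anyone in the thread): the full-tunnel U-turn from the accepted answer, and the separate tunneled default route from the later replies. The 69.12.252.209 gateway and the VPN_POOL object come from the posts; the interface names, the group-policy name RA_GP, the filter ACL name, and the dmz interface with next hop 192.0.2.1 are assumptions made for the example.

```cisco
! ---- Part 1: full tunnel with U-turn (hairpin) out the ASA's own default gateway ----

! Existing default route, kept in place. Add the VPN-specific route alongside it rather
! than deleting this one: it also carries your own management session to the ASA.
route outside 0.0.0.0 0.0.0.0 69.12.252.209 1

! Let decrypted VPN traffic leave through the same interface it arrived on.
same-security-traffic permit intra-interface

! VPN client address pool (must match the subnet handed out by "ip local pool").
object network VPN_POOL
 subnet 10.0.0.0 255.255.255.0

! Translate hairpinned VPN client traffic to the outside interface address (8.3+ syntax).
nat (outside,outside) source dynamic VPN_POOL interface

! Weak setting (the original poster's situation): with split tunnelling the client's own
! default gateway still handles Internet traffic, so nothing reaches the ASA's gateway.
group-policy RA_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL

! Corrected setting: send everything through the tunnel. Because "sysopt connection
! permit-vpn" (on by default) lets decrypted VPN traffic bypass the interface ACLs,
! restrict what VPN users may reach with a vpn-filter instead of relying on the
! outside ACL. The filter below is an assumed, permissive placeholder; tighten it.
access-list VPN_FILTER_ACL extended permit ip 10.0.0.0 255.255.255.0 any
group-policy RA_GP attributes
 split-tunnel-policy tunnelall
 vpn-filter value VPN_FILTER_ACL

! ---- Part 2: alternative, send VPN users to a different gateway than everyone else ----

! A tunneled default route applies only to traffic decrypted from VPN tunnels that has
! no more specific route; all other traffic keeps using the normal default route above.
! The "tunneled" keyword is accepted only on a default route (0.0.0.0/0) and only one
! such route may exist, so a per-pool tunneled route for 10.0.0.0/24 is not valid.
! (Assumed dmz interface and next hop.)
route dmz 0.0.0.0 0.0.0.0 192.0.2.1 tunneled
```

For the scenario in this thread (VPN users should use the same gateway as the ASA), Part 1 on its own is enough and no tunneled route is needed; Part 2 is only for steering VPN users to a different next hop, and is added next to the existing default route rather than replacing it, which is what the accepted answer recommends. Before changing the group-policy, check the current state with `show run group-policy RA_GP`, `show run nat` and `show route`, and make the change from a session that does not depend on the route you are touching.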