How can I specify a default gateway for AnyConnect users with a local IP pool?

rstevek
Level 1

Hi all,

This question pertains to my ASA5510 running 8.0(4) software.

For several of my AnyConnect group policies, I am using a local IP pool to assign addresses to the remote clients. The pool is 10.1.50.1 - 10.1.50.250. The problem is that when the clients connect, they are getting a default gateway of 10.1.0.1. This would be OK in a properly configured network, but this isn't really one of those.

I don't think there is anyplace where I can specify the default gateway, is there? What's the proper way to work around this?

Thanks in advance,

- Steve


9 Replies

mopaul
Cisco Employee

Hey,


There is no way you can push or configure the DG on clients (be it AnyConnect or IPsec). By design it works as follows:

Split tunneling enabled: you would see NO DG in ipconfig /all on the VPN adapter.

Split tunneling disabled: either the first IP from the pool or the client's IP address will be seen as the DG.

From a pool of 10.1.50.1 - 10.1.50.250, with split tunneling disabled you should see the DG either as 10.1.50.1 or as the IP assigned to your client by the local pool on the ASA.

Seeing a DG that is also out of the pool sounds weird. Are you sure that you didn't make a typo in your post? I mean, it's 10.1.50.1 and not 10.1.0.1?



Regards

M

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries

Hi,

Thanks very much, but it was not a typo. I've attached a screenshot showing the IP address assigned to me by the AnyConnect client, and here's the output of ipconfig /all:


Windows IP Configuration

        Host Name . . . . . . . . . . . . : 154chris-net-is
        Primary Dns Suffix  . . . . . . . : vcnynt.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : vcnynt.com
                                            vcnynt.com
                                            momentumaidsproject.org

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Connection
        Physical Address. . . . . . . . . : 00-1C-BF-99-E8-35

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
        Physical Address. . . . . . . . . : 00-1B-38-B9-03-A2
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 68.167.16.171
        Subnet Mask . . . . . . . . . . . : 255.255.255.248
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 68.167.16.169
        DNS Servers . . . . . . . . . . . : 64.105.124.155
                                            64.105.159.251
        Lease Obtained. . . . . . . . . . : Monday, November 23, 2009 9:58:23 AM
        Lease Expires . . . . . . . . . . : Monday, November 23, 2009 10:58:23 AM

Ethernet adapter Cisco AnyConnect VPN Client Connection:

        Connection-specific DNS Suffix  . : vcnynt.com
        Description . . . . . . . . . . . : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
        Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.1.50.1
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 10.1.0.1
        DNS Servers . . . . . . . . . . . : 10.1.2.80
                                            10.1.2.180

Thanks,

- Steve

Hi,

Check this out...

Ethernet adapter Cisco AnyConnect VPN Client Connection:

        Connection-specific DNS Suffix  . : vcnynt.com
        Description . . . . . . . . . . . : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
        Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.1.50.1
        Subnet Mask . . . . . . . . . . . : 255.255.0.0 <<<<<<<< Subnet mask is /16.
        Default Gateway . . . . . . . . . : 10.1.0.1

10.1.50.1 is part of the 10.1.0.0 subnet. By design, to make VPN client routing compatible with Vista machines, we changed the IP address assignment for the DG on the client. It had been noticed that if the DG has the same IP as the virtual adapter's IP address, it won't work. So what you are seeing is the right behavior.

In other words, AnyConnect will show the first IP address of the subnet as the DG, which in your case is 10.1.0.1.




HTH...


Regards

M


P.S : For all users whenever you post your questions and the solution given to you works, please make sure you rate it. That helps other users with same query to get their answers in less time rather posting a new thread for same thing and waiting for answers. This saves time for both author and the person who replies to it.

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries

Hi,

Thanks again. I guess I wasn't clear. I know that 10.1.0.1 is the first address in our class B. That goes back to what I said about how this would be OK if this was a properly configured network.

I guess if there's no way to change the gateway for the AnyConnect clients, I should reconfigure the network. 10.1.0.1 was assigned to a workstation by DHCP, but that's easily fixed and I can put it as a secondary address on the gateway.

Thanks,

- Steve

Hi,

Well, that's correct: there is no way to change the DG as it's hardcoded on the clients. That's why Cisco does not recommend overlapping subnets across the tunnel, be it site-to-site or VPN clients. In the case of the latter, the pool is not recommended to be part of the same subnet as the internal LAN behind the VPN-terminating device.


HTH...


Regards

M

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries
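As an added example (not code from the thread, from Cisco, or from the ASA), a small Python check that applies the two points made in the replies above: the DG AnyConnect displays is the first address of the subnet implied by the assigned address and mask, and the pool should not overlap the internal LAN. The function names and the LAN/host values are assumptions; the pool, the /16 mask and the 10.1.0.1 DHCP workstation come from Steve's posts.

```python
import ipaddress


def implied_gateway(client_ip: str, mask: str) -> ipaddress.IPv4Address:
    """First address of the subnet formed by the assigned IP and mask, which
    is the DG the thread says AnyConnect displays (10.1.50.1/16 -> 10.1.0.1)."""
    net = ipaddress.IPv4Network(f"{client_ip}/{mask}", strict=False)
    return net.network_address + 1


def check_pool(pool_start: str, pool_end: str, mask: str,
               lan_networks, lan_hosts=()):
    """Assumed pre-deployment check (hypothetical helper, not ASA code).
    Returns a list of findings for:
    - the implied DG falling outside the pool (it then belongs to whatever
      LAN device holds that address, like the DHCP workstation at 10.1.0.1),
    - the implied DG being an address already in use on the LAN,
    - the pool's subnet overlapping the internal LAN, which the reply above
      says Cisco does not recommend."""
    start = ipaddress.IPv4Address(pool_start)
    end = ipaddress.IPv4Address(pool_end)
    gw = implied_gateway(pool_start, mask)
    pool_net = ipaddress.IPv4Network(f"{pool_start}/{mask}", strict=False)
    findings = []
    if not start <= gw <= end:
        findings.append(f"implied gateway {gw} is outside the pool {start}-{end}")
    if gw in {ipaddress.IPv4Address(h) for h in lan_hosts}:
        findings.append(f"implied gateway {gw} is already assigned to a LAN host")
    for lan in lan_networks:
        lan_net = ipaddress.IPv4Network(lan)
        if pool_net.overlaps(lan_net):
            findings.append(f"pool subnet {pool_net} overlaps internal LAN {lan_net}")
    return findings


if __name__ == "__main__":
    # Steve's configuration: pool 10.1.50.1-10.1.50.250 with a /16 mask on a
    # 10.1.0.0/16 LAN where a DHCP workstation holds 10.1.0.1 (LAN values assumed).
    for f in check_pool("10.1.50.1", "10.1.50.250", "255.255.0.0",
                        ["10.1.0.0/16"], lan_hosts=["10.1.0.1"]):
        print("FINDING:", f)
    # Constructed alternative: a dedicated /24 pool that does not overlap the LAN.
    print(check_pool("10.200.50.1", "10.200.50.250", "255.255.255.0",
                     ["10.1.0.0/16"], lan_hosts=["10.1.0.1"]))  # []
```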

I know this is an old discussion but I would like to add to it. The value of the default gateway really does not matter to the AnyConnect client. The default gateway is significant when we deal with physical addresses and traditional IP subnets. But the AnyConnect client is dealing with a virtual interface and does not need a default gateway. The AnyConnect client is treating the VPN session very much like a point to point link, where you are not necessarily interested in the IP of the next hop. (think for example of this ip route 0.0.0.0 0.0.0.0 serial0/0. There is no need for a next hop address or a default gateway address.) The routing logic of the AnyConnect client is that all "interesting" traffic will be sent to the upstream peer using the encrypted link. That encrypted link uses the peer address and does not use any default gateway. Lots of software stacks expect an IP interface to have a default gateway and so Cisco typically will set the value of the default gateway to the first IP in the subnet of the address pool. But AnyConnect does not use that default gateway and it really does not make any significant difference whether the value of default gateway in the client matches the default gateway of the upstream peer or not.

HTH

Rick

Thanks @Richard Burts! VERY well done on your explanation and appreciated! I just got done moving our VPN AnyConnect pool to a bigger pool to accommodate more remote workers (thanks COVID-19!) and interestingly, when testing with my AnyConnect client, I'm seeing another client get the first IP in the pool, which is also my default gateway on my VPN client! All functionality appears so I'm guessing we're OK. I'll know more in the morning when the users start hammering the Remote Access VPN connections.

Anyway, thanks so much for your contribution on this thread. Cheers...

@j.hammel you are welcome. I am glad that my explanation has been helpful. I hope that your increased use of AnyConnect goes well. It is not intuitive for many of us, but in things like AnyConnect the concept of default gateway is really not useful. We are so used to thinking in terms of how our PC gets to remote resources by depending on its default gateway (and perhaps have experienced troubleshooting problems that turned out to be incorrect default gateway) that we assume this is the case with AnyConnect. But it is not the case here. Perhaps it might help to think of it in terms of AnyConnect just needs to send its encrypted data to the head end device and AnyConnect knows how to reach the head end device without needing a default gateway.

HTH

Rick

Zalbarqawi
Level 1

Here I made a quick lab showing an interesting thing: the source IP of the remote VPN client changes based on the Wireshark sniff point. Below are the sniff results after AnyConnect was successfully implemented:

- After AnyConnect was implemented, I tried [HTTPS from the remote VPN client TO 1.1.1.1], which is the enterprise server's local IP address, and here are the results:

1- When I sniff the traffic on the physical NIC of the remote client user I found the below (encrypted traffic, DTLS):

source IP was: 192.168.100.2 (physical NIC IP)

destination IP was: 172.2.2.1 (outside IP of ASA)

2- When I sniff the traffic on the outside interface of the ASA I found the below (encrypted traffic, DTLS):

source IP was: 172.1.1.1 (NATed public IP of home router)

destination IP was: 172.2.2.1 (outside IP of ASA)

3- When I sniff the traffic on the inside interface of the ASA I found the below (unencrypted traffic, TCP):

source IP was: 192.168.41.1 (virtual adapter AnyConnect pool IP)

destination IP was: 1.1.1.1 (HTTPS real IP)

anyconnect-vpn.png