1268 Views, 0 Helpful, 3 Replies

How to tunnel a public IP address over a remote access tunnel?

andrussuitsu
Level 1

Hi!

We need to have a remote access worker to access a certain public IP address x.x.x.x through our ASA5510 so his access to x.x.x.x will look as if originated from our network.

I set up a split tunneling remote access policy and the client routing shows that x.x.x.x is among the tunneled addresses. But when I ping x.x.x.x from the client side, the ping packets are bypassed using the default 0.0.0.0 route on the client and so they don't enter the tunnel. The client also increases the number of bypassed packets and the encrypted/decrypted count remains 0.

Route metric for 0.0.0.0 is 281 and it is 100 for x.x.x.x so it looks like x.x.x.x has priority.

What could be the problem?

Andrus

Accepted Solution

Richard Burts
Hall of Fame

Andrus

The most logical thing would be that there is a flaw in the way that you set up the split tunneling. Can you post the config so that we can see what is there?

It might also be helpful if you could post the output of route print from the client PC.

I doubt that the metrics of the routes are the problem. In looking up routes to forward packets it is a longest match lookup. So you only use the 0.0.0.0 route if there is no other matching route in the table.

HTH

Rick

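Rick's point about longest-match lookup can be checked against a client route table directly. The following is an added example, not part of the thread or of any Cisco software: it models a Windows "route print" listing as a constructed table and selects a route the way a host stack does, by longest prefix first and metric only as a tie-breaker. The public host x.x.x.x from the question is stood in for by the documentation address 203.0.113.10, and the VPN pool 10.10.10.0/24, the pool gateway 10.10.10.1 and the LAN 192.168.1.0/24 are all assumed values.

```python
from ipaddress import ip_address, ip_network

# Constructed route table in the shape of a Windows "route print" listing:
# (destination, netmask, gateway, interface, metric). 203.0.113.10 stands in
# for the thread's x.x.x.x; the pool, gateway and LAN addresses are assumed.
CLIENT_ROUTES = [
    ("0.0.0.0",      "0.0.0.0",         "192.168.1.1", "192.168.1.50", 281),  # default via LAN
    ("192.168.1.0",  "255.255.255.0",   "on-link",     "192.168.1.50", 281),  # LAN segment
    ("10.10.10.0",   "255.255.255.0",   "on-link",     "10.10.10.5",   100),  # VPN pool subnet
    ("203.0.113.10", "255.255.255.255", "10.10.10.1",  "10.10.10.5",   100),  # split-tunnel host
]


def parse_routes(table):
    """Turn (dest, mask, gateway, iface, metric) rows into dicts holding an ip_network."""
    routes = []
    for dest, mask, gateway, iface, metric in table:
        routes.append({
            "network": ip_network(f"{dest}/{mask}", strict=False),
            "gateway": gateway,
            "interface": iface,
            "metric": metric,
        })
    return routes


def matching_routes(dst, routes):
    """Every route whose prefix contains dst: the candidate set for one lookup."""
    addr = ip_address(dst)
    return [r for r in routes if addr in r["network"]]


def lookup(dst, routes):
    """Select the forwarding route for dst as a host stack does: the longest
    prefix wins outright, and metric only breaks ties between routes of equal
    prefix length. Returns None when nothing matches."""
    candidates = matching_routes(dst, routes)
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["network"].prefixlen, r["metric"]))


def explain(dst, routes):
    """One-line summary of the decision, for reading alongside route print."""
    chosen = lookup(dst, routes)
    if chosen is None:
        return f"{dst}: no route"
    others = [r for r in matching_routes(dst, routes) if r is not chosen]
    beaten = ", ".join(f"{r['network']} (metric {r['metric']})" for r in others) or "none"
    return (f"{dst}: via {chosen['network']} on {chosen['interface']} "
            f"(metric {chosen['metric']}); less specific matches ignored: {beaten}")


if __name__ == "__main__":
    routes = parse_routes(CLIENT_ROUTES)
    for dst in ("203.0.113.10", "203.0.113.11", "10.10.10.7", "8.8.8.8"):
        print(explain(dst, routes))
```

With this table the /32 host route on the VPN adapter is chosen for 203.0.113.10 even though the default route exists, and it would still be chosen if its metric were far worse than the default's; metric never promotes a shorter prefix over a longer one. A neighbouring address such as 203.0.113.11 has no specific entry and falls through to 0.0.0.0/0, which is what a client showing "bypassed" packets is doing: the secured route the client thinks it installed does not actually cover the destination, so comparing against the actual route print output is the right check.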
3 Replies

andrussuitsu
Level 1

Hi!

Your request to send the output of "route print" gave an incentive to have a better look at the output myself and I discovered a problem with the netmask of the IP pool assigned to the client. It proves the point that presenting a problem is in itself frequently enough to solve the problem. As the one who asks the question will then need to articulate the problem in a coherent way, this will often bring about a moment of clarity and enlightenment not achieved by pondering the problem alone.

Thanks!

Andrus

I am glad that my suggestion prompted you to take another look at the issue and to find the problem. Thank you for using the rating system to mark this question as answered - and thanks for the points. I absolutely agree with your observation that sometimes the process of posting about a problem or trying to explain a problem to someone will cause us to look at the problem in a slightly different way and therefore to find a solution to the problem. I am glad that you found your own solution and that you posted back to the forum about it.

HTH

Rick