Inside Default Route

debra-brown
Level 1

We have an ASA 5550. How do you put the statement for the inside default route?  When I put the inside default route (route Inside 0.0.0.0 0.0.0.0 172.16.3.254 tunneled), I cannot get on the internet when I connect to Cisco VPN client with group policy techsupport (full tunnel).  However, I can get on the internet with split-tunnel for splitunnel group policy.  Attached is the config.  Please let me know if you need additional information.

Do you have any suggestions?

Thanks.


5 Replies

Jennifer Halim
Cisco Employee

You don't need to configure route inside with the tunnelled keyword for the non split tunnel policy. With the current configuration, you should be able to access the Internet via the outside interface. Are you trying to send the internet traffic towards your internal internet gateway? Or would the ASA outside interface be the default gateway for the VPN Client internet traffic?

Thanks Halijenn for your prompt response and information.  My ASA outside interface is the default gateway for the VPN client internet traffic. Is it possible to configure the default inside route and get on the internet with full tunnel?  Is it normal that people configure the default inside route with full tunnel?  I need to configure the default inside route because there are some networks that are configured on the Cisco 6500 and do not have the static routes on the ASA.  When the ASA does not have static routes, I want the ASA to check with the Cisco 6500 (inside networks) first, then the firewall. 

Please let me know if you have any questions or need additional information.

Thanks.

Debra

If you just configured the tunnel default gateway purely to send traffic towards the Cat6k and return the traffic back to the ASA for internet traffic, that would not work.

Reason is because the NAT exemption configuration always takes precedence over the PAT, and since the default gateway for the internet traffic is back towards the ASA itself, then traffic will be NAT exempted, and with a private IP address, internet traffic will not get anywhere.

If traffic is going in and out the outside interface of the ASA for vpn client internet traffic without the tunneled default gateway, it will work just fine because it doesn't traverse the inside interface where the NAT exemption is applied.

Hope that makes sense.
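As an added illustration (not code from the thread, and not the ASA's own implementation), here is a small Python model of the pre-8.3 NAT ordering described above: the exemption is consulted before PAT, so once the tunneled default route sends decrypted client traffic through the Cat6k and back in on the inside interface, the pool's private address is never translated. The pool, inside network and PAT address are constructed values.

```python
import ipaddress

# Constructed topology (assumed): the thread's attached config is not on the page.
VPN_POOL = ipaddress.ip_network("172.16.100.0/24")   # private VPN client pool
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # networks behind the Cat6k
OUTSIDE_PAT_IP = "203.0.113.1"                       # ASA outside address used for PAT
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def egress_interface(dst, just_decrypted, tunneled_default):
    """Route lookup. A 'tunneled' default route is consulted only for packets that
    were just decrypted from a VPN; cleartext packets use the ordinary default."""
    dst = ipaddress.ip_address(dst)
    if any(dst in n for n in INSIDE_NETS):
        return "inside"
    if just_decrypted and tunneled_default:
        return "inside"   # route inside 0.0.0.0 0.0.0.0 172.16.3.254 tunneled
    return "outside"

def nat_action(src, ingress, egress):
    """Pre-8.3 NAT order: nat 0 access-list (exemption) wins over dynamic PAT.
    The exemption covers inside <-> VPN-pool traffic on the inside interface, so a
    pool-sourced packet entering on inside keeps its private address."""
    if ingress == "inside" and ipaddress.ip_address(src) in VPN_POOL:
        return "exempt"
    return "pat" if egress == "outside" else "none"

def vpn_client_to_internet(src, dst, tunneled_default):
    """Follow one decrypted VPN-client packet toward the internet and report the
    source address the internet sees and whether that address is routable there."""
    if egress_interface(dst, True, tunneled_default) == "outside":
        # U-turn on the outside interface: the inside NAT exemption is never consulted.
        path, action = ["outside"], "pat"
    else:
        # Handed to the Cat6k, which has no other internet path and sends it back.
        path = ["inside", "inside", "outside"]
        action = nat_action(src, "inside", egress_interface(dst, False, tunneled_default))
    seen = OUTSIDE_PAT_IP if action == "pat" else src
    routable = not any(ipaddress.ip_address(seen) in n for n in RFC1918)
    return {"path": path, "nat": action, "source_seen": seen, "routable_source": routable}
```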

Halijenn,

Thanks for your prompt response and information.  May I ask you another question since you know so much?  If I use public IP address instead of private IP address, will I be able to configure the default inside route and get on the internet with full tunnel?

Thanks.

After thinking carefully, even with the IP pool configured with a public IP address, as far as the connection is concerned, I don't believe it will work.

Here is my logical thinking:

1) Say the pool is 200.1.1.1, it will reach the ASA, be decrypted and sent to the Cat6k with tunnel default gateway set.

2) Cat6k will just reroute the traffic with the same source as 200.1.1.1. From the ASA's point of view, 200.1.1.1 should be connected to the outside (where vpn is terminated) instead of inside, and ASA will think the source address is spoofed and drop the packet.

3) Even if the ASA allowed it, for example, 200.1.1.1 comes in the inside interface of the ASA, then goes out to the internet, and when it comes back, it will send the traffic out towards the outside interface to be encrypted back towards the VPN Client. However, this will cause a TCP asymmetric issue as follows:

TCP SYN - from 200.1.1.1 (inside) towards outside

TCP SYN-ACK - from outside towards outside because 200.1.1.1 is routed out (since it's still clear text packet at this point, the tunnel default gateway will not take effect).

Since it's TCP asymmetric, ASA will drop the packet as ASA is a stateful firewall.
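The two drop points in the reply above (the reverse-path spoof check in step 2 and the asymmetric SYN/SYN-ACK in step 3), as an added Python model that is not code from the thread or from Cisco; the public pool 200.1.1.0/24, the inside network and the internet host are constructed, and `enforce_rpf=False` stands in for "even if the ASA allowed it".

```python
import ipaddress

# Constructed topology (assumed): public VPN pool, VPN terminated on outside.
PUBLIC_POOL = ipaddress.ip_network("200.1.1.0/24")   # 200.1.1.1 from the reply
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # networks behind the Cat6k

def expected_interface(ip):
    """Interface the ASA associates with an address: inside networks are reached
    via inside; everything else, the VPN pool included, is reached via outside."""
    ip = ipaddress.ip_address(ip)
    return "inside" if any(ip in n for n in INSIDE_NETS) else "outside"

def rpf_check(src, ingress):
    """Reverse-path check: a source arriving on an interface the ASA would not
    use to reach that source is treated as spoofed (step 2 of the reply)."""
    return expected_interface(src) == ingress

class StatefulFirewall:
    """Minimal connection table: a SYN records the interface pair, and the
    reply must come back on the mirror of that pair (step 3 of the reply)."""
    def __init__(self, enforce_rpf=True):
        self.enforce_rpf = enforce_rpf
        self.conns = {}   # (src, sport, dst, dport) -> (ingress, egress)

    def packet(self, src, sport, dst, dport, ingress, flags):
        if self.enforce_rpf and not rpf_check(src, ingress):
            return "drop: reverse-path (spoof) failure"
        egress = expected_interface(dst)   # cleartext: tunneled default does not apply
        if flags == "SYN":
            self.conns[(src, sport, dst, dport)] = (ingress, egress)
            return f"allow: conn built {ingress}->{egress}"
        key = (dst, dport, src, sport)     # reply direction, keyed on the forward tuple
        if key not in self.conns:
            return "drop: no connection"
        fwd_in, fwd_out = self.conns[key]
        if (ingress, egress) != (fwd_out, fwd_in):
            return "drop: asymmetric path"  # SYN-ACK came in outside and would leave outside
        return "allow"
```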