Route for appliance vs. VPN clients on ASA 5510

gudlyf001
Level 1

Currently we have clients connect into the VPN and are assigned addresses in the range 10.141.40.0/22. The default route for them is 10.141.40.1. This is on interface Ethernet0/0 (external) with IP 10.141.40.40/22.

The ASA also has Ethernet0/1 (internal) setup with IP 10.141.96.40/22. This subnet only exists for communication between the ASA and authentication servers in the 10.141.96.0/22 range.

The issue I'm having is when VPN clients are connected, I want ALL of their traffic to go out that default route (10.141.40.1); however, since there is an interface in the 10.141.96.0/22 subnet, any traffic from clients trying to access that subnet is forced to go out that internal interface. I don't want that.

The question I have is: is it possible to have the appliance itself route through the "internal" interface for reaching what it needs to reach, but force VPN clients to use only the "external" interface?
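The following is an added illustration, not part of the original post or any reply. It models the appliance's routing decision as plain destination-based longest-prefix matching over the three routes the post describes (two connected interfaces plus the default via 10.141.40.1), and shows why a VPN client's packet to 10.141.96.x is sent out Ethernet0/1 regardless of where it came from. The second function shows what a source-aware rule for the VPN pool would have to do to get the behaviour the poster wants. The interface labels and the VPN pool range are taken from this thread; the route "kind" strings and function names are assumptions for readability, and nothing here establishes whether or how this particular appliance supports a source-aware rule.

```python
import ipaddress

# Routing table built from the addresses in the post. Interface names follow
# the post; the "kind" labels are added here for readability (assumption).
ROUTES = [
    ("Ethernet0/0", ipaddress.ip_network("10.141.40.0/22"), None, "connected"),
    ("Ethernet0/1", ipaddress.ip_network("10.141.96.0/22"), None, "connected"),
    ("Ethernet0/0", ipaddress.ip_network("0.0.0.0/0"),
     ipaddress.ip_address("10.141.40.1"), "static default"),
]

# VPN client pool as shown in the "show ip local pool VLAN70" output later in
# the thread (10.141.40.128 - 10.141.40.198).
VPN_POOL = (ipaddress.ip_address("10.141.40.128"),
            ipaddress.ip_address("10.141.40.198"))


def lookup(dst, routes=ROUTES):
    """Destination-only longest-prefix match.

    Returns (egress interface, next hop or None, route kind) for the most
    specific prefix containing dst, or None if no route matches. The source
    address plays no part, which is the root of the poster's problem.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, nexthop, kind in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[1].prefixlen):
            best = (iface, prefix, nexthop, kind)
    if best is None:
        return None
    iface, _prefix, nexthop, kind = best
    return (iface, None if nexthop is None else str(nexthop), kind)


def in_vpn_pool(src):
    """True if src falls inside the VPN client pool range."""
    lo, hi = VPN_POOL
    return lo <= ipaddress.ip_address(src) <= hi


def policy_lookup(src, dst, routes=ROUTES):
    """Source-aware variant (hypothetical): packets sourced from the VPN pool
    are pinned to the default route out Ethernet0/0; everything else, including
    traffic the appliance itself originates from 10.141.96.40, uses the
    ordinary destination-based table."""
    if in_vpn_pool(src):
        for iface, prefix, nexthop, kind in routes:
            if prefix.prefixlen == 0:  # the default route
                return (iface, str(nexthop), "policy: vpn-pool")
    return lookup(dst, routes)


if __name__ == "__main__":
    # A VPN client reaching the auth subnet: connected route wins, goes inside.
    print("plain  :", lookup("10.141.96.10"))
    # The same client reaching the Internet: default route out Ethernet0/0.
    print("plain  :", lookup("8.8.8.8"))
    # With a source-aware rule the client is forced out Ethernet0/0 ...
    print("policy :", policy_lookup("10.141.40.130", "10.141.96.10"))
    # ... while the appliance's own inside address still reaches the servers.
    print("policy :", policy_lookup("10.141.96.40", "10.141.96.10"))
```

The point the model makes is that no amount of adjusting destination routes can separate the two flows, because both have the same destination; only a decision that also looks at the source (or at the tunnel the packet arrived on) can distinguish the VPN client from the appliance itself.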

3 Replies

Mario Manzano
Level 1

Hi!

What is the VPN address pool assigned to your VPN clients?

Sounds like what needs to happen is to create a "clientpool" on the device and then route all that traffic to the desired interface...

Hope this helps!

The clients are given addresses in the pool 10.141.40.120-10.141.40.220.

Further info for you (had the pool range slightly off):

net-vpn-0(config-if)# show ip local pool VLAN70 
Begin           End             Mask            Free     Held     In use
10.141.40.128   10.141.40.198   255.255.252.0      71        0        0

Available Addresses:
10.141.40.128
10.141.40.129
10.141.40.130
10.141.40.131

...