routing through VPN concentrator / ASA

bberry
Level 1

OK .. crazy question here. I have a VPN client either on the older concentrator using IPSec or the newer ASA, but both profiles are set to tunnel everything. How does traffic flow if I go to say www.google.com? Does it flow from the client to the concentrator then inside to follow my internet rules there, or does it flow from the client to the concentrator then follow the default rules for the concentrator itself?

Brent

3 Replies

ErickBCCNA
Level 1

I guess the answer to this would depend on your design and whether or not you are using NAT hairpinning. I have seen both: where the ASA will hairpin the clients' internet traffic back out of the OUTSIDE interface, and I have also seen a design where there was a default route on the ASA with the "tunneled" argument, which instructs the ASA to forward VPN client traffic to a next hop IP address where the clients' internet traffic can then be proxied.

Erick,

I guess I fall into the hairpinning category. Playing with different traceroutes and pings, I am going back out the internet via the default route for the concentrator and ASA. If I traceroute from my client back to a system on the inside there are four hops and they make sense. If I traceroute from the client to say google then I have about 16 hops and it does complete. I am now trying to figure out why HTTP to say google does not work. I am thinking that may be something up with my cloud firewall provider. That is what started this whole thing in the first place.

I was just wondering if there was a way to have the default route for just my address pool point back towards the inside. I guess that would be a NAT to a new VLAN on the inside?

Brent

Hi bberry,

This would again depend on your design. If you have more than one exit point to the internet, you can send your VPN client traffic to the internal network by using the "tunneled" keyword at the end of your static route statement on the ASA and let your internal network perform the default routing to a different exit point for internet access. Just remember that your internal network needs to have a route back to your VPN client's subnet for that to work.

If you only have one point out of your network to the internet, then it really doesn't make any sense to send your VPN client's internet traffic to your internal network.  NAT hairpinning would be the solution for that design or allow your clients to use split tunneling.
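The two designs Erick describes, written out as an added ASA 8.3+ configuration example (not posted in the thread): the hairpin for a single-exit network, and the tunneled default route for a network with more than one exit. The VPN pool 192.168.100.0/24, inside network 10.0.0.0/8, ISP next hop 203.0.113.1, inside next hop 10.0.0.1 and object names are assumed placeholders.

```cisco
! Design A: single internet exit, NAT hairpin for full-tunnel VPN clients.
! Allow traffic to enter and leave the same (outside) interface.
same-security-traffic permit intra-interface
! The ASA's own default route; hairpinned client traffic follows it.
route outside 0.0.0.0 0.0.0.0 203.0.113.1

object network VPN_POOL
 subnet 192.168.100.0 255.255.255.0
object network INSIDE_NET
 subnet 10.0.0.0 255.0.0.0

! Identity NAT so inside-to-client traffic is never translated
! (the four-hop inside path in the thread).
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
! PAT the client pool behind the outside address on the way back out:
! this is the hairpin that makes the ASA's default route apply to clients.
object network VPN_POOL
 nat (outside,outside) dynamic interface

! Design B: more than one exit. Hand decrypted client traffic to the
! inside and let the internal network choose the exit. The tunneled
! keyword is accepted only on a default route and only steers traffic
! that arrived over a VPN tunnel; all other traffic keeps the normal
! default route above.
route inside 0.0.0.0 0.0.0.0 10.0.0.1 tunneled
! The inside routers must still carry a route for 192.168.100.0/24
! pointing back at the ASA, or return traffic never reaches the clients.

! Checks: confirm both default routes are installed, then trace a
! client-sourced packet to see which route and which NAT rule it hits.
show route
packet-tracer input outside tcp 192.168.100.10 40000 198.51.100.80 80
```

Pick one design per ASA: with both present, tunnel-sourced traffic prefers the tunneled route, so the hairpin NAT is never used and the inside path must be able to reach the internet.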