Tunneled Route - Need for two gateways

Douglas Holmes
Level 1

Greetings,

I have a problem that currently is solved through static routes. Users connect to the ASA and gain access to the trusted network for everything, including local resources and the Internet. Hence the static route is on the trusted side, since users need to go anywhere from the local Exchange Server and DNS to Google or even Comedy Central or eBay. All networks that connect to the ASA have a static route on the outside that points to the gateway. The ASA is used to terminate IPSEC connections only. We use both AnyConnect and strongSwan.

I have tested a bit with the "tunneled" route, but it is my understanding that it only routes encrypted traffic. I can see from testing that it does not necessarily replace the static route when initiating tunnels, since they are not encrypted yet?

The problem is that right now all my users are from known IP space. This will change shortly to any IP space worldwide. How do I adjust when this change occurs? Thanks.

Douglas

8 Replies

Aditya Ganjoo
Cisco Employee

Hi Douglas,

You are right.

Only the VPN client/user connected to this ASA will use the static routes for the specific networks, if the user tries to connect to some destination address covered by those routes. If it doesn't match those static routes then it will use the "tunneled" default route.

The "tunneled" parameter doesn't mean that the traffic is encrypted. It just refers to the fact that the "route" command is used to forward traffic arriving from a VPN connection.

Regards,

Aditya

Please rate helpful posts.
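As an added illustration (not configuration from either poster), this is the layout the reply above describes, in ASA CLI syntax: one ordinary default route out the Outside gateway so IKE/ESP/DTLS replies can reach peers anywhere on the Internet, and one "tunneled" default route so traffic leaving a terminated VPN tunnel that matches no more specific route is handed to the trusted side. Interface names, addresses and the 172.16.0.0/16 trusted subnet are placeholders chosen for the example.

```text
! Constructed example; addresses are documentation ranges, not real ones.
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.0.2.10 255.255.255.0
!
! Ordinary default route. Traffic the ASA itself originates (IKE on udp/500,
! NAT-T on udp/4500, AnyConnect TLS/DTLS replies) and any non-VPN through
! traffic with no better route leaves via the outside gateway, so peers from
! unknown IP space can complete the tunnel.
route Outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Tunneled default route (only one is allowed). Decrypted traffic arriving
! from a VPN tunnel that matches no static or learned route is sent to the
! inside gateway, i.e. to the trusted network, Exchange, DNS and onward to
! the Internet by the trusted side's own path.
route Inside 0.0.0.0 0.0.0.0 192.0.2.1 tunneled
!
! Specific trusted subnets keep ordinary static routes; these are preferred
! over the tunneled default for both VPN and non-VPN traffic.
route Inside 172.16.0.0 255.255.0.0 192.0.2.1 1
```

The assumption this relies on is that the trusted-side gateway is itself able to reach the Internet for VPN users; if it is not, the tunneled route only gives them the trusted network.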

Thanks Aditya for the information. However, my basic question is still unanswered. That question is: if my default route is on the trusted network (or inside network), how do I route on the untrusted (or outside) network so that users can hit the outside address of the ASA and receive return traffic from anywhere in the world?

I have two ASAs set up in the lab. One running AnyConnect and another running strongSwan. I can test any suggestions that anyone might have pretty quickly since I won't be impacting users.

Hi Douglas,

The only thing I can think of is using PBR on ASA.

It's supported from ASA code 9.4 onward.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/route-policy-based.html

Regards,

Aditya

Please rate helpful posts.

Thanks again for your input. Would this be what you were referring to:

! As written, each entry matches IPv4 packets from any source with the given
! source port that are addressed to the Outside interface's own address.
access-list s-pbr extended permit udp any4 eq 4500 interface Outside
access-list s-pbr extended permit udp any4 eq isakmp interface Outside
access-list s-pbr extended permit tcp any4 eq www interface Outside
access-list s-pbr extended permit tcp any4 eq https interface Outside

! Route map: traffic matching s-pbr is sent to 10.10.10.1 via Outside.
! nameif values are case-sensitive, so the interface must be "Outside"
! exactly as configured with nameif.
route-map s-pbr-map permit 12
match ip address s-pbr
set ip next-hop 10.10.10.1
set interface Outside

! Apply the policy route to the ingress interface.
int g0/0
policy-route route-map s-pbr-map

Not sure I got the syntax right on this since it doesn't work. I will go back to the configuration guide again.

Hi Douglas,

I am not sure what specific traffic you need to allow through the outside interface, but if you follow the correct syntax you should be able to pass the traffic.

You should be able to verify if the traffic is hitting the correct policy by using a packet-tracer command.

Use show policy-route to check the policies.

And then a packet-tracer to see the following phase in the output:

Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW

Do you see this phase in the packet trace output?

Regards,

Aditya

Please rate helpful posts.

Thanks again for the response.  The "show policy-route" just shows me that I have a policy route applied:

device# show policy-route
Interface                           Route map
GigabitEthernet0/0                  s-pbr-map

I know it's not working since nobody can connect once I remove the static route.

On a packet trace I get "denied by configured rule". I really am looking for all responses from ports tcp https, udp 500 and udp 4500 to be sent to the gateway on the outside. Doesn't seem so hard. But it's starting to look that way.

Hi Douglas,

This means the rules created are not taking effect.

Until we sort out the rules for this traffic we will not be able to route the traffic.

Let me check at my end and I will keep you posted.

Regards,

Aditya
