09-12-2012 07:47 AM
I have a Cisco ASA that provides remote-access VPN to users. The pool address range is 10.16.135.x. When a user (a Windows user) connects to the VPN, a route to 10.0.0.0 255.0.0.0 is added to the routing table. If the user's private IP address is in the 10.x.x.x range, the user can still connect to their LAN. However, if the user has a remote site that also uses 10.x.x.x, the user is no longer able to connect to the remote site because of the new 10.0.0.0 route added after the VPN connection is established.
10.0.0.0 255.0.0.0 On-link 10.16.135.217 281
10.0.0.0 255.0.0.0 10.0.0.1 10.16.135.217 100
10.16.135.217 255.255.255.255 On-link 10.16.135.217 281
09-12-2012 07:51 AM
Hi Tshi,
This is an overlap issue, please check this post:
VPN issue when local lan IP matches Corp LAN IP
Let me know if you have any questions.
Thanks.
Portu.
Please rate any post you find useful.
09-12-2012 09:25 AM
Hi Javier,
Thanks for the quick reply. I don't think it's a similar issue, as my remote users can still connect to their local LAN but are unable to connect to another remote network (10.64.177.x). Because the route 10.0.0.0 is injected once connected to the VPN, the user is no longer able to reach the 10.64.177.x network. He's still able to reach his 10.64.94.x local subnet. He has to add a manual route.
09-12-2012 10:41 AM
Hello Tshi,
The way I see it, this is expected behavior.
If you are using split-tunneling with a 10.0.0.0/8 network, then all of the traffic for any 10.x.x.x network will be sent across the VPN client connection.
If you need to access the 10.64.177.X network but not across the VPN tunnel then basically you have two options:
1- You can use a more specific split-tunneling definition leaving the 10.64.177.X network out of it
2- You can use exclude-specified to exclude both your local network and the 10.64.177.x network from the VPN tunnel.
Please keep in mind that with the exclude specified the VPN client connection will behave in a very similar way as if you had tunnel-all, except that you can exclude some networks from going across the tunnel, ALL other traffic will go across the tunnel.
Here is an example of how to configure exclude-specified for the VPN clients:
group-policy X attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Y
You will also need to check the "Allow Local LAN access" check-box in your VPN client.
Daniel Moreno
Please rate any post you find useful
09-12-2012 10:45 AM
I thought you referred to an overlap issue, I apologize.
Agree with Daniel.
09-12-2012 11:06 AM
Hi Daniel,
At first I thought it could have been the split tunnel command but the command doesn't include the 10 network...
access-list RAVPN_Split_Tunnel standard permit 192.168.25.0 255.255.255.0
I will look into the exclude specified option...
Thanks,
09-12-2012 12:45 PM
Hello Tshi,
Can you please send me the output of the "show run group-policy" of your ASA?
Please also connect the VPN client to your ASA as you normally do and then gather the "show vpn-sessiondb remote". If there is more than one user connected at the time, let me know what your username is, or just copy here the part for your connection.
Finally, please post the "route print" of your computer with the VPN client connected and disconnected.
Thanks.
Daniel Moreno
Please rate any posts you find useful
09-13-2012 04:40 AM
Hi Daniel,
group-policy CART-RA-VPN-GROUP internal
group-policy CART-RA-VPN-GROUP attributes
vpn-simultaneous-logins 2
vpn-idle-timeout 1440
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAVPN_Split_Tunnel
Username : test_vpn Index : 30770
Assigned IP : 10.16.1.10 Public IP : 160.x.x.x
Protocol : IKE IPsecOverNatT
License : IPsec
Encryption : 3DES Hashing : MD5
Bytes Tx : 0 Bytes Rx : 0
Group Policy : CART-RA-VPN-GROUP Tunnel Group : CART-RA-VPN-GROUP
Login Time : 16:20:29 EDT Wed Sep 12 2012
Duration : 0h:03m:17s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
route print before:
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.64.94.254 10.64.94.87 50
10.64.94.0 255.255.255.0 10.64.94.87 10.64.94.87 50
10.64.94.87 255.255.255.255 127.0.0.1 127.0.0.1 50
10.255.255.255 255.255.255.255 10.64.92.87 10.64.94.87 50
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.64.94.87 10.64.94.87 50
255.255.255.255 255.255.255.255 10.64.94.87 10.64.94.87 1
Default Gateway: 10.64.94.254
===========================================================================
Persistent Routes:
None
route print after:
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.64.94.254 10.64.94.87 50
10.0.0.0 255.0.0.0 10.16.1.10 10.16.1.10 20
10.16.1.10 255.255.255.255 127.0.0.1 127.0.0.1 20
10.64.94.0 255.255.255.0 10.64.94.87 10.64.94.87 50
10.64.94.87 255.255.255.255 127.0.0.1 127.0.0.1 50
10.64.93.25 255.255.255.255 10.64.94.254 10.64.94.87 1
10.255.255.255 255.255.255.255 10.16.1.10 10.16.1.10 20
10.255.255.255 255.255.255.255 10.64.94.87 10.64.94.87 50
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.25.0 255.255.255.0 10.16.1.10 10.16.1.10 1
208.116.129.253 255.255.255.255 10.64.94.254 10.64.94.87 1
224.0.0.0 240.0.0.0 10.16.1.10 10.16.1.10 20
224.0.0.0 240.0.0.0 10.64.94.87 10.64.94.87 50
255.255.255.255 255.255.255.255 10.16.1.10 10.16.1.10 1
255.255.255.255 255.255.255.255 10.64.94.87 10.64.94.87 1
Default Gateway: 10.64.94.254
===========================================================================
Persistent Routes:
None
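As an added example (not code from the thread), the comparison of the two route print outputs above can be automated: this script parses both tables, keeps the routes that appeared only after the client connected and point at the VPN adapter's address, and flags any that the split-tunnel ACL does not account for. The sample tables are trimmed copies of the outputs posted above; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: trimmed copies of the "route print" outputs posted in the thread,
# taken before and after the VPN client connected.
ROUTE_PRINT_BEFORE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.64.94.254     10.64.94.87     50
       10.64.94.0    255.255.255.0       10.64.94.87     10.64.94.87     50
      10.64.94.87  255.255.255.255         127.0.0.1       127.0.0.1     50
        224.0.0.0        240.0.0.0       10.64.94.87     10.64.94.87     50
Default Gateway: 10.64.94.254
"""

ROUTE_PRINT_AFTER = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.64.94.254     10.64.94.87     50
         10.0.0.0        255.0.0.0        10.16.1.10      10.16.1.10     20
       10.16.1.10  255.255.255.255         127.0.0.1       127.0.0.1     20
       10.64.94.0    255.255.255.0       10.64.94.87     10.64.94.87     50
      10.64.94.87  255.255.255.255         127.0.0.1       127.0.0.1     50
     192.168.25.0    255.255.255.0        10.16.1.10      10.16.1.10      1
        224.0.0.0        240.0.0.0        10.16.1.10      10.16.1.10     20
        224.0.0.0        240.0.0.0       10.64.94.87     10.64.94.87     50
Default Gateway: 10.64.94.254
"""

# One "Active Routes" row: destination, netmask, gateway (may be "On-link"), interface, metric.
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return a set of (network, gateway, interface) tuples from Windows route print output."""
    routes = set()
    for line in text.splitlines():
        match = ROUTE_LINE.match(line)
        if not match:
            continue  # headers, separators, "Default Gateway:" and "Persistent Routes" lines
        dest, mask, gateway, iface, _metric = match.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.add((net, gateway, iface))
    return routes


def routes_added_by_vpn(before, after, vpn_addr):
    """Networks that exist only after connecting and whose interface is the VPN adapter."""
    added = parse_route_print(after) - parse_route_print(before)
    vpn_nets = [net for net, _gw, iface in added if iface == vpn_addr]
    return sorted(vpn_nets, key=lambda n: (n.prefixlen, int(n.network_address)))


def unexpected_vpn_routes(added, split_tunnel_nets, vpn_addr):
    """Flag added VPN routes that the split-tunnel ACL does not explain.
    The client's own host route, multicast and the limited broadcast entry are expected."""
    allowed = [ipaddress.ip_network(n) for n in split_tunnel_nets]
    host_route = ipaddress.ip_network(f"{vpn_addr}/32")
    broadcast = ipaddress.ip_address("255.255.255.255")
    unexpected = []
    for net in added:
        if net == host_route or net.is_multicast or net.network_address == broadcast:
            continue
        if any(net == a or net.subnet_of(a) for a in allowed):
            continue
        unexpected.append(net)
    return unexpected


if __name__ == "__main__":
    added = routes_added_by_vpn(ROUTE_PRINT_BEFORE, ROUTE_PRINT_AFTER, "10.16.1.10")
    for net in unexpected_vpn_routes(added, ["192.168.25.0/24"], "10.16.1.10"):
        print(f"route not explained by split-tunnel ACL: {net}")
```

Against the sample above the only unexplained route is 10.0.0.0/8, which is exactly the one the thread is chasing; the same check run against a real pair of captures shows immediately whether the client is installing anything beyond what the ACL asks for.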
09-13-2012 07:35 AM
Hello Tshi,
Thank you for the outputs.
The reason why I requested those outputs is because I wanted to make sure that your VPN client was getting the right group-policy with the proper split-tunnel ACL and that it was not getting a different group-policy with a different split-tunnel definition. This could happen depending on the authentication method you are using.
Based on this the user is getting the group-policy "CART-RA-VPN-GROUP" which has the split-tunnel ACL "RAVPN_Split_Tunnel". And according to one of your previous posts that ACL only contains this line:
access-list RAVPN_Split_Tunnel standard permit 192.168.25.0 255.255.255.0
And we can see the route in the "route print" that the VPN client is adding for that network:
192.168.25.0 255.255.255.0 10.16.1.10 10.16.1.10 1
However, I can also see the route you are talking about:
10.0.0.0 255.0.0.0 10.16.1.10 10.16.1.10 20
There is definitely no reason for the split-tunnel to add that route. So the only other reason I can think of for this issue is the pool mask that you defined.
Can you please post the result of the command "show run ip local pool"?
Thanks.
Daniel Moreno
Please rate any posts you find useful.
09-13-2012 08:20 AM
Hi Daniel,
Thanks for the reply...Below you will find the requested output. I'm starting to wonder if this is Cisco Client/Windows behavior. I am saying that because remote VPN users getting the 172.16.10.x IP addresses will see a route to 172.16.0.0 255.255.0.0 added to their route print after connecting to the VPN.
ip local pool CARTVPN 172.16.10.1-172.16.10.254
ip local pool Subnet_10 10.16.1.10-10.16.1.254
09-13-2012 08:45 AM
Tshi,
Can you please configure the pool like this:
ip local pool Subnet_10 10.16.1.10-10.16.1.254 mask 255.255.255.0
Test again and let me know the results.
Daniel Moreno
Please rate any posts you find useful
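As an added example, not part of the thread: Daniel's diagnosis, together with Tshi's observation that a 172.16.10.x pool produces a 172.16.0.0 255.255.0.0 route, is consistent with the client installing a classful network route whenever the pool carries no explicit mask. The script below predicts the route a pool definition will produce with and without a mask, and reports which networks a user needs to reach outside the tunnel would be captured by it, taking longest-prefix match into account so that a directly connected LAN such as 10.64.94.0/24 is not reported. The classful rule is my assumption that fits the two data points in the thread; the function names are mine.

```python
import ipaddress


def classful_prefix(addr):
    """Classful default prefix length for an IPv4 address: class A /8, B /16, C /24."""
    first_octet = int(ipaddress.ip_address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr} has no classful default mask")


def pool_route(pool_start, mask=None):
    """Network route the client installs for its assigned pool address.
    Assumption (matches the thread): the explicit pool mask if one is configured,
    otherwise the classful default for the address."""
    if mask:
        prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    else:
        prefix = classful_prefix(pool_start)
    return ipaddress.ip_network(f"{pool_start}/{prefix}", strict=False)


def captured_networks(pool_start, needed, existing_routes, mask=None):
    """Networks from `needed` that the pool route would pull into the tunnel.

    A network is not reported when a more specific route already on the host
    (for example the directly connected LAN) wins by longest-prefix match."""
    route = pool_route(pool_start, mask)
    existing = [ipaddress.ip_network(r) for r in existing_routes]
    captured = []
    for net in (ipaddress.ip_network(n) for n in needed):
        if not net.overlaps(route):
            continue
        if any(net.subnet_of(r) and r.prefixlen > route.prefixlen for r in existing):
            continue
        captured.append(net)
    return captured


if __name__ == "__main__":
    # The two pool definitions Tshi posted, before and after Daniel's suggested mask.
    needed = ["10.64.177.0/24", "10.64.94.0/24"]   # remote site and local LAN from the thread
    local_lan = ["10.64.94.0/24"]                   # directly connected, more specific route
    for mask in (None, "255.255.255.0"):
        print(f"pool 10.16.1.10 mask={mask}: route {pool_route('10.16.1.10', mask)}, "
              f"captured {captured_networks('10.16.1.10', needed, local_lan, mask)}")
```

Without the `mask` keyword the pool yields 10.0.0.0/8 and the 10.64.177.0/24 site is captured while the local 10.64.94.0/24 LAN survives thanks to its more specific connected route, which is precisely the behaviour Tshi described; with `mask 255.255.255.0` the route shrinks to 10.16.1.0/24 and nothing outside the pool is affected.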
09-13-2012 11:38 AM
Thanks much Daniel...
09-13-2012 11:40 AM
I'm glad I could help.
Daniel Moreno