4624 Views, 0 Helpful, 6 Replies

VPN Tunnel Default Gateway/Routing

Mohamed Hamid
Level 1

Hi Guys

I have a similar network to the one explained in this document

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd805f0bd6.html

My VPN traffic is able to communicate with hosts behind my internal firewall; however, when a host behind the internal firewall tries to communicate with a VPN client this is not working, and I can see that traffic going down the default route for the ASA (to the internet) rather than to the VPN client.

What routing setting do I need to add to get this working?

6 Replies

Jouni Forss
VIP Alumni

Hi,

I would rather look at your specific setup than the one in the document.

Do you have a firewall and a separate VPN device?

What type of device(s) do you have and what's their software level?

You say that the VPN clients are able to connect to the internal network but not the other way around? It would seem to me that connectivity should not be the problem if you are already able to form connections in one direction.

Are you sure that the problem is not with the actual VPN client hosts? Perhaps they are blocking the connection attempts? I have not had to deal with this myself really, as VPN client connections typically aren't used to enable connection forming in the direction you are asking. But I guess there are situations like that, though I don't usually run into anything like that.

How do you confirm that the traffic doesn't go to the VPN client but rather to the Internet directly?

- Jouni

Hi Jouni

Yes the VPN device is the ASA and the internal firewall is connected to the ASA.

I have created a tunnel default gateway to send vpn decrypted traffic to the internal firewall.

Cisco ASA 5500 series

Yeah, I am sure it's not a client issue, as I have run a trace on the router that sits above the ASA and can see packets from the internal network reaching the router. This should not be the case, as those packets should be routed to the VPN clients and not the router.

Mohamed

Hi,

Are both the VPN and FW device ASA firewalls?

Does the actual firewall have an interface which is connected to the VPN ASA and the VPN ASA has a default route for the traffic incoming from a VPN connection to be forwarded to the actual FW ASA and naturally FW ASA has a route towards the VPN ASA for the VPN pools/networks?

If so, I assume that the traffic from the LAN towards the VPN Client gets through the FW ASA to the VPN ASA but from the VPN ASA does not get encrypted but rather forwarded directly out the WAN interface of the VPN ASA?

- Jouni

> Are both the VPN and FW device ASA firewalls?

No, the FW is from a different vendor; only the VPN gateway is an ASA.

> Does the actual firewall have an interface which is connected to the VPN ASA and the VPN ASA has a default route for the traffic incoming from a VPN connection to be forwarded to the actual FW ASA and naturally FW ASA has a route towards the VPN ASA for the VPN pools/networks?

Yes, the firewall is connected directly to the Cisco ASA.

Yes, the ASA has a default route to allow incoming connections from anywhere to establish the initial VPN connection.

Yes, the ASA has the tunnel default gateway set for VPN tunnels to send all VPN traffic down to the internal firewall.

Yes, the firewall has a route entry to send all traffic to the VPN subnet up to the ASA via the connected link.

> If so, I assume that the traffic from the LAN towards the VPN Client gets through the FW ASA to the VPN ASA but from the VPN ASA does not get encrypted but rather forwarded directly out the WAN interface of the VPN ASA?

Yes, that is correct: LAN traffic from behind the internal firewall goes to the ASA and out the WAN port rather than to the VPN client. Is it supposed to get encrypted and then sent to the real VPN IP, or should it be able to communicate directly with the VPN IP address, since the ASA already knows about the VPN IP address?

This is where I am rather confused, and I am wondering if I need to configure special routing on the ASA to allow LAN traffic to access VPN clients on their IP.

Mohamed

Hi,

If you use the command

show route

Can you see the VPN Client pool IP address in the listing?

Have you tried to do "packet-tracer" for the traffic destined to the VPN client IP (when the client is connected)?

packet-tracer input tcp 12345

- Jouni
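To make the setup described in the thread (ordinary default route toward the Internet, a tunnel default gateway toward the internal firewall) and the two checks Jouni suggests concrete, here is an added ASA CLI example. It is constructed for this page and is not the original poster's configuration or Jouni's: the interface names, addresses, pool range and port numbers are all assumptions chosen to illustrate the topology (ASA "outside" toward the Internet router, ASA "inside" toward the third-party firewall, client pool 192.168.50.0/24, LAN host 10.1.1.10).

```cisco
! Constructed example topology, not the original poster's configuration.
! outside = link to the Internet router, inside = link to the internal (third-party) firewall.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.255.255.1 255.255.255.252
!
! Ordinary default route: lets remote clients reach the ASA and carries
! all non-VPN traffic toward the Internet router.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Tunnel default gateway: applies only to traffic that arrived through a VPN
! tunnel (already decrypted) and sends it to the internal firewall.
route inside 0.0.0.0 0.0.0.0 10.255.255.2 tunneled
!
! Address pool handed to remote-access clients (assumed range).
ip local pool VPNPOOL 192.168.50.1-192.168.50.254 mask 255.255.255.0
!
! --- Verification, run in exec mode while a client is connected ---
! 1. Does the routing table contain the pool network or a host entry for the client?
show route
! 2. Which address was actually assigned to the connected client?
show vpn-sessiondb
! 3. Trace a LAN-to-client flow the way the ASA would forward it
!    (source 10.1.1.10, source port 12345, destination client 192.168.50.5, port 3389).
packet-tracer input inside tcp 10.1.1.10 12345 192.168.50.5 3389 detailed
```

The "tunneled" keyword is what distinguishes the two default routes: the tunneled route is consulted only for decrypted VPN traffic, so it does not affect how the ASA forwards packets arriving from the inside interface. The packet-tracer line shows the full argument order (input interface, protocol, source address and port, destination address and port) that the abbreviated command in the reply above omits; the detailed output lists the route lookup phase, which is where a LAN-to-client flow being sent out the outside interface would show up.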

Hi there

No, I am not seeing the VPN client pool IP in the listing. Would this be because of the default tunnel gateway?

I did a packet trace and it tells me no packets are dropped. I am not sure if this is a reliable command, as when I initiate traffic from the real server it does not work, whereas the ASA claims the packet trace was successful.

Regards

Mohamed
