Weird gateway on VPN client side using AnyConnect VPN

miles0001 · ‎07-23-2013

Hi folks,

ASA 5512-X, ver. 9.1(2). Internal network 192.168.0.0/16, internal gateway (ASA inside) 192.168.0.101, AnyConnect VPN clients get their addresses from a Windows 2008 DHCP server.

I've got the AnyConnect VPN tunnel connecting, but problem is, that the route that is pushed to the VPN client is completely wrong, 192.168.0.1. This IP address is not defined anywhere in the ASA, nor in the whole network. The route that should be pushed instead, is the address of the ASA inside interface, that is 192.168.0.101. This implies that only the ASA itself is reachable when AnyConnect is active.

What's wrong here? Where can I define the gateway that should be pushed to the VPN client?

Another question is, why does the VPN client software replace the default gateway? I don't want all my traffic to go through the VPN tunnel, only traffic destined for the corporate network (that is traffic to 192.168.0.0/16).

Anybody got any ideas?

Best regards,

Peter

Azubuike Obiora · ‎07-23-2013

Hi,

Can we see your ip pool address configs? as well full config of your anyconnect that might help with a more logical reasoning.

Cheers.

Teddy

miles0001 · ‎07-23-2013

Hi Teddy,

The address pool, or absence of any address pool, hasn't got any effect. I'm getting addresses from the corporate DHCP server (see my post above). The problem here is that the route that's pushed to the VPN client is wrong. The default gateway is terribly wrong. There can be no conflict with my remote network, as that is a 172.16.0.0/24 network. The relevant parts of my configuration is also appended below.

Thansk for your input.

Peter

Ethernet adapter Cisco AnyConnect VPN Client Connection:

Connection-specific DNS Suffix . : mylocaldomain.local

Description . . . . . . . . . . . : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64

Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.128.13

Subnet Mask . . . . . . . . . . . : 255.255.0.0

Default Gateway . . . . . . . . . : 192.168.0.1

DNS Servers . . . . . . . . . . . : 192.168.0.201

: Saved

: Written by admin at 14:55:01.180 CEDT Tue Jul 23 2013

: Call-home enabled from prompt by enable_15 at 07:35:43 UTC Jul 13 2013

!

ASA Version 9.1(2)

!

hostname mygate

domain-name mylocaldomain.local

names

ip local pool VPNClientAddresses 192.168.128.1-192.168.144.254 mask 255.255.0.0

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 95.xxx.xxx.xxx 255.xxx.xxx.xxx

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.0.101 255.255.0.0

!

----

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.0.201

name-server 78.xxx.xxx.xxx

name-server 78.xxx.xxx.yyy

domain-name mylocaldomain.local

same-security-traffic permit intra-interface

object network smtpservices

object network Server_Mail

host 192.168.0.212

object service SSH_Service

service tcp destination eq ssh

object service SMTP_Service

service tcp destination eq smtp

object network Diagserver

host 192.168.0.213

object network diagextip

host 78.110.208.42

object network Servicehelper

host 192.168.0.213

object service OpenVPN_Custom

service udp destination eq 19455

object network FakeSSH

host 192.168.0.213

object-group service OpenVPN-custom udp

port-object eq 19455

object-group service VirtualSSH tcp

port-object eq 18871

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group icmp-type DM_INLINE_ICMP_1

icmp-object time-exceeded

icmp-object traceroute

icmp-object unreachable

object-group network DM_INLINE_NETWORK_1

network-object 10.0.1.0 255.255.255.0

network-object 10.0.2.0 255.255.255.0

network-object 10.0.3.0 255.255.255.0

access-list outside_access_in extended permit object SMTP_Service any object Server_Mail

access-list outside_access_in extended permit tcp any object Diagserver eq www

access-list outside_access_in extended permit tcp any object Servicehelper eq ssh

access-list outside_access_in extended permit udp any object Servicehelper eq 19455

access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1

access-list inside_access_in extended permit ip any any

access-list tcp_bypass extended permit ip any object-group DM_INLINE_NETWORK_1

access-list AnyConnect_Client_Local_Print extended permit ip any4 any4

access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd

access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631

access-list AnyConnect_Client_Local_Print remark Windows' printing port

access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100

access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353

access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355

access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137

access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo outside

icmp permit any outside

icmp permit any echo-reply outside

icmp permit any time-exceeded outside

icmp permit any unreachable outside

icmp deny any outside

!

object network Server_Mail

nat (inside,outside) static interface service tcp smtp smtp

object network Diagserver

nat (inside,outside) static diagextip service tcp www www

object network Servicehelper

nat (inside,outside) static interface service udp 19455 19455

object network FakeSSH

nat (inside,outside) static interface service tcp ssh 18871

!

nat (inside,outside) after-auto source dynamic any interface

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 95.xxx.xxx.yyy 1

route inside 10.0.1.0 255.255.255.0 192.168.0.213 1

route inside 10.0.2.0 255.255.255.0 192.168.0.213 1

route inside 10.0.3.0 255.255.255.0 192.168.0.213 1

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.0.0 255.255.0.0 inside

no vpn-addr-assign aaa

no vpn-addr-assign local

no ipv6-vpn-addr-assign aaa

no ipv6-vpn-addr-assign local

webvpn

enable outside

anyconnect-essentials

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect profiles MainVPN_client_profile disk0:/MainVPN_client_profile.xml

anyconnect enable

tunnel-group-list enable

keepout "Forbidden"

group-policy DfltGrpPolicy attributes

dns-server value 192.168.0.201 78.xxx.xxx.xxx

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client

default-domain value mylocaldomain.local

group-policy GroupPolicy_MainVPN internal

group-policy GroupPolicy_MainVPN attributes

wins-server none

dns-server value 192.168.0.201 78.xxx.xxx.xxx

vpn-tunnel-protocol ikev2 ssl-client

default-domain value mylocaldomain.local

webvpn

anyconnect profiles value MainVPN_client_profile type user

tunnel-group DefaultRAGroup general-attributes

dhcp-server 192.168.0.201

tunnel-group DefaultRAGroup webvpn-attributes

authentication aaa certificate

tunnel-group DefaultWEBVPNGroup webvpn-attributes

authentication certificate

tunnel-group MainVPN type remote-access

tunnel-group MainVPN general-attributes

address-pool TempPool

default-group-policy GroupPolicy_MainVPN

dhcp-server 192.168.0.201

scep-enrollment enable

username-from-certificate use-entire-name

tunnel-group MainVPN webvpn-attributes

group-alias MainVPN enable

tunnel-group-map enable rules

!

class-map global-class

match default-inspection-traffic

class-map inspection_default

match default-inspection-traffic

class-map tcp_bypass

match access-list tcp_bypass

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect xdmcp

inspect rsh

inspect rtsp

inspect esmtp

inspect sunrpc

inspect netbios

policy-map global-policy

class global-class

inspect icmp

inspect dns

inspect ftp

inspect esmtp

inspect icmp error

policy-map tcp_bypass_policy

class tcp_bypass

set connection advanced-options tcp-state-bypass

!

service-policy global-policy global

service-policy tcp_bypass_policy interface inside

smtp-server 192.168.0.212

miles0001 · ‎07-23-2013

Forgot to activate the address pool

Peter

Azubuike Obiora · ‎07-23-2013

Hi Peter!

Sorry for responding late! But I should say from your last post you have it resolved now. I'm glad if that is the case! because theres just a lot to do sometimes we forget the nitigrities that needs to be looked into very well.

I've been in that possition too! I forgot to do same as the address pool you did! My case was that i couldn't even get an IP that was something that just give me an indication that I am missing the address pool

Have a great one mate!

Cheers

Teddy