How can I specify a default gateway for AnyConnect users with a local IP pool?

Answered Question
Nov 20th, 2009

Hi all,

This question pertains to my ASA5510 running 8.0(4) software.

For several of my AnyConnect group policies, I am using a local IP pool to assign addresses to the remote clients.  The pool is 10.1.50.1 - 10.1.50.250.  The problem is that when the clients connect, they are getting a default gateway of 10.1.0.1.  This would be OK in a properly configured network, but this isn't really one of those.

I don't think there is anyplace where I can specify the default gateway, is there?  What's the proper way to work around this?

Thanks in advance,

- Steve

mopaul Sat, 11/21/2009 - 10:41

Hey,


There is no way you can push or configure a DG on clients (be it AnyConnect or IPsec). By design it works as follows:

Split tunneling enabled: you would see NO DG in ipconfig /all on the VPN adapter.

Split tunneling disabled: either the first IP from the pool or the client's IP address will be seen as the DG.

From a pool of 10.1.50.1 - 10.1.50.250, with split tunneling disabled you should see the DG either as 10.1.50.1 or as the IP assigned to your client by the local pool on the ASA.

Seeing a DG, that too out of the pool, sounds weird. Are you sure that you didn't make a typo in your post? I mean it's 10.1.50.1 and not 10.1.0.1.



Regards

M

rstevek Mon, 11/23/2009 - 07:47

Hi,

Thanks very much, but it was not a typo.  I've attached a screenshot showing the IP address assigned to me by the AnyConnect client, and here's the output of ipconfig /all:


Windows IP Configuration

        Host Name . . . . . . . . . . . . : 154chris-net-is
        Primary Dns Suffix  . . . . . . . : vcnynt.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : vcnynt.com
                                            vcnynt.com
                                            momentumaidsproject.org

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Connection
        Physical Address. . . . . . . . . : 00-1C-BF-99-E8-35

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
        Physical Address. . . . . . . . . : 00-1B-38-B9-03-A2
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 68.167.16.171
        Subnet Mask . . . . . . . . . . . : 255.255.255.248
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 68.167.16.169
        DNS Servers . . . . . . . . . . . : 64.105.124.155
                                            64.105.159.251
        Lease Obtained. . . . . . . . . . : Monday, November 23, 2009 9:58:23 AM
        Lease Expires . . . . . . . . . . : Monday, November 23, 2009 10:58:23 AM

Ethernet adapter Cisco AnyConnect VPN Client Connection:

        Connection-specific DNS Suffix  . : vcnynt.com
        Description . . . . . . . . . . . : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
        Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.1.50.1
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 10.1.0.1
        DNS Servers . . . . . . . . . . . : 10.1.2.80
                                            10.1.2.180

Thanks,

- Steve

Correct Answer
mopaul Mon, 11/23/2009 - 09:33

Hi,

Check this out...

Ethernet adapter Cisco AnyConnect VPN Client Connection:

        Connection-specific DNS Suffix  . : vcnynt.com
        Description . . . . . . . . . . . : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
        Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.1.50.1
        Subnet Mask . . . . . . . . . . . : 255.255.0.0 <<<<<<<< Subnet mask is /16.
        Default Gateway . . . . . . . . . : 10.1.0.1

10.1.50.1 is a part of the 10.1.0.0 subnet. By design, to make VPN client routing compatible with Vista machines, we had changed the IP address assignment for the DG on the client. It had been noticed that if the DG has the same IP as the virtual adapter's IP address it won't work. So what you are seeing is the right behavior.

In other words, AnyConnect will show the first IP address of the subnet as the DG, which in your case is 10.1.0.1.




HTH...


Regards

M


P.S.: For all users, whenever you post your questions and the solution given to you works, please make sure you rate it. That helps other users with the same query get their answers in less time rather than posting a new thread for the same thing and waiting for answers. This saves time for both the author and the person who replies.

rstevek Mon, 11/23/2009 - 10:22

Hi,

Thanks again.  I guess I wasn't clear.  I know that 10.1.0.1 is the first address in our class B.  That goes back to what I said about how this would be OK if this was a properly configured network.

I guess if there's no way to change the gateway for the AnyConnect clients, I should reconfigure the network.  10.1.0.1 was assigned to a workstation by DHCP, but that's easily fixed and I can put it as a secondary address on the gateway.

Thanks,

- Steve

mopaul Mon, 11/23/2009 - 12:07

Hi,


Well, that's correct: there is no way to change the DG, as it's hardcoded on the clients. That's why even Cisco does not recommend overlapping subnets across the tunnel, be it site-to-site or VPN clients. In the case of the latter, the pool is not recommended to be part of the same subnet as the internal LAN behind the VPN-terminating device.


HTH...


Regards

M
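As an added example (not code from the thread, Cisco, or the ASA), a small Python check that parses the AnyConnect adapter block of `ipconfig /all`, derives the gateway the answers describe (the first address of the subnet formed by the assigned address and mask), and tests whether an ASA local pool overlaps an internal LAN prefix as the final reply warns against. The sample adapter block and the LAN prefixes are constructed from the values posted above.

```python
import ipaddress
import re

# Constructed sample: the AnyConnect adapter block from `ipconfig /all`, using
# the values posted in the thread (10.1.50.1, mask 255.255.0.0, DG 10.1.0.1).
SAMPLE_IPCONFIG = """\
Ethernet adapter Cisco AnyConnect VPN Client Connection:

        Connection-specific DNS Suffix  . : vcnynt.com
        IP Address. . . . . . . . . . . . : 10.1.50.1
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 10.1.0.1
"""

# Matches "Field . . . : value" lines; the value may be empty, which is what
# the split-tunneling case looks like (no DG on the VPN adapter).
FIELD_RE = re.compile(
    r"^[ \t]*(IP Address|Subnet Mask|Default Gateway)[ .]*:[ \t]*(\S*)[ \t]*$", re.M)


def parse_adapter(text):
    """Return (ip, mask, gateway-or-None) from one ipconfig adapter block."""
    fields = dict(FIELD_RE.findall(text))
    return fields["IP Address"], fields["Subnet Mask"], fields.get("Default Gateway") or None


def expected_gateway(ip, mask):
    """First address of the subnet formed by the pushed address and mask, which
    is what the thread says AnyConnect installs as the default gateway."""
    net = ipaddress.IPv4Interface(f"{ip}/{mask}").network
    return str(net.network_address + 1)


def check_adapter(text):
    """Compare the reported gateway with the derived one and flag the condition
    the thread calls out: a derived gateway equal to the client's own address."""
    ip, mask, reported = parse_adapter(text)
    derived = expected_gateway(ip, mask)
    return {"reported": reported, "derived": derived,
            "matches": reported == derived, "gateway_is_self": derived == ip}


def pool_overlaps_lan(pool_first, pool_last, lan_cidr):
    """True when the ASA local pool shares addresses with the internal LAN
    subnet, the overlap the final answer says Cisco does not recommend."""
    lan = ipaddress.IPv4Network(lan_cidr)
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(pool_first), ipaddress.IPv4Address(pool_last))
    return any(block.overlaps(lan) for block in blocks)
```

Running `check_adapter(SAMPLE_IPCONFIG)` reproduces the 10.1.0.1 gateway from the post, and `pool_overlaps_lan("10.1.50.1", "10.1.50.250", "10.1.0.0/16")` shows why that pool collides with a /16 LAN.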
