VPN Router design advice

Mar 12th, 2010

I am replacing a 3015 concentrator with a 2801 sec-bundle router. The public interface of the concentrator sits in the 'public dmz' of our ASA. The private interface of the concentrator sits in an internal dmz of the ASA. I currently have the 2801 connected similarly, with one interface in each dmz. The router's default gateway is out the 'public' side, and it has static routes that point to all of our internal networks through the 'private' side. This is working fine for all of our lan-to-lan tunnels.

My problem is with AnyConnect SSL clients, specifically when a remote user tries to connect to the internet. Because the router's default gateway points out the 'public' side, the remote user's internet traffic is going out the 'public' side of the router and hitting the public dmz interface of our ASA. Even if I allow that traffic out, the ASA will try to route the return traffic to the remote users via the internal interface, because of the subnet that I'm terminating the remote clients on. With the concentrator and the IPSec client, there is a 'tunnel default gateway' option that lets me point all the remote user traffic at the internal side of the ASA. Unfortunately, that option does not appear to exist for the SSL client.

One option I am considering is eliminating one leg of the router. If I force all traffic in/out through one side, then I won't have this problem. Another option is to set up a new subnet for the remote access clients that is always routed through the public interface. Alternatively, I could just allow split tunneling by the clients, but I would rather not do that. Are there other options that I'm not seeing? Does anyone have a recommendation on which way to go?

I will attach a diagram.

Federico Coto F... Fri, 03/12/2010 - 08:15


If I understand, the problem is that remote clients terminate on the ASA, but they are routed to the router, whose default gateway points to the DMZ of the ASA, and that's why it is not working.

Couldn't you provide the AnyConnect SSL VPN clients with Internet access without reaching the internal router? I mean, the same ASA will terminate the remote VPN client connections and provide them with Internet access via the same outside interface on which it receives the clients.


b-hayes Fri, 03/12/2010 - 08:20

No, the tunnels and remote access clients are all terminated on the 2801.

Federico Coto F... Fri, 03/12/2010 - 08:23

Wouldn't it be better to terminate the VPNs on the ASA?

Or is there a restriction that you cannot do that?


b-hayes Fri, 03/12/2010 - 13:55

I prefer to keep the VPN tunnels separated from the ASA. It mimics what we had before with the 3015 concentrator, and makes it less likely that a misconfigured crypto map could affect traffic on the ASA.

Federico Coto F... Fri, 03/12/2010 - 14:17

In that case, the ASA supports asymmetric routing in versions 8.2(1) and later.

This feature is commonly used in Active/Active Failover scenarios, but it supports grouping interfaces on the same unit to continue handling packets for which it has no session information. I believe it only works for A/A failover, but take a look:


If this does not work, then you will have to use one of the options that you described in your original post.
