IPSec Tunnel Default Gateway Issue

Unanswered Question
Mar 31st, 2010

We have a Cymphonix web filter appliance that bridges between the internal network and the ASA firewall.

I have a couple of sites on L2L VPNs whose web traffic I'd like routed through the Cymphonix device, which means pushing it out the inside interface and letting it bounce back out through the "proper" channels. The simplest way I could think of was to set the tunnel gateway address to my internal main router. However, when I do this my remote VPN sites lose Internet access (the tunnel stays available for local traffic). Right now the remote sites access the Internet directly through the outside interface of the ASA. See the cfg snippet below; the other site is configured identically.

access-list PVL_VPN extended permit ip any

access-list nonat extended permit ip any

nat (Outside) 1

route Outside 1

Will my intended scenario work at all? It seemed simple enough: change the gateway to an internal router with a route back out. But in practice it isn't as easy.

Federico Coto F... Wed, 03/31/2010 - 11:16


When you configure a tunnel default gateway on the ASA, it will send all encrypted traffic to that gateway (the internal router).

This will disrupt Internet access for remote VPNs (if not using split tunneling).

The solution as you mentioned, is to have a route back out on the internal router pointing to the Internet again (at least for the VPN clients).

What is the problem that you see with implementing this?


cceaton01 Wed, 03/31/2010 - 11:23

I assumed the default route on my internal router would handle this.  It points back to the inside interface of the ASA which should send any traffic back through the Cymphnix box and out to the internet.  But this isn't what happened.

Federico Coto F... Wed, 03/31/2010 - 11:40

If the internal router has a default route pointing to the ASA, and the ASA has a default gateway to the Internet it should work... but check the following...

If the traffic from the remote VPN clients is terminating on the ASA and then being sent to the internal router, the internal router will send it back to the ASA and on to the Internet.

The ASA should have a NAT statement that allows the pool of VPN client addresses to get NATed to the Internet.

Let's say the pool of VPN addresses is: 10.x.x.x/24

So, when traffic from 10.x.x.x/24 is getting back to the inside interface of the ASA (from the internal router), the ASA should be able to NAT this traffic:

nat (inside) 1 10.x.x.0

global (outside) 1 interface

I believe the traffic from the remote VPN clients is getting to the tunnel default gateway, back to the ASA, and then dying? Is this happening?

If this is so, check the NAT configuration on the ASA.

If the problem persists, please let us know where does the traffic seem to stop.


cceaton01 Wed, 03/31/2010 - 11:43

I just turned on some debugging on my internal router to see if I could see packets coming from my VPN location to the internal router, and I could not. NAT is set up correctly for outgoing connections; my 14 other non-VPN sites are fine. VPN sites are fine until I change the gateway. Very strange.

Federico Coto F... Wed, 03/31/2010 - 11:50

Is there an outbound ACL on the inside interface of the ASA preventing the VPN traffic from reaching the inside router?

You might want to try a traceroute from the VPN client when going to the Internet and see if the traffic reaches the internal router.

If the traffic is not reaching the internal router, could you verify if the ASA is sending that traffic to the internal router?

You can do this with an ACL applied outbound to the inside interface of the ASA, for example:

access-list test-vpn permit ip 10.x.x.0 any

access-list test-vpn permit ip any any

access-group test-vpn out interface inside

If, when doing a "sh access-list test-vpn", you see hit counts on the first line, you know the ASA is sending the traffic from the remote clients to the inside router.

We will need to determine why you don't see this traffic reaching the router itself.

If you don't see hit counts, most likely the ASA is rerouting the traffic back out another interface, or dropping the traffic.

Which case is it?


cceaton01 Wed, 03/31/2010 - 12:34

You were right... it should work... that is, if the dummy who is configuring it applies the tunnel gateway on the correct interface! I realized, after banging my head against the wall, that I should be applying the gateway to the INSIDE interface, not the OUTSIDE interface. I switched and "Voilà!" filtered web access! It always helps to apply things to the correct interfaces!
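An added configuration example, not posted by anyone in this thread, that puts together the pieces discussed above in ASA 8.2-era syntax: Federico's point that the pool must be NATed when it comes back in through the inside interface, his outbound test ACL for checking hit counts, and cceaton01's fix of attaching the tunneled route to the inside interface (the interface the internal router sits behind), not the outside one. Every address and interface name is assumed for illustration: inside LAN 192.168.10.0/24, ASA inside address 192.168.10.254, internal router 192.168.10.1, VPN pool or remote L2L network 10.10.10.0/24, ISP next hop 203.0.113.1.

```cisco
! Added example (not from the thread): route VPN-sourced Internet traffic through the
! internal router (and the inline web filter) before it leaves via the outside interface.
! Assumed addresses:
!   inside LAN        192.168.10.0/24, ASA inside 192.168.10.254, internal router 192.168.10.1
!   VPN pool / L2L    10.10.10.0/24
!   ISP next hop      203.0.113.1 (documentation range)
!
! Ordinary default route: non-VPN traffic still leaves directly via the outside interface.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Tunnel default gateway. The next hop is the internal router, so the route belongs on the
! INSIDE interface (cceaton01's fix). It is used only for traffic that arrived through a VPN
! tunnel and matches no more specific route, so VPN-to-LAN traffic still takes the
! connected route on inside.
route inside 0.0.0.0 0.0.0.0 192.168.10.1 tunneled
!
! NAT exemption between the internal LAN and the VPN network (bidirectional in 8.2).
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! When the router hands the VPN traffic back to the ASA's inside interface, it still carries
! its 10.10.10.x source, so the pool needs its own nat entry on inside to reach the Internet.
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
!
! Verification ACL from Federico's post: count what the ASA actually sends toward the router.
! Line 1 matches only VPN-sourced traffic; line 2 keeps everything else flowing.
access-list test-vpn extended permit ip 10.10.10.0 255.255.255.0 any
access-list test-vpn extended permit ip any any
access-group test-vpn out interface inside
!
! Checks to run after a ping from a VPN host to an Internet address:
!   show access-list test-vpn       -> hitcnt on line 1 rises if the tunneled route is taken
!   show xlate | include 10.10.10   -> pool address translated to the outside interface IP
!   show route                      -> the tunneled default route is listed on "inside"
```

If line 1 of test-vpn never counts, the ASA is not diverting the decrypted traffic to the router at all (wrong interface on the tunneled route, or a more specific route winning). If it counts but the remote site still has no Internet, the failure is on the return leg: the router's default route back to the ASA, or the missing nat (inside) entry for the pool.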

teater Tue, 06/08/2010 - 21:50

I am trying to do the same thing.  I have not yet placed my web filter inline pending my testing.  I have a layer 3 switch on the inside interface of my ASA and it has a default route to the ASA.

My VPN clients are in pool

My inside network is and,  the inside interface is named APP

My outside PAT address for is 62.x.x.62

Layer 3 switch IP:

ASA inside interface is

ASA configuration snippets:

! Route statements in ASA:

route Public y.y.y.y 1  !  (y.y.y.y is my real outside address, 62.x.x.0/64 is a routed network to y.y.y.y)
route APP tunneled
route APP APP-network 1
route APP Internal-network 1

APP-network =

Internal-network =

! Last statement of APP_access_in ACL which allows my VPN addresses to pass through from the inside (APP) to anywhere:

access-list APP_access_in extended permit ip any

! NAT Exempt inside (APP) when communicating with (includes VPN clients)

access-list APP_nat0_outbound extended permit ip Internal-network

global (Public) 2 62.x.x.62 netmask

nat (Public) 2    ! NAT the VPN client

GUI log messages:

6|Jun 08 2010|23:46:28|302020||0||7|Built inbound ICMP connection for faddr gaddr 62.xxx.xxx.62/5 laddr
6|Jun 08 2010|23:46:28|302020||7||0|Built outbound ICMP connection for faddr gaddr 62.xxx.xxx.62/5 laddr

It looks as if my ping goes out and comes back but (VPN client) does not see the echo reply.   If I remove the tunneled route, I do get the replies

no route APP tunneled

So, it appears I am going from VPN Client -> ASA -> inside layer 3 switch -> ASA -> -> ASA -> drops

Based on my SHOW XLATE and the above log message, I am translating to 62.xxx.xxx.62.

Any help why my VPN client cannot communicate with the Internet?

Could anyone post/send me a working config (sanitized, of course)?

