We have an ASA 5550. How do you put the statement for the inside default route? When I put the inside default route (route Inside 0.0.0.0 0.0.0.0 172.16.3.254 tunneled), I cannot get on the internet when I connect to Cisco VPN client with group policy techsupport (full tunnel). However, I can get on the internet with split-tunnel for splitunnel group policy. Attached is the config. Please let me know if you need additional information.
Do you have any suggestions?
After thinking carefully, even with an IP pool configured with public IP addresses, as far as the connection is concerned, I don't believe it will work.
Here is my logical thinking:
1) Say the pool is 188.8.131.52; it will reach the ASA, be decrypted and be sent to the Cat6k with the tunnel default gateway set.
2) The Cat6k will just reroute the traffic with the same source, 184.108.40.206. From the ASA's point of view, 220.127.116.11 should be connected to the outside (where the VPN is terminated) instead of the inside, and the ASA will think the source address is spoofed and drop the packet.
3) Even if the ASA allowed it, for example 18.104.22.168 comes in the inside interface of the ASA, then goes out to the internet, and when it comes back, the ASA will send the traffic out the outside interface to be encrypted back towards the VPN client. However, this will cause a TCP asymmetric issue as follows:
TCP SYN - from 22.214.171.124 (inside) towards outside
TCP SYN-ACK - from outside towards outside because 126.96.36.199 is routed out (since it's still a clear-text packet at this point, the tunnel default gateway will not take effect).
Since it's TCP asymmetric, the ASA will drop the packet, as the ASA is a stateful firewall.
If you just configured the tunnel default gateway purely to send traffic towards the Cat6k and return the traffic back to the ASA for internet traffic, that would not work.
The reason is that the NAT exemption configuration always takes precedence over PAT, and since the default gateway for the internet traffic points back towards the ASA itself, the traffic will be NAT exempted, and with a private IP address, internet traffic will not get anywhere.
If traffic is going in and out the outside interface of the ASA for VPN client internet traffic without the tunneled default gateway, it will work just fine because it doesn't traverse the inside interface where the NAT exemption is applied.
Hope that makes sense.
You don't need to configure route inside with the tunnelled keyword for the non-split-tunnel policy. With the current configuration, you should be able to access the Internet via the outside interface. Are you trying to send the internet traffic towards your internal internet gateway? Or would the ASA outside interface be the default gateway for the VPN client internet traffic?
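The two paths discussed in the replies above (the tunneled default route that hands decrypted client traffic to the Cat6k, versus sending full-tunnel client Internet traffic back out the outside interface), as an added configuration sketch that is not the poster's attached config or a reply in this thread. Pre-8.3 NAT syntax, the 172.16.50.0/24 client pool and the 172.16.3.254 next hop are assumptions.

```cisco
! Added example, not from the thread's attached config.
! Assumed: pre-8.3 NAT syntax, VPN pool 172.16.50.0/24, inside gateway 172.16.3.254.

! --- What the poster tried: steer decrypted client traffic to the Cat6k ---
route Inside 0.0.0.0 0.0.0.0 172.16.3.254 tunneled
! Full-tunnel clients then lose Internet access for the reasons given above:
! the pool address is routed out Inside, the return path is outside->outside
! (asymmetric, so the stateful ASA drops it), and the NAT exemption on Inside
! wins over PAT, so the private pool address would leave un-translated anyway.

! --- The alternative the replies point at: keep client Internet traffic on outside ---
no route Inside 0.0.0.0 0.0.0.0 172.16.3.254 tunneled
! Allow decrypted VPN traffic to re-enter and leave the same (outside) interface.
same-security-traffic permit intra-interface
! PAT the VPN pool to the outside address as it goes back out to the Internet,
! so the Inside NAT exemption is never consulted for this flow.
global (outside) 1 interface
nat (outside) 1 172.16.50.0 255.255.255.0
```

The split-tunnel policy keeps working in both cases because its Internet traffic never enters the tunnel at all.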