Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2593
Views
0
Helpful
5
Replies

Inside Default Route

Go to solution
debra-brown
Level 1
Level 1

‎07-07-2010 09:44 PM

We have an ASA 5550. How do you put the statement for the inside default route?  When I put the inside default route (route Inside 0.0.0.0 0.0.0.0 172.16.3.254 tunneled), I cannot get on the internet when I connect to Cisco VPN client with group policy techsupport (full tunnel).  However, I can get on the internet with split-tunnel for splitunnel group policy.  Attached is the config.  Please let me know if you need additional information.

Do you have any suggestions?

Thanks.

Labels:
68864-ciscoasa.txt.zip
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎07-07-2010 09:55 PM

You don't need to configure route inside with the tunnelled keyword for the non split tunnel policy. With the current configuration, you should be able to access the Internet via the outside interface. Are you trying to send the internet traffic towards your internal internet gateway? Or the ASA outside interface would be the default gateway for the VPN Client internet traffic?

View solution in original post

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to debra-brown

‎07-08-2010 02:57 PM

If you just configured the tiunnel default gateway purely to send traffic towards the Cat6k and return the traffic back to the ASA for internet traffic, that would not work.

Reason is because the NAT exemption configuration always takes precedence over the PAT, and since the default gateway for the internet traffic is back towards the ASA itself, than traffic will be NAT exempted, and with private ip address, internet traffic will not get anywhere.

If traffic is going in and out the outside interface of the ASA for vpn client internet traffic without the tunneled default gateway, it will work just fine because it doesn't traverse the inside interface where the NAT exemption is applied.

Hope that makes sense.

View solution in original post

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to debra-brown

‎07-08-2010 06:59 PM

After thinking carefully, even with ip pool configured with public ip address, as far as the connection is concern, I don't believe it will work.

Here is my logical thinking:

1) Say the pool is 200.1.1.1, it will reach the ASA, decrypted and sent to the Cat6k with tunnel default gateway set.

2) Cat6k will just reroute the traffic with the same source as 200.1.1.1. From the ASA points of view, 200.1.1.1 should be connected to the outside (where vpn is terminated) instead of inside, and ASA will think the source address is spoofed and dropped the packet.

3) Even if the ASA is allowed for example, 200.1.1.1 comes in the inside interface of the ASA, then goes out to the internet, and when it comes back, it will send the traffic out towards the outside interface to be encrypted back towards the VPN Client. However, this will cause TCP asymmetric issue as follows:

TCP SYN - from 200.1.1.1 (inside) towards outside

TCP SYN-ACK - from outside towards outside because 200.1.1.1 is routed out (since it's still clear text packet at this point, the tunnel default gateway will not take effect).

Since it's TCP asymmetric, ASA will drop the packet as ASA is a stateful firewall.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎07-07-2010 09:55 PM

You don't need to configure route inside with the tunnelled keyword for the non split tunnel policy. With the current configuration, you should be able to access the Internet via the outside interface. Are you trying to send the internet traffic towards your internal internet gateway? Or the ASA outside interface would be the default gateway for the VPN Client internet traffic?

0 Helpful

Go to solution
debra-brown
Level 1
Level 1
In response to Jennifer Halim

‎07-08-2010 07:12 AM

Thanks Halijenn for your prompt response and information.  My ASA outside interface is the default gateway for the VPN client internet traffic. Is it possible to configure the default inside route and get on the internet with full tunnel?  Is it normal that people configure the default inside route with full tunnel?  I need to configure the default inside route because there are some networks that are configured on the Cisco 6500 and do not have the static routes on the ASA.  When the ASA does not have static routes, I want the ASA to check with the Cisco 6500 (inside networks) first, then the firewall. 

Please let me know if you have any questions or need additional information.

Thanks.

Debra

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to debra-brown

‎07-08-2010 02:57 PM

If you just configured the tiunnel default gateway purely to send traffic towards the Cat6k and return the traffic back to the ASA for internet traffic, that would not work.

Reason is because the NAT exemption configuration always takes precedence over the PAT, and since the default gateway for the internet traffic is back towards the ASA itself, than traffic will be NAT exempted, and with private ip address, internet traffic will not get anywhere.

If traffic is going in and out the outside interface of the ASA for vpn client internet traffic without the tunneled default gateway, it will work just fine because it doesn't traverse the inside interface where the NAT exemption is applied.

Hope that makes sense.

0 Helpful

Go to solution
debra-brown
Level 1
Level 1
In response to Jennifer Halim

‎07-08-2010 05:58 PM

Halijenn,

Thanks for your prompt response and information.  May I ask you another question since you know so much?  If I use public IP address instead of private IP address, will I be able to configure the default inside route and get on the internet with full tunnel?

Thanks.

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to debra-brown

‎07-08-2010 06:59 PM

After thinking carefully, even with ip pool configured with public ip address, as far as the connection is concern, I don't believe it will work.

Here is my logical thinking:

1) Say the pool is 200.1.1.1, it will reach the ASA, decrypted and sent to the Cat6k with tunnel default gateway set.

2) Cat6k will just reroute the traffic with the same source as 200.1.1.1. From the ASA points of view, 200.1.1.1 should be connected to the outside (where vpn is terminated) instead of inside, and ASA will think the source address is spoofed and dropped the packet.

3) Even if the ASA is allowed for example, 200.1.1.1 comes in the inside interface of the ASA, then goes out to the internet, and when it comes back, it will send the traffic out towards the outside interface to be encrypted back towards the VPN Client. However, this will cause TCP asymmetric issue as follows:

TCP SYN - from 200.1.1.1 (inside) towards outside

TCP SYN-ACK - from outside towards outside because 200.1.1.1 is routed out (since it's still clear text packet at this point, the tunnel default gateway will not take effect).

Since it's TCP asymmetric, ASA will drop the packet as ASA is a stateful firewall.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents