Remote VPN Access query

mukundh86
Level 1

Hi all

I have an ASA 5505 where users can log in remotely through IPsec. They have the Cisco VPN client installed on their workstations. I am curious to know whether it is possible to direct only the VPN traffic to another port on the firewall after it gets authenticated by the firewall. There is a NAC server to which all the VPN traffic must go after being authenticated by the ASA.

Thanks

Mukundh

9 Replies

Mohammad Alhyari
Cisco Employee

Hello,

To be clear, IPsec VPN uses:

ISAKMP, which is UDP port 500

ESP, which rides directly on the IP datagram

NAT-T, UDP 4500 (which we see most of the time encapsulating ESP with remote access VPN)

What exactly do you need to redirect:

User traffic after being decrypted by the ASA?

IPsec management traffic?

Thanks!

Hi

Thanks for the reply. I need to redirect the user's decrypted traffic. Does it mean I will redirect the user after he is authenticated and given an IP address from the VPN pool?

Mukundh,

If you want to forward all the VPN decrypted traffic you would need to use a "tunnel default gateway".

Here is the syntax:

route <interface_name> 0.0.0.0 0.0.0.0 <gateway_ip> [tunneled]

e.g.:

route inside 0.0.0.0 0.0.0.0 10.1.1.15 tunneled

That would redirect all the traffic that comes in through the tunnels to the host 10.1.1.15. Notice that this will affect your LAN-to-LAN traffic too if you have any L2Ls configured.

I hope this helps.

Raga

Hi Raga

There is no L2L traffic. The only IPsec traffic is the remote users' one. Again, to double verify, will the user be directed to the tunneled default gateway after getting an IP from the VPN pool?

Hi ,

So if you want to send the decrypted traffic to that NAC server, then notice:

ASA doesn't support source-based routing!

If you use the tunneled option with the default route, then this will affect only the traffic that has no route in the routing table, so if your destination is a network on the inside then that route will not be used!

cheers.

Hi

Actually the whole issue of directing the IPSec traffic to the NAC was known to us just minutes before putting ASA into production. Here are some points.

1. The VPN pool is 192.168.1.80-192.168.1.96.

2. Inside LAN is 192.168.1.0/24

3. There is a Cisco 3745 in the LAN whose IP is 192.168.1.54

4. NAC server is 192.168.1.33

Is it a good option to have 192.168.1.54 as the tunneled default gateway and from there apply a route-map that directs all IPsec traffic (traffic having one of the IPs of the VPN pool as source) to 192.168.1.33?

Thanks

Hi,

Sounds like a very good idea.

Keep in consideration, when the VPN client accesses the internal subnet 192.168.1.0, for the ASA this is a directly connected subnet, so you need to manipulate the routing table of the ASA.

The tunneled option will only be used when no route to the destination exists in the routing table.

Cheers!
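The route-selection rule described in the two replies above (longest prefix first, the tunneled default gateway used only for decrypted tunnel traffic with no other matching route, and no source-based routing) can be checked with a small simulation. The following is an added example, not code from the thread or from Cisco: it models the ASA routing table with the addresses posted above (inside 192.168.1.0/24, tunneled default gateway 192.168.1.54) plus a constructed outside default gateway 203.0.113.1 and a constructed override prefix 192.168.1.128/25, and shows which traffic actually reaches the tunneled gateway and which does not.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    """One entry of a simplified ASA routing table."""
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str]      # None for a directly connected network
    tunneled: bool = False      # set by the 'tunneled' keyword on a default route


def make_table() -> List[Route]:
    """Routing table for the ASA in the thread.
    The outside default gateway 203.0.113.1 is constructed for this example."""
    return [
        # inside interface is in 192.168.1.0/24 -> directly connected route
        Route(ipaddress.ip_network("192.168.1.0/24"), "inside", None),
        # normal default route towards the Internet
        Route(ipaddress.ip_network("0.0.0.0/0"), "outside", "203.0.113.1"),
        # 'route inside 0.0.0.0 0.0.0.0 192.168.1.54 tunneled'
        Route(ipaddress.ip_network("0.0.0.0/0"), "inside", "192.168.1.54", tunneled=True),
    ]


def lookup(table: List[Route], dst: str, from_tunnel: bool) -> Optional[Route]:
    """Pick the route the ASA would use for a packet to dst.
    from_tunnel is True for traffic that was just decrypted from a VPN tunnel.
    Note there is no source-address input: the ASA does not route by source."""
    dst_ip = ipaddress.ip_address(dst)
    # a tunneled route is only ever a candidate for decrypted tunnel traffic
    matches = [r for r in table
               if dst_ip in r.prefix and (from_tunnel or not r.tunneled)]
    if not matches:
        return None
    longest = max(r.prefix.prefixlen for r in matches)
    best = [r for r in matches if r.prefix.prefixlen == longest]
    # Equal-length tie (only the two default routes): tunnel traffic prefers
    # the tunneled default, so it is tried only after every real route failed.
    best.sort(key=lambda r: r.tunneled, reverse=True)
    return best[0]


def next_hop(table: List[Route], dst: str, from_tunnel: bool) -> Optional[str]:
    """Human-readable result: 'iface via gateway' or 'iface connected'."""
    r = lookup(table, dst, from_tunnel)
    if r is None:
        return None
    return f"{r.interface} via {r.gateway}" if r.gateway else f"{r.interface} connected"


def with_override(table: List[Route]) -> List[Route]:
    """Add a more specific static route (constructed prefix 192.168.1.128/25)
    pointing part of the connected LAN at the 3745, as the thread suggests.
    Because the match is by destination only, it catches non-VPN traffic too."""
    return table + [Route(ipaddress.ip_network("192.168.1.128/25"), "inside", "192.168.1.54")]


if __name__ == "__main__":
    t = make_table()
    print("VPN user -> 10.20.30.40      :", next_hop(t, "10.20.30.40", True))
    print("Inside host -> 10.20.30.40   :", next_hop(t, "10.20.30.40", False))
    print("VPN user -> 192.168.1.10     :", next_hop(t, "192.168.1.10", True))
    t2 = with_override(t)
    print("VPN user -> 192.168.1.200    :", next_hop(t2, "192.168.1.200", True))
    print("Outside -> 192.168.1.200     :", next_hop(t2, "192.168.1.200", False))
```

The runs show the two caveats from the thread: a VPN user heading for a destination with no route (10.20.30.40) is sent to 192.168.1.54, but the same user heading for the inside LAN (192.168.1.10) hits the directly connected route and never sees the NAC server. Once a more specific static route is added, traffic to 192.168.1.200 goes via the router whether or not it came from a tunnel, because the lookup never considers the source address.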

Hi

As of now, the ASA is also doing split tunneling for the VPN users.

So will this be affected when I put in a default gateway for tunneled VPN traffic? Also, how do I override the directly connected route in the ASA?

Or is there a way to make the ASA function as a NAC server itself?

Hi ,

To override a route, just add a more specific route on the ASA!

To override this:

192.168.10.0/24 directly connected

add

route inside 192.168.10.0/29; this will include:

192.168.10.0 - 192.168.10.127.255

cheers.