08-27-2011 10:03 AM
Hi all
I have an ASA 5505 where users can remotely login through IPSec. They have the Cisco VPN client installed on their workstations. I am curious to know whether it is possible to direct only the VPN traffic to another port on the firewall after it gets authenticated by the firewall. There is a NAC server to which all the VPN traffic must go after being authenticated by the ASA.
Thanks
Mukundh
08-27-2011 11:11 AM
HELLO,
TO BE CLEAR, IPSEC VPN USES:
ISAKMP, WHICH IS UDP PORT 500
ESP, WHICH RIDES ON THE IP DATAGRAM
NAT-T, UDP 4500 (WHICH WE SEE MOST OF THE TIME ENCAPSULATING ESP WITH REMOTE ACCESS VPN)
WHAT EXACTLY DO YOU NEED TO REDIRECT:
USER TRAFFIC AFTER BEING DECRYPTED BY THE ASA?
IPSEC MANAGEMENT TRAFFIC?
THANKS!
08-27-2011 06:28 PM
Hi
Thanks for the reply. I need to redirect the user's decrypted traffic. Does it mean I will redirect the user after he is authenticated and given an IP address from the VPN pool?
08-27-2011 10:44 PM
Mukundh,
If you want to forward all the VPN decrypted traffic you would need to use a "tunnel default gateway".
Here is the syntax:
route
e.g.:
route inside 0.0.0.0 0.0.0.0 10.1.1.15 tunneled
That would redirect all the traffic that comes in through the tunnels to the host 10.1.1.15. Notice that this will affect your LAN-to-LAN traffic too if you have any L2Ls configured.
I hope this helps.
Raga
08-28-2011 09:10 AM
Hi Raga
There is no L2L traffic. The only IPSec traffic is the remote users' one. Again, to double verify, will the user be directed to the tunneled default gateway after getting an IP from the VPN pool?
08-28-2011 06:55 AM
Hi,
so if you want to send the decrypted traffic to that NAC server, then notice:
ASA doesn't support source-based routing!
If you use the tunneled option with the default route, then this will only affect the traffic that has no route in the routing table, so if your destination is a network on the inside then that route will not be used!
cheers.
08-28-2011 09:17 AM
Hi
Actually the whole issue of directing the IPSec traffic to the NAC was known to us just minutes before putting the ASA into production. Here are some points.
1. The VPN pool is 192.168.1.80-192.168.1.96.
2. Inside LAN is 192.168.1.0/24
3. There is a Cisco 3745 in the LAN whose IP is 192.168.1.54
4. NAC server is 192.168.1.33
Is it a good option to have 192.168.1.54 as the tunneled default gateway and from there apply a route-map that directs all IPSec traffic (traffic having one of the IPs of the VPN pool as source) to 192.168.1.33?
Thanks
08-28-2011 10:03 AM
HI,
SOUNDS LIKE A VERY GOOD IDEA.
KEEP IN CONSIDERATION, WHEN THE VPN CLIENT ACCESSES THE INTERNAL SUBNET 192.168.1.0, FOR THE ASA THIS IS A DIRECTLY CONNECTED SUBNET, SO YOU NEED TO MANIPULATE THE ROUTING TABLE OF THE ASA.
THE TUNNELED OPTION WILL ONLY BE USED WHEN NO ROUTE TO THE DESTINATION EXISTS IN THE ROUTING TABLE.
CHEERS!
08-28-2011 11:44 AM
Hi
As of now, the ASA is also doing split tunneling for the VPN users.
So will this be affected when I put in a default gateway for tunneled VPN traffic? Also, how do I override the directly connected route in the ASA?
Or is there a way to make the ASA function as a NAC server itself?
08-29-2011 01:57 AM
Hi,
to override a route just add a more specific route on the ASA!
To override this:
192.168.10.0/24 directly connected.
add
route inside 192.168.10.0/29
this will include the:
192.168.10.0 --------- 192.168.10.127.255
cheers.
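To see how the ASA's destination-only lookup picks between the connected inside subnet, the ordinary default route and a "route ... tunneled" default (the point made twice above about the tunneled option only being used when no more specific route exists), and how a more specific static route overrides the connected route, here is a small route-selection model. This is an added example, not code from the thread or from Cisco; the outside next hop 203.0.113.1 and the /25 override routes via the 3745 at 192.168.1.54 are assumed, and the routing table is constructed from the addresses given in the thread.

```python
import ipaddress

# Constructed routing table modelled on the thread's topology: the connected
# inside /24, a normal default route toward the Internet (next hop assumed),
# and the tunneled default pointing at the NAC server 192.168.1.33.
BASE_ROUTES = [
    # (destination prefix, egress interface, next hop, "tunneled" keyword?)
    ("192.168.1.0/24", "inside", None, False),        # directly connected
    ("0.0.0.0/0", "outside", "203.0.113.1", False),   # ordinary default route
    ("0.0.0.0/0", "inside", "192.168.1.33", True),    # tunneled default gateway
]

def lookup(dst, routes, from_tunnel):
    """Return (prefix, interface, next_hop) the ASA would use for dst, or None.

    Selection is by destination only (the ASA does no source-based routing):
    the longest matching prefix wins. A route flagged 'tunneled' is considered
    only for traffic that emerged from a VPN tunnel, and for that traffic it
    beats the ordinary default route but never a more specific route.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop, tunneled in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net or (tunneled and not from_tunnel):
            continue
        key = (net.prefixlen, tunneled)   # 'tunneled' only breaks the /0 tie
        if best is None or key > best[0]:
            best = (key, prefix, iface, next_hop)
    return best[1:] if best else None

def address_range(prefix):
    """First and last address a static route's prefix actually covers."""
    net = ipaddress.ip_network(prefix)
    return str(net[0]), str(net[-1])

if __name__ == "__main__":
    # VPN client (pool 192.168.1.80-96) to an inside host: the connected /24
    # is more specific than the tunneled /0, so the NAC server is bypassed.
    print(lookup("192.168.1.10", BASE_ROUTES, from_tunnel=True))
    # Same client to a destination with no specific route: tunneled default.
    print(lookup("10.9.9.9", BASE_ROUTES, from_tunnel=True))
    # Splitting the connected /24 into two more specific /25s via the 3745
    # (assumed next hop) sends inside-bound VPN traffic to .54 for policy
    # routing, but also every other packet bound inside, since the ASA
    # cannot distinguish by source address.
    override = BASE_ROUTES + [("192.168.1.0/25", "inside", "192.168.1.54", False),
                              ("192.168.1.128/25", "inside", "192.168.1.54", False)]
    print(lookup("192.168.1.10", override, from_tunnel=True))
    print(address_range("192.168.10.0/29"))   # what a /29 really covers
```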