How do I configure Remote Access VPNs to use a specific Interface and Route

Answered Question
Aug 13th, 2012

I am adding a second external connection to an existing system on an ASA 5510 with ASA v8.2 and ASDM 6.4.

I added the new WAN using another interface (newwan).

The intention is to route most internet traffic over the new route/interface (newwan) but keep our existing VPNs using the former interface (outside).

I used the ASDM GUI to make the changes and most of it works.

i.e. The default route goes via (newwan).
Outgoing VPNs of a site-to-site nature use the previous route via (outside), as they now have static routes to achieve this.

The only problem is that incoming Remote Access AnyConnect VPNs are not working.

I set the default static route to use the new interface (newwan) and the default tunneled route to be via (outside), but this is the point where it goes wrong....

I can no longer ping the outside IP address from an external location.

It seems the outside interface does not send traffic back to the - outside interface (or at least that's where I think the problem lies). How do I force replies to the incoming VPN remote traffic from unknown IPs to go back out on the outside interface?

The only change I need to make to get everything working on the outside interface again is to make the default static route use the outside interface, which puts all the internet traffic back on the original (outside) connection.

Any pointers appreciated.

William

Correct Answer
Marcin Latosiewicz (Cisco Employee) Tue, 08/14/2012 - 00:43

William,

As it is right now, you will need to use the same interface you have the default route over to terminate remote access, unless you know their IPs.

In one of the designs I saw we did something like this:

(ISP cloud) ---- edge router ---- ASA

On the edge router you can perform PAT to the router's inside interface for traffic incoming on UDP/500 and UDP/4500 (you might need to add exceptions for your static L2L). It's dirty, I would not say it's recommended, but apparently it was working.

On routers this sort of situation is easily remedied by using VRF-lite with crypto.

M.

mcinroywood10 Thu, 08/16/2012 - 11:37

OK, I took a different approach as a result of your message and got most of it working on the second interface, except outgoing static VPNs, as I could route them specifically via the existing interface. That all worked fine.

I got incoming IPsec working using the PAT forwarding as you suggested. Actually I quite like the approach, as it means I can test more bits locally inside the edge router yet outside the ASA.

However, I couldn't get incoming AnyConnect clients to connect. Though I tried to PAT port 443, it seemed to complain about the lack of an ACL for port 443, but I don't want to pass port 443 on to another internal server; I want the ASA to respond.

Can you tell what I am missing?

I can't recall how we generated the initial certificate for the outside interface. Do I need one for the newwan interface?

W

Marcin Latosiewicz (Cisco Employee) Thu, 08/16/2012 - 14:30

William,

Do you have the exact error/warning message you received? I understand that it popped up during NAT config?

Also remember that AnyConnect is by default TCP and UDP port 443 (UDP being for DTLS).

M.
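
An added example (not from the thread, from William's configuration or from Cisco documentation) of the edge-router PAT arrangement Marcin describes in his first answer, extended with the AnyConnect TCP/443 and UDP/443 ports he mentions directly above. It assumes IOS NAT on the edge router with an ISP-facing GigabitEthernet0/0 and an ASA-facing GigabitEthernet0/1 on 10.0.3.0/24; 10.0.3.1 is the ASA newwan address William quotes later in the thread, while the router's 10.0.3.254 address, the 198.51.100.2 uplink address and the interface and ACL names are assumptions:

```cisco
! Edge router (IOS). Added example: static PAT so that remote-access VPN
! clients connecting to the router's public address reach the ASA's newwan
! interface. 10.0.3.1 is the ASA address from the thread; everything else
! here (interfaces, 198.51.100.2, 10.0.3.254, NAT_ASA_SIDE) is assumed.
interface GigabitEthernet0/0
 description ISP uplink (public side)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description link to ASA newwan (10.0.3.1)
 ip address 10.0.3.254 255.255.255.0
 ip nat inside
!
! IKE and NAT-T for IPsec remote access: the two UDP ports in Marcin's answer.
ip nat inside source static udp 10.0.3.1 500 interface GigabitEthernet0/0 500
ip nat inside source static udp 10.0.3.1 4500 interface GigabitEthernet0/0 4500
!
! AnyConnect: TLS on TCP/443 and DTLS on UDP/443. Forward both; if only
! TCP/443 is forwarded the client still connects but falls back to TLS only.
ip nat inside source static tcp 10.0.3.1 443 interface GigabitEthernet0/0 443
ip nat inside source static udp 10.0.3.1 443 interface GigabitEthernet0/0 443
!
! Everything else leaving the ASA side is overloaded on the uplink address.
ip access-list standard NAT_ASA_SIDE
 permit 10.0.3.0 0.0.0.255
ip nat inside source list NAT_ASA_SIDE interface GigabitEthernet0/0 overload
!
! Checks: the four static entries are listed before any client connects,
! and a client attempt adds a matching dynamic entry for its source port.
!   show ip nat translations | include 10.0.3.1
!   debug ip nat detailed          (lab only; noisy on a production edge)
```

Because the clients now reach the ASA from behind the router's PAT, the ASA sees the router's address rather than the client's, so IPsec clients depend on NAT-T (UDP/4500) working end to end; the same static UDP/500 and UDP/4500 entries also catch any IKE the ASA itself initiates out through this router, which is the "exception for your static L2L" Marcin warns about. In William's design the site-to-site tunnels stay on the outside interface, so they never traverse this router.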

mcinroywood10 Thu, 08/16/2012 - 15:16

I had indeed forgotten about UDP 443, but unfortunately that wasn't the full solution.

The error was:

    %ASA-3-710003: {TCP|UDP} access denied by ACL from source_IP/source_port to interface_name:dest_IP/service

with the description being: TCP access denied by ACL from /34803 to newwan:10.0.3.1/443

where 10.0.3.1 is the destination IP, i.e. the port on the ASA facing the edge router.

The error is from the ASA log viewer, so it must be getting through, but as it says, there is an ACL blocking something, though I can't see what.

William

Marcin Latosiewicz (Cisco Employee) Thu, 08/16/2012 - 15:42

Looks like the webvpn service is not running.

http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsgs.html#wp5849846

Indeed, DTLS would not change anything, because it's only used once a successful TCP session has been established.

If the problem is indeed the webvpn service not running, open up a TAC case so they can have a look on the ASA at what's missing.

mcinroywood10 Thu, 08/16/2012 - 16:25

No. You had already cracked it.

I had put a static route in for the VPN allocated range to tie it to the original interface, from my original concept.

Removing that route allowed the Remote Access VPN traffic to go on the default (newwan) route.

It (the error log) really was telling the truth.

Now I just need to replicate it when we go live.

THANK YOU VERY MUCH for your assistance.

Regards

William
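
For the ASA side, an added example (not William's running configuration and not Cisco documentation) of the end state the thread describes: the default route out newwan, the tunneled default and the site-to-site peers out outside, IKE and webvpn enabled on newwan so that remote-access clients can terminate there, and no static route for the remote-access pool. The interface names, the 10.0.3.1 newwan address and the ASA 8.2 syntax follow the thread; the outside addresses 203.0.113.2/203.0.113.1, the pool 172.16.50.0/24, the L2L peer 192.0.2.10, the transform-set, crypto map and pool names are assumptions:

```cisco
! ASA 5510 running 8.2 syntax. Added example, not William's config.
! newwan 10.0.3.1 comes from the thread; all other addresses and names are assumed.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface Ethernet0/2
 nameif newwan
 security-level 0
 ip address 10.0.3.1 255.255.255.0
!
! Routing. Internet traffic, and the replies to remote-access clients
! arriving via the edge router, follow the default route out newwan.
route newwan 0.0.0.0 0.0.0.0 10.0.3.254 1
! Decrypted traffic with no more specific route leaves via the old ISP.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 tunneled
! Pin each existing site-to-site peer to outside so those tunnels stay there.
route outside 192.0.2.10 255.255.255.255 203.0.113.1 1
!
! Remote-access pool. The thread's fix was removing a static route for this
! range that pointed at outside; with such a route present AnyConnect clients
! could not connect, without it their traffic follows the default via newwan.
! Do NOT add:  route outside 172.16.50.0 255.255.255.0 203.0.113.1 1
ip local pool RA_POOL 172.16.50.10-172.16.50.200 mask 255.255.255.0
!
! IKE must be enabled on every interface that terminates a tunnel, and NAT-T
! is required because clients arrive PAT'ed by the edge router.
crypto isakmp enable outside
crypto isakmp enable newwan
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
! The existing site-to-site entries in outside_map are unchanged (not shown);
! a dynamic entry is added to it and a second crypto map is bound to newwan.
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic DYN_MAP
crypto map outside_map interface outside
crypto map newwan_map 65535 ipsec-isakmp dynamic DYN_MAP
crypto map newwan_map interface newwan
!
! AnyConnect. Per the log-message guide Marcin links, %ASA-3-710003 for
! newwan:10.0.3.1/443 means nothing is accepting TCP/443 on that interface;
! "enable newwan" under webvpn is what starts listening there (TLS and DTLS).
webvpn
 enable outside
 enable newwan
 svc enable
!
! Checks
!   show run webvpn                 -> "enable newwan" present
!   show run route | include 172.16.50   -> no output (no static route for the pool)
!   show crypto isakmp sa           -> client SAs appear on newwan
!   show logging | include 710003   -> no more denials for newwan:10.0.3.1/443
```

The one setting worth re-checking before going live, as William intends, is the route list: ASDM's static-route page makes it easy to re-add the pool route out of habit, and the symptom (clients fail while the ASA logs 710003 on newwan) does not obviously point back at routing.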
