06-15-2012 11:20 PM - edited 03-11-2019 04:20 PM
Hi,
ASA running 8.2(5).
When VPN clients connect with an IPsec VPN client configured as a zero tunnel route (0.0.0.0/0), the ASA logs the below:
Deny UDP reverse path check from 192.168.200.47 to 192.168.11.200 on interface HOSTING
192.168.200.0/24 is the subnet the IPsec clients get an IP address from when connecting.
192.168.11.200 is in this case the client's own local subnet. Is it expected that the ASA box will log these messages from the clients' local subnet when they are connected with IPsec VPN and it is a zero tunnel configuration?
Interfaces and routes:
Current available interface(s):
DATA-BACKUP Name of interface Redundant1.10
DMZ Name of interface Redundant1.900
GUEST Name of interface Redundant1.990
HOSTING Name of interface Redundant1.100
Infrastruktur Name of interface Redundant1.20
Intern Name of interface Management0/0
OUTSIDE-BACKUP Name of interface Redundant1.998
PHONE Name of interface Redundant1.200
SPECTRA-LAN Name of interface Redundant1.50
outside Name of interface Ethernet0/3
Gateway of last resort is 1.2.3.4 to network 0.0.0.0
C 172.31.0.0 255.255.255.0 is directly connected, DMZ
S 192.168.200.46 255.255.255.255 [1/0] via 1.2.3.4, outside
S 192.168.200.47 255.255.255.255 [1/0] via 1.2.3.4, outside
S VPN-hosting 255.255.255.0 [1/0] via 192.168.200.1, outside
C 93.167.197.80 255.255.255.240 is directly connected, outside
S 10.100.110.0 255.255.255.0 [1/0] via 10.100.110.1, outside
C 10.10.10.0 255.255.255.0 is directly connected, GUEST
C 10.100.100.0 255.255.255.0 is directly connected, Intern
S 10.100.101.0 255.255.255.0 [5/0] via 10.100.100.252, Intern
S 10.100.0.0 255.255.0.0 [10/0] via 10.100.100.252, Intern
C 10.200.100.0 255.255.252.0 is directly connected, PHONE
C 10.199.1.0 255.255.255.0 is directly connected, Infrastruktur
C 10.199.0.0 255.255.255.0 is directly connected, DATA-BACKUP
C 192.168.254.0 255.255.255.0 is directly connected, HOSTING
S* 0.0.0.0 0.0.0.0 [1/0] via 1.2.3.4, outside
S 192.168.0.0 255.255.0.0 [5/0] via 192.168.254.1, HOSTING
Regards
Robert
06-16-2012 08:52 PM
Yes, because you haven't configured split tunnel, all traffic, including the local VPN client subnet, will also be routed through the VPN tunnel. If your VPN client needs to access its own local LAN while connected to the VPN tunnel, then you would need to configure split tunnel.
06-16-2012 11:52 PM
Thanks.
Robert
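The check behind the logged message, as an added example that is not part of the original thread: a strict reverse-path lookup run over the routes posted in the question. It assumes the check passes only when the longest-prefix route for the packet's source points to the interface the packet arrived on; the `VPN-hosting` route is omitted because the page gives only its name.

```python
import ipaddress

# Routes copied from the "show route" output in the question: (network, mask, interface).
# The "VPN-hosting" entry is omitted: the page shows its name but not its address.
ROUTES = [
    ("172.31.0.0", "255.255.255.0", "DMZ"),
    ("192.168.200.46", "255.255.255.255", "outside"),
    ("192.168.200.47", "255.255.255.255", "outside"),
    ("93.167.197.80", "255.255.255.240", "outside"),
    ("10.100.110.0", "255.255.255.0", "outside"),
    ("10.10.10.0", "255.255.255.0", "GUEST"),
    ("10.100.100.0", "255.255.255.0", "Intern"),
    ("10.100.101.0", "255.255.255.0", "Intern"),
    ("10.100.0.0", "255.255.0.0", "Intern"),
    ("10.200.100.0", "255.255.252.0", "PHONE"),
    ("10.199.1.0", "255.255.255.0", "Infrastruktur"),
    ("10.199.0.0", "255.255.255.0", "DATA-BACKUP"),
    ("192.168.254.0", "255.255.255.0", "HOSTING"),
    ("0.0.0.0", "0.0.0.0", "outside"),
    ("192.168.0.0", "255.255.0.0", "HOSTING"),
]
TABLE = [(ipaddress.ip_network(f"{n}/{m}"), ifc) for n, m, ifc in ROUTES]

def best_route(addr):
    """Longest-prefix match; the default route guarantees at least one hit."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, ifc) for net, ifc in TABLE if ip in net]
    return max(matches, key=lambda r: r[0].prefixlen)

def rpf_check(src, ingress):
    """Assumed strict check: the route back to src must use the ingress interface."""
    net, ifc = best_route(src)
    return ifc == ingress, net, ifc

if __name__ == "__main__":
    # First pair is taken from the logged message; the second is constructed.
    for src, ingress in [("192.168.200.47", "HOSTING"), ("192.168.200.47", "outside")]:
        ok, net, ifc = rpf_check(src, ingress)
        print(f"{src} arriving on {ingress}: {'permit' if ok else 'deny'} (route {net} via {ifc})")
    # Where the table sends traffic for the destination in the logged message.
    print("192.168.11.200 is routed via", best_route("192.168.11.200")[1])
```
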