route inside 0.0.0.0 0.0.0.0 tunneled

mahesh18
Level 6

Hi Everyone,

On an ASA which is running RA VPN, why would we use this command?

route inside 0.0.0.0 0.0.0.0 x.x.x.x tunneled

Regards

Mahesh

12 Replies

Jouni Forss
VIP Alumni

Hi Mahesh,

To my understanding a "tunneled" "route" is simply meant to tell the ASA to forward all traffic inbound from a VPN connection straight to another device.

We, for example, use this on an ASA failover pair that is simply meant to serve as a VPN device. This "tunneled" default route forwards all traffic from the VPN connections to an actual firewall device (an ASA too) that handles NAT/ACL and other things.

It provides an easy way to define a separate default route for the traffic incoming from VPN connections towards internal networks, since the device itself needs the normal default route for the return traffic of the VPN connections, which are formed from the external network.

- Jouni

Hi Jouni,

What if the tunneled traffic goes to a switch instead of the ASA?

Regards

Mahesh

Hi,

What do you mean?

The "route 0 0 tunneled" is meant to forward traffic from VPN to some other device that routes it again to the correct destination.

I imagine you mean that your route points to a L3 switch doing routing?

- Jouni

Hi Jouni,

Let me dig more; I will get back to you.

Regards

Mahesh

Hello Guys,

We have a customer who wants to route only the VPN traffic from a specific subnet to another device, not all the VPN traffic. I've racked my brain and could not think of anything good so far.

Do you have any ideas?

Thank you.

George

Jon Marshall
Hall of Fame

Mahesh

It is used to set the default tunnel gateway for VPN traffic. So in effect it allows you to have two default routes on your ASA, i.e. if a packet arrives at the ASA the routing table is consulted. If there is no specific match, then if there is a default route it will be used.

But you may want your VPN traffic to use a different default route than your non-VPN traffic. If you add the "tunneled" option then that default route only applies to encrypted traffic arriving on the ASA. This means you can have two default routes, one for VPN traffic only and one for non-VPN traffic.

Jon

Hi Jon & Jouni,

It has:

sh run route

route outside 0.0.0.0 0.0.0.0 200.x.x.x 1
route inside 10.0.0.0 255.0.0.0 192.168.50.1 1
route inside 172.16.0.0 255.240.0.0 192.168.50.1 1
route inside 192.168.0.0 255.255.0.0 192.168.50.1 1
route inside 0.0.0.0 0.0.0.0 192.168.50.1 tunneled

I traced where the outside route goes: to the Internet ASA, then to the outside world.

route inside ... 192.168.50.1 -- this is the interface IP of another ASA.

If a user at home connects to the company VPN, then the encrypted traffic where he needs to access the company network, say subnet 172.16.0.0, will arrive encrypted and will use 192.168.50.1, which is not tunneled, right?

This traffic from the VPN ASA to the internal ASA will not be encrypted, right?

If he needs to access a route which is neither 172 nor 192, say, then it will use the tunneled route to reach the internal ASA, and that traffic will be encrypted, right?

Regards

Mahesh

Hi,

According to what you tell us, it seems to me that this device is also a VPN-only ASA? I mean that it's used for VPN purposes only, while there is another ASA behind it in the internal network that does the actual firewalling (NAT/ACL/etc.)?

To my understanding the VPN client/user connected to this ASA will use the static routes for the specific networks if the user tries to connect to some destination address covered by those routes. If it doesn't match those static routes then it will use the "tunneled" default route. But since the gateway is the same, that means traffic from the VPN connections is always forwarded to the device 192.168.50.1.

The traffic from the VPN ASA to the internal ASA won't be encrypted.

The "tunneled" parameter doesn't mean that the traffic is encrypted. It just refers to the fact that the "route" command is used to forward traffic incoming from a VPN connection.

- Jouni

Hi Jouni,

Yes, it is a VPN-only ASA.

You understood correctly.

Thanks for explaining it to me.

Seems I can not do my job without your help!

Regards

Mahesh

Mahesh

Here you have a default route for non-VPN traffic, i.e. general Internet access, and this points to a next hop reachable via the outside interface. But you want to send any VPN traffic to a different destination, i.e. 192.168.50.1, which is another ASA.

The way I understand this is that if you connect via VPN to the ASA, then once the traffic is decrypted it will use the "tunneled" route to send traffic to the internal ASA.

As far as I know all VPN traffic is decrypted on the first ASA, i.e. no traffic is sent on as encrypted traffic, and you can check this because I suspect your internal ASA is not terminating any VPNs. But the ASA knows that the traffic arrived encrypted, so once it has decrypted it, it then uses the "tunneled" route to send it on to the internal ASA.

Otherwise it would try and use its other default route, and obviously in your setup all VPN traffic should go via the internal ASA.

Jon
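The lookup order Jon and Jouni describe (most specific static route first, then the tunneled default for decrypted VPN traffic, then the ordinary default for everything else) can be checked against the routing table Mahesh posted. The Python below is an added model written for this thread, not code from the thread, from Cisco or from the ASA itself; the route table is constructed from the posted "sh run route" output, with 200.0.0.1 standing in for the redacted 200.x.x.x next hop (an assumption). It also shows what changes when the tunneled route is absent, which is Jon's "otherwise it would use its other default route" case.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table mirroring the "sh run route" output posted in this
# thread. 200.0.0.1 stands in for the redacted 200.x.x.x next hop (assumption).
# Each entry: (interface, network, next hop, tunneled flag).
ROUTES = [
    ("outside", "0.0.0.0/0",      "200.0.0.1",    False),
    ("inside",  "10.0.0.0/8",     "192.168.50.1", False),
    ("inside",  "172.16.0.0/12",  "192.168.50.1", False),
    ("inside",  "192.168.0.0/16", "192.168.50.1", False),
    ("inside",  "0.0.0.0/0",      "192.168.50.1", True),
]

DEFAULT = ip_network("0.0.0.0/0")


def validate(routes):
    """Reject a table the ASA would not accept: only one default route may
    carry the 'tunneled' keyword."""
    if sum(1 for r in routes if r[3]) > 1:
        raise ValueError("only one tunneled default route is allowed")


def lookup(dst, from_vpn, routes=ROUTES):
    """Model the forwarding decision described in the thread.

    1. The most specific static route wins, whatever the packet's origin.
    2. With no specific match, decrypted VPN traffic takes the tunneled
       default route if one is configured.
    3. Everything else (and VPN traffic when no tunneled route exists)
       takes the ordinary default route.
    Returns (interface, next_hop, matched_route), or None with no match.
    """
    validate(routes)
    addr = ip_address(dst)
    specific = [
        (ip_network(net), iface, nh)
        for iface, net, nh, tun in routes
        if not tun and ip_network(net) != DEFAULT and addr in ip_network(net)
    ]
    if specific:
        net, iface, nh = max(specific, key=lambda r: r[0].prefixlen)
        return iface, nh, str(net)
    if from_vpn:
        for iface, net, nh, tun in routes:
            if tun:
                return iface, nh, "0.0.0.0/0 tunneled"
    for iface, net, nh, tun in routes:
        if not tun and ip_network(net) == DEFAULT:
            return iface, nh, "0.0.0.0/0"
    return None


if __name__ == "__main__":
    cases = [("172.16.20.5", True), ("8.8.8.8", True),
             ("8.8.8.8", False), ("10.1.2.3", False)]
    for dst, vpn in cases:
        print(f"{dst:>12} from_vpn={vpn!s:5} -> {lookup(dst, vpn)}")
    # Without the tunneled route, a VPN user's Internet-bound traffic would
    # leave via the outside default and bypass the internal ASA entirely.
    no_tunneled = [r for r in ROUTES if not r[3]]
    print("no tunneled route:", lookup("8.8.8.8", True, no_tunneled))
```

Note that the tunneled route only ever matters for destinations that no specific static route covers; with the posted table, traffic to 172.16.0.0/12 reaches 192.168.50.1 through the specific route whether it came from a VPN user or not. On the ASA itself, `show running-config route` reproduces the table the model was built from.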

Many thanks Jon for explaining it to me in a clear and precise manner.

Best Regards

Mahesh

"If you add the "tunneled" option then that default route only applies to encrypted traffic arriving on the ASA."

...arriving only externally, or also internally going external?
