Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN client Secure Routes

Hi Everyone,

When i use Full VPN tunnel on RA VPN.

On client PC if we click on

status

statistics

secure route

it shows below entries

Network     Mask

0.0.0.0       0.0.0.0

Need to know does this mean that RA VPN connection can come from any IP address and it can access any network behind the VPN ASA?

Regards

MAhesh

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

VPN client Secure Routes

Hi,

The secure routes just specifies the destination networks to which traffic is sent through your active VPN Client connection. Since you are using Full Tunnel VPN it means that ALL traffic is tunneled whatever the destination network might be. The 0.0.0.0/0 is simply meant to reference "any" destination network.

If you changed the VPN Client connections configuration to use Split Tunnel then this 0.0.0.0/0 would change to only containing the networks you mention in the Split Tunnel ACL.

The Client will only be acle to communicate with the LAN networks with the IP address thats assigned to it by the ASA or some DHCP server if you have configured the ASA in that way.

What the VPN Client can access on the LAN depends on other configurations on the ASA.

You might for example have configured NAT0 from a certain LAN network to the VPN pool network and this would already mean that this LAN network would be the only network it might potentially be able to access. Naturally if you have some NAT0 configuration that does NAT0 for all your LAN networks towards the VPN pool then its likely that the Clients can access any LAN network.

The connections which are allowed to the VPN user are usually restricted with the use of VPN Filter ACLs that can be attached to the "group-policy" configuration. This ACL would act as ACL that only applies to the VPN connections of the users that connect with some connection that uses this VPN Filter or the "group-policy" might also be attached to the LOCAL username of the VPN Client user and in that way restrict his/her access.

Then theres another way to control the VPN user traffic which I like more than the VPN Filter ACL. Atleast for L2L VPN connections.

There is a default setting on the like this

sysopt connection permit-vpn

Its a default setting and doesnt show up when you look at the CLI configuration normally

You can issue this command to see it

show run all sysopt

Though this will show other settings also.

The default setting of "sysopt connection permit-vpn" means that the interface ACL of the interface where the VPN user connects to on the ASA will be bypassed by all traffic from the VPN Client.

On the other hand if you were to change the setting to "no sysopt connection permit-vpn" then the VPN Client would no longer bypass the interface ACL and you could allow or deny traffic from the VPN Clients (to LAN networks for example) as you saw fit.

And the interface ACL I mean in the above is the interface where the VPN configuration is attached and which IP address the user connects to with the VPN Client. This would be the external interface which is typically called "outside" if you are using the default "nameif"

- Jouni

2 REPLIES
Super Bronze

VPN client Secure Routes

Hi,

The secure routes just specifies the destination networks to which traffic is sent through your active VPN Client connection. Since you are using Full Tunnel VPN it means that ALL traffic is tunneled whatever the destination network might be. The 0.0.0.0/0 is simply meant to reference "any" destination network.

If you changed the VPN Client connections configuration to use Split Tunnel then this 0.0.0.0/0 would change to only containing the networks you mention in the Split Tunnel ACL.

The Client will only be acle to communicate with the LAN networks with the IP address thats assigned to it by the ASA or some DHCP server if you have configured the ASA in that way.

What the VPN Client can access on the LAN depends on other configurations on the ASA.

You might for example have configured NAT0 from a certain LAN network to the VPN pool network and this would already mean that this LAN network would be the only network it might potentially be able to access. Naturally if you have some NAT0 configuration that does NAT0 for all your LAN networks towards the VPN pool then its likely that the Clients can access any LAN network.

The connections which are allowed to the VPN user are usually restricted with the use of VPN Filter ACLs that can be attached to the "group-policy" configuration. This ACL would act as ACL that only applies to the VPN connections of the users that connect with some connection that uses this VPN Filter or the "group-policy" might also be attached to the LOCAL username of the VPN Client user and in that way restrict his/her access.

Then theres another way to control the VPN user traffic which I like more than the VPN Filter ACL. Atleast for L2L VPN connections.

There is a default setting on the like this

sysopt connection permit-vpn

Its a default setting and doesnt show up when you look at the CLI configuration normally

You can issue this command to see it

show run all sysopt

Though this will show other settings also.

The default setting of "sysopt connection permit-vpn" means that the interface ACL of the interface where the VPN user connects to on the ASA will be bypassed by all traffic from the VPN Client.

On the other hand if you were to change the setting to "no sysopt connection permit-vpn" then the VPN Client would no longer bypass the interface ACL and you could allow or deny traffic from the VPN Clients (to LAN networks for example) as you saw fit.

And the interface ACL I mean in the above is the interface where the VPN configuration is attached and which IP address the user connects to with the VPN Client. This would be the external interface which is typically called "outside" if you are using the default "nameif"

- Jouni

New Member

VPN client Secure Routes

Hi Jouni,

I will go through this post slowly slowly in coming days i will be studying about L2 VPN.

Best regards

Mahesh

520
Views
0
Helpful
2
Replies