mysterious unwanted route added by VPN software client
We have an Internet-facing VPN concentrator 3005 outside our ASA firewall and vpn software client installed on laptops in a Windows 2000 domain with Active Directory. No split-tunneling is allowed.
I once installed the VPN client on a new laptop in the corporate network, and to test it, I connected the laptop to the VPN concentrator. When I tried to ping our primary DC, I got timeouts. But I could ping other DCs and any other corporate devices.
Upon examining the "route print" output, I found that the VPN client added a few routes, including a route for the primary DC out the LAN interface to the LAN default gateway. No wonder I couldn't ping it -- the ICMP packets got dropped because they were directed to the local LAN. I could manually remove the route and connections to the PDC would be fine.
What bothers me is that I can't find a place in the concentrator config or VPN client to remove the unwanted route. It is not in the static routes on the concentrator. I even searched the concentrator's CONFIG file but only found one instance of PDC IP address, which is the DNS server address. I also tried no firewall for this VPN group.
Re: mysterious unwanted route added by VPN software client
I think that the client will get a route for the subnet that it receives an address in and that if the ASA is not set up to hand down a specific subnet, the client just uses a classful subnet. You can apply a specific mask to the client pool on the ASA. The commands you may need to enter are as follows:
clear crypto isakmp sa
clear crypto ipsec sa
then you want to remove the address pool from the VPN Group
no vpngroup <groupname> address-pool <poolname>
then you can remove the old pool
no ip local pool <poolname>
then add the new pool
ip local pool <poolname> <start-ip>-<end-ip> mask <netmask>
then apply the new pool to the vpngroup
vpngroup <groupname> address-pool <poolname>
Keep in mind that if the same old pool is applied to more than one VPN group then you need to remove the old pool from all groups where it is applied, prior to removing the pool.
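To check a laptop for exactly the symptom described in the question (a corporate host whose best-matching route leaves via the LAN adapter instead of the VPN adapter), the following added Python script parses the IPv4 section of a Windows "route print" table, applies longest-prefix matching the way the Windows stack does, and reports any host that would bypass the tunnel. It also shows the classful network the reply refers to, i.e. the /8, /16 or /24 a client falls back to when no mask is pushed. This is an added example, not code from the original thread; the route table, interface addresses and host addresses below are constructed RFC 1918 sample values, and the function names are the author's own.

```python
import ipaddress

# Constructed sample of the IPv4 section of a Windows "route print" (not from the thread).
# 192.168.1.50 is the laptop's LAN adapter, 10.8.0.20 its VPN adapter.
# The /32 host route for 10.1.1.10 via the LAN gateway is the kind of entry the question describes.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1    192.168.1.50      20
         10.0.0.0        255.0.0.0        10.8.0.1       10.8.0.20       1
       10.1.1.10  255.255.255.255     192.168.1.1    192.168.1.50       1
      192.168.1.0    255.255.255.0         On-link    192.168.1.50     276
"""

LAN_IF = "192.168.1.50"   # constructed
VPN_IF = "10.8.0.20"      # constructed


def parse_route_print(text):
    """Return a list of (network, gateway, interface, metric) tuples from route print output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # header and blank lines do not have five fields
            continue
        dest, mask, gw, iface, metric = parts
        try:
            net = ipaddress.IPv4Network((dest, mask), strict=False)
            metric = int(metric)
        except ValueError:           # not a route line
            continue
        routes.append((net, gw, iface, metric))
    return routes


def best_route(routes, host):
    """Longest-prefix match; lower metric wins ties, as on Windows."""
    addr = ipaddress.IPv4Address(host)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def leaked_hosts(routes, hosts, vpn_if):
    """Map each host whose best route does NOT leave via the VPN adapter to (network, gateway, interface)."""
    leaks = {}
    for h in hosts:
        r = best_route(routes, h)
        if r is not None and r[2] != vpn_if:
            leaks[h] = (str(r[0]), r[1], r[2])
    return leaks


def classful_network(addr):
    """Classful network implied by the first octet when no mask is supplied (A=/8, B=/16, C=/24)."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    prefixlen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


if __name__ == "__main__":
    routes = parse_route_print(SAMPLE_ROUTE_PRINT)
    corporate_hosts = ["10.1.1.10", "10.1.1.11"]   # constructed: primary DC and another DC
    for host, (net, gw, iface) in leaked_hosts(routes, corporate_hosts, VPN_IF).items():
        print(f"{host}: matched {net} via {gw} on {iface} -> bypasses the VPN adapter")
    print("classful network for", VPN_IF, "is", classful_network(VPN_IF))
```

Run it on a real machine by replacing SAMPLE_ROUTE_PRINT with the captured "route print" text and VPN_IF with the tunnel adapter's address; any host listed in the output is one whose traffic never enters the tunnel, which is the condition to look for before and after removing the stray route or tightening the pool mask.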