Cisco Support Community
New Member

ASA Remote Access VPN Default Route

Is it possible for remote access VPN sessions to have a different default route than the ASA? My ASA default route points to the Internet.  I want my remote access VPN sessions to have a default route that points to an internal system.

5 REPLIES

Re: ASA Remote Access VPN Default Route

Hi,

I'm not sure I understand.

It is not a requirement to have a default route pointing to the ASA as long as there's a route for the specific destinations that you want to reach through the tunnel.

Please explain.

Federico.

New Member

Re: ASA Remote Access VPN Default Route

Currently my VPN sessions terminate on my VPN firewall. Internet-related activity hairpins at the VPN firewall outside interface. My internal users go to the Internet via my Internet firewall. I have monitoring and filtering in place for my Internet firewall. I would like VPN sessions' Internet-related traffic to pass through my Internet firewall. Traffic flow would look something like: VPN sessions would terminate and decrypt at the outside interface of my VPN firewall, VPN Internet traffic would leave the VPN firewall out the inside interface, go to the inside interface of the Internet firewall, then out to the Internet through the outside interface of the Internet firewall.

I should also say, this was possible with the VPN concentrators. The setup I describe above was in place when we had 3030s.

Does this help?

Re: ASA Remote Access VPN Default Route

Should work.

VPN client traffic can terminate on the VPN server, exit out the inside interface and get out to the Internet via the Firewall.

So... the VPN server is now an ASA, and the Internet firewall, what device is it?

In order to make it work you need to change the hairpin rule for Internet traffic to allow VPN clients to exit out the inside interface.

Federico.

Bronze

Re: ASA Remote Access VPN Default Route

Hi,

You could use a tunneled route to route all the VPN traffic to the Internet firewall.

route inside 0 0 "internet firewall IP address" tunneled

This would send all the VPN traffic being received by the ASA to the Internet firewall where you could do the filtering and stuff.

Cheers,

Nash.
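
Added example (not part of the original thread and not Cisco code): a simplified Python model of the lookup order that a tunneled default route produces, showing that only decrypted VPN traffic without a more specific route is sent to the Internet firewall. The routing table, addresses and the lookup() helper are constructed for illustration.

```python
import ipaddress

# Constructed routing table for the two-firewall layout discussed in the thread.
# Addresses are placeholders (RFC 5737 / RFC 1918), not values from the thread.
# Fields: (prefix, egress interface, next hop, tunneled flag)
ROUTES = [
    ("0.0.0.0/0", "outside", "203.0.113.1", False),  # standard default route
    ("0.0.0.0/0", "inside", "10.0.0.254", True),     # tunneled default -> Internet firewall
    ("10.0.0.0/8", "inside", "10.0.0.1", False),     # internal networks
]


def lookup(dst, from_tunnel, routes=ROUTES):
    """Return (interface, next_hop) for dst, or None if nothing matches.

    Model assumptions: specific static or learned routes are consulted first
    for all traffic; the tunneled default applies only to traffic that came
    out of a VPN tunnel; everything else falls back to the standard default.
    """
    addr = ipaddress.ip_address(dst)
    parsed = [(ipaddress.ip_network(p), i, n, t) for p, i, n, t in routes]

    # 1. Longest-prefix match among non-default routes.
    specific = [r for r in parsed if r[0].prefixlen > 0 and addr in r[0]]
    if specific:
        best = max(specific, key=lambda r: r[0].prefixlen)
        return best[1], best[2]

    defaults = [r for r in parsed if r[0].prefixlen == 0]

    # 2. Decrypted VPN traffic prefers the tunneled default when one exists.
    if from_tunnel:
        for _, iface, hop, tunneled in defaults:
            if tunneled:
                return iface, hop

    # 3. Everything else (and VPN traffic with no tunneled route) uses the
    #    standard default, which is the hairpin-on-outside case.
    for _, iface, hop, tunneled in defaults:
        if not tunneled:
            return iface, hop
    return None


if __name__ == "__main__":
    for dst, vpn in [("198.51.100.7", True), ("198.51.100.7", False), ("10.1.2.3", True)]:
        print(dst, "from_tunnel=%s" % vpn, "->", lookup(dst, vpn))
```

Removing the tunneled entry from the table returns VPN Internet traffic to the outside interface, which is the hairpin behaviour the original poster wanted to avoid because it bypasses the Internet firewall's monitoring and filtering.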

New Member

Re: ASA Remote Access VPN Default Route

Thanks, Avinash!   I had the same routing need and your solution works like a charm.
