06-02-2014 07:44 PM - edited 02-21-2020 07:40 PM
Greetings,
I am looking to configure a Cisco ASA 5515X for Cisco AnyConnect Essentials SSL VPN where ALL SSL-VPN traffic is tunneled, no split tunneling or hairpinning on the outside interface. However, users require internet access. I need to route traffic out the "trusted" or "inside" interface to another device that performs content filtering and inspection, which then egresses out to the internet from there. Typically this could be done using a route-map (which ASAs do not support) or with a VRF (again, not an option on the ASA). The default route points to the outside interface toward the internet.
Is there no other method to force all my SSL-VPN traffic out the inside interface toward LAN subnets as needed and have another default route point toward the filtering device?
OR
Am I forced to put the ASA behind the filtering device somehow?
06-02-2014 08:23 PM
Hi Jim,
You can use tunnel default route for vpn traffic:
ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled
configure mode commands/options:
<1-255> Distance metric for this route, default is 1
track Install route depending on tracked item
tunneled Enable the default tunnel gateway option, metric is set to 255
This route applies only to VPN traffic.
HTH,
Shetty
04-19-2016 04:41 PM
I know this is an old post, but I am curious to know if the route with the tunneled keyword is the right fix to send all internet traffic out from the inside interface of the VPN to an attached layer 3 device that knows internet routes. I tried it today but it didn't work. VPN users can reach all internal and DMZ resources but not the internet. The trace dies at VPN and packet-tracer drops at WEBVPN-SVC.
-Josh
04-19-2016 06:17 PM
Hi Joshuskarki,
Following doc explains the use of tunnel-default route:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112182-ssl-tdg-config-example-00.html
All it does is forward the packets received from the tunnel to the gateway mentioned in the tunnel default route. If the traffic fails, then troubleshoot it like any other traffic on the upstream devices.
The key thing would be to make sure the upstream device (before the ISP) knows the routing info for the VPN pool, so return traffic can be forwarded back to the ASA.
Do a capture on the ASA internal interface to check whether it is forwarding the request packets and receiving the replies.
BR
Santhosh
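The following is an added worked example of the tunnel default gateway that Shetty describes (the `route ... tunneled` line) together with the return-route and capture checks that Santhosh lists. It is not configuration from any post in this thread and not Cisco's own documentation; every address, object and name in it (inside 10.1.1.1/24, the filtering device at 10.1.1.2, the outside next hop 203.0.113.1, the pool 192.168.50.0/24, VPN-POOL, GP-TUNNELALL, VPN-POOL-NET, ANY4, VPNOUT) is an assumption chosen for illustration.

```cisco
! ===== ASA (assumed addressing: inside 10.1.1.1/24, content filter at 10.1.1.2) =====

! Ordinary default route for the ASA's own and non-VPN traffic stays on outside.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Tunnel default gateway. Only traffic that entered through a VPN tunnel
! (AnyConnect/SSL, IPsec remote access, LAN-to-LAN) AND has no more specific
! route in the table is forwarded to this next hop. The metric is forced to 255
! and only one tunneled default route may be configured.
! Caveat: the tunneled option cannot be combined with unicast RPF
! ("ip verify reverse-path") on the egress (here: inside) interface.
route inside 0.0.0.0 0.0.0.0 10.1.1.2 tunneled

! Remote-access pool and a tunnel-all group policy (no split tunnelling).
ip local pool VPN-POOL 192.168.50.10-192.168.50.254 mask 255.255.255.0
group-policy GP-TUNNELALL internal
group-policy GP-TUNNELALL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 address-pools value VPN-POOL

! Identity NAT for the pool towards inside (assumption: only needed if another
! NAT rule would otherwise match decrypted client traffic). "route-lookup" makes
! the ASA choose the egress interface from the routing table, so the tunneled
! route above is honoured; the filter then sees the untranslated pool addresses.
object network VPN-POOL-NET
 subnet 192.168.50.0 255.255.255.0
object network ANY4
 subnet 0.0.0.0 0.0.0.0
nat (outside,inside) source static VPN-POOL-NET VPN-POOL-NET destination static ANY4 ANY4 no-proxy-arp route-lookup

! ===== Inside L3 device / content filter (10.1.1.2, IOS-style syntax assumed) =====
! Return route for the pool must point back at the ASA's inside interface;
! without it, replies follow the device's own default route and never reach
! the tunnel, which looks from the client like "internal works, internet dead".
ip route 192.168.50.0 255.255.255.0 10.1.1.1

! ===== Verification on the ASA =====
! Confirm the tunneled route is present in the running configuration.
show running-config route
! Capture on inside for the pool: you should see the client's outbound packets
! to the filter AND the replies coming back from 10.1.1.2 towards the pool.
capture VPNOUT interface inside match ip 192.168.50.0 255.255.255.0 any
show capture VPNOUT
no capture VPNOUT
```

Two points worth checking when reading the capture: if outbound packets appear but no replies, the fault is on the filter or beyond (missing return route, or the filter not NATting the pool before its own upstream), not on the ASA; if no outbound packets appear at all, a more specific route or a NAT rule is steering the pool traffic elsewhere, since the tunneled route is only used when nothing more specific matches.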
04-19-2016 09:39 PM
Thanks for your quick reply, Santosh!
If I take some known public addresses, e.g. 4.2.2.2 or 8.8.8.8, and configure static routes pointing them to the next hop towards the inside interface, it works just fine. VPN users can ping these addresses. That confirms the NAT and the return routes from the internet router to the VPN address pool are all good. It is just that the route with tunneled, as the link explained, doesn't seem to be working in my environment. I am sure I am missing something obvious somewhere in the config.
My setup has a few other groups with split-tunneling on, and those have been working fine.
The one (new group) I am currently testing is tunnel-all traffic with VPN always-on. Always-on seems to be working and I can reach internal resources as well, but the traffic isn't going out to the internet :(
-Josh