I have an ASA 5505 that has been configured for dual ISP failover and remote access vpn. The remote clients are able to connect to the ASA and tunnel gets established but they are unable to ping anything in the inside network or go to the Internet through the ASA.
The remote clients are getting a default gateway that does not exist on the ASA anywhere. I want the default gateway to be the inside interface of the ASA for the remote clients.
Here is the IP config of the remote client.
IP Address: 10.31.111.10
Subnet Mask: 255.255.255.0
Gateway: 10.31.111.1 <-------------------- this does not exist anywhere on the ASA
The Inside interface on the ASA is the default gateway of the Internal network. I have configured access-lists to allow the VPN space to talk to the Internal network and configured the two networks as NAT Exempt.
What type of VPN are you using? Normally on a modern SSL VPN (AnyConnect client), there is not a default gateway handed out to the client. Instead, the inside routes of the ASA are passed to the client (consistent with the tunneling policy configured - all networks or those specified) and installed in the client's routing table. The gateway used by the ASA will also be used by the remote access VPN client.
You normally don't need an access-list entry because the VPN users generally bypass the pre-configured access-list.
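As an added illustration of the pieces the reply refers to (not configuration from the original post or from the poster's ASA), the fragment below shows an ASA 8.3+ remote-access setup in which the client pool is the 10.31.111.0/24 space from the question, the inside subnet 192.168.1.0/24 is a placeholder for the real internal network, and the object, pool, policy and group names are invented for the example. It exempts inside-to-VPN traffic from NAT, pushes only the internal subnet through the tunnel, and relies on the default bypass of interface ACLs for decrypted VPN traffic rather than on explicit access-list entries.

```cisco
! Address pool handed to remote-access clients (range constructed inside the
! 10.31.111.0/24 space shown in the question)
ip local pool VPN_POOL 10.31.111.10-10.31.111.100 mask 255.255.255.0
!
! Placeholder internal subnet; replace with the real inside network
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
object network VPN_NET
 subnet 10.31.111.0 255.255.255.0
!
! NAT exemption (8.3+ twice NAT): inside <-> VPN traffic keeps its real addresses
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_NET VPN_NET no-proxy-arp route-lookup
!
! Split tunnel: only the internal subnet is routed through the tunnel, so the
! client keeps its local default route for Internet traffic
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Bind the pool and policy to the connection profile
tunnel-group RA_GROUP general-attributes
 address-pool VPN_POOL
 default-group-policy RA_POLICY
!
! Decrypted VPN traffic bypasses interface access-lists (this is the default;
! shown explicitly so its effect on the ACL discussion above is clear)
sysopt connection permit-vpn
```

With `tunnelspecified`, the client installs a route for 192.168.1.0/24 only, so a gateway such as 10.31.111.1 never needs to exist on the ASA; choosing `tunnelall` instead sends the client's Internet traffic through the ASA as well, which then also requires a NAT rule for the VPN pool leaving the outside interface. `show nat` and `show vpn-sessiondb` are the usual checks that the exemption rule is hit and that the expected policy was applied to the session.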