Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Default gateway for IPSec Remote Access VPN

Hi,

I have a question regarding IPSec VPN gateway. When my client uses a  cisco vpn client, I always get the first IP of my address pool as the  default gateway. For example, If I assign the client IP in range  192.168.0.0/24, all the clients will get the default gateway of  192.168.0.1. Can we change this behavior to a partucular IP?

5 REPLIES

Default gateway for IPSec Remote Access VPN

Why would you want to change the default gateway to another IP?  Let me ask you this - if you connect to the VPN and recevie a /32 IP of 192.168.1.1.  This IP is assigned to a virtual adapter on the client machine.  If you change the DG to another IP - where does that IP exist? How does the VPN client know which interface/virtual adapter to encrypt and send the VPN traffic thru to get to the remote end??

This is normal for the VPN client.

New Member

Default gateway for IPSec Remote Access VPN

Yes, I understand. The problem is my ASA/VPN terminator is not using that IP address and its already assigned to another device. The reason I want to change the IP is because I want to change it to use ASA IP address.

Bronze

Default gateway for IPSec Remote Access VPN

I agree to Andrew's explanation. You can't change the vpn client gw to ASA ip not just because you want to change it as you said above.

Logically, what you are saying is not even making sense. The traffic is initiated from your VPN adapter which is a non-routable address on the internet. Moreover, to go encrypted, it has to be encapsulated to your client's public ip address which will then reach the local ISP gw, then to ISP and then taking other hops it would reach your ASA. By asking for your ASA's IP address as the gw for vpn client, you are somewhat asking to have some IP address on the internet to be your local VPN machine's IP address. Hence, this makes no sense.

bdw, by your statement,"already assigned to another device" are you saying that the 192.168.0.1 is already assigned to some other vpn device? if that's so that it does not matter, because the gw address that you see on vpn client machine is specific to that machine only.

Hope the other side of the explanation makes sense to you and clarifies your doubt.

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries
New Member

Default gateway for IPSec Remote Access VPN

Hi Mopaul,

you are correct. Somehow I focused on the dummy gateway that Cisco VPN client put. But I remember that the traffic to be put on the vpn interface is defined on the access-list on the tunnel property. Thanks for the discussion guys.

Bronze

Default gateway for IPSec Remote Access VPN

Hi Prima,

Glad i could answer your query and provide some clarification on the thoughts here.

Kindly rate all useful posts/comments and mark them as answered while ending the discussions. This helps other users on forum with similar queries.

Cheers...!!!

Regards,

mopaul

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries
3753
Views
0
Helpful
5
Replies