OK .. crazy question here. I have a VPN client either on the older concentrator using IPSec or the newer ASA, but both profiles are set to tunnel everything. How does traffic flow if I go to, say, www.google.com? Does it flow from the client to the concentrator and then inside to follow my internet rules there, or does it flow from the client to the concentrator and then follow the default rules for the concentrator itself?
I guess the answer to this would depend on your design and whether or not you are using NAT hairpinning. I have seen both: where the ASA will hairpin the clients' internet traffic back out of the OUTSIDE interface, and I have also seen a design where there was a default route on the ASA with the "tunneled" argument, which instructs the ASA to forward VPN client traffic to a next-hop IP address where the clients' internet traffic can then be proxied.
I guess I fall into the hairpinning category. Playing with different traceroutes and pings, I am going back out to the internet via the default route for the concentrator and ASA. If I traceroute from my client back to a system on the inside there are four hops and they make sense. If I traceroute from the client to, say, google then I have about 16 hops and it does complete. I am now trying to figure out why HTTP to, say, google does not work. I am thinking that may be something up with my cloud firewall provider. That is what started this whole thing in the first place.
I was just wondering if there was a way to have the default route for just my address pool point back towards the inside. I guess that would be a NAT to a new VLAN on the inside?
This would again depend on your design. If you have more than one exit point to the internet, you can send your VPN client traffic to the internal network by using the "tunneled" keyword at the end of your static route statement on the ASA and let your internal network perform the default routing to a different exit point for internet access. Just remember that your internal network needs to have a route back to your VPN client's subnet for that to work.
If you only have one point out of your network to the internet, then it really doesn't make any sense to send your VPN client's internet traffic to your internal network. NAT hairpinning would be the solution for that design or allow your clients to use split tunneling.
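As an added illustration (not configuration posted by anyone in this thread), here are the two designs described above in ASA 8.3+ syntax, with constructed addresses; the pool, next-hop and interface names are assumptions.

```cisco
! Constructed example. Assumed: outside interface toward ISP next hop
! 203.0.113.1, inside interface 10.1.1.1 with an internal router at
! 10.1.1.2, a tunnel-all client pool of 10.10.10.0/24 and an internal
! network 10.0.0.0/8.
ip local pool VPN_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

object network VPN_POOL_NET
 subnet 10.10.10.0 255.255.255.0
object network INSIDE_NET
 subnet 10.0.0.0 255.0.0.0

! Identity NAT so client-to-inside traffic is not translated.
nat (outside,inside) source static VPN_POOL_NET VPN_POOL_NET destination static INSIDE_NET INSIDE_NET no-proxy-arp route-lookup

! ---- Design A: single internet exit, NAT hairpinning ----
! Client internet traffic arrives on outside and leaves on outside.
same-security-traffic permit intra-interface
object network VPN_POOL_NET
 nat (outside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! ---- Design B: second exit inside, "tunneled" default route ----
! Only VPN-terminated traffic follows the tunneled route; everything
! else still uses the normal default route above.
route inside 0.0.0.0 0.0.0.0 10.1.1.2 tunneled
! The internal router must route 10.10.10.0/24 back to 10.1.1.1, or
! return traffic never reaches the clients.

! Checks: confirm which path a client HTTP flow actually takes.
! show route
! packet-tracer input outside tcp 10.10.10.5 40000 198.51.100.10 80 detailed
```

In the packet-tracer output, the NAT and route-lookup phases show whether the flow is hairpinned out the outside interface or handed to the inside next hop, which narrows down the "traceroute works but HTTP fails" symptom to the ASA or to whatever sits beyond it.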