Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

routing through VPN concentrator / ASA

OK .. crazy question here. I have a  VPN client either on the older concentrator using IPSec or the newer ASA but both profiles are set to tunnel everything. How does traffic flow if I go to say www.google.com. Does it flow from the client to the concentrator then inside to follow my internet rules there or does it flow from the client to the concentrator then follow the default rules for the concentrator itself?

Brent

3 REPLIES
New Member

Re: routing through VPN concentrator / ASA

I guess the answer to this would depend on your design and whether or not you are using NAT hairpinning.  I seen seen both where the ASA will hairpin the clients internet traffic back out of the OUTSIDE interface and I have also seen a design where there was a default route on the ASA with the "tunneled" argument which instructs the ASA to forward VPN client traffic to a next hop IP address where the clients internet traffic can then be proxied.

New Member

Re: routing through VPN concentrator / ASA

Erick,

I guess I fall into the hairpinning catagory. Playing with different traceroutes and pings I am going back out the internet via the default route for the concentrator and ASA. If I traceroute from my client back to a system on the inside there are four hops and they make sense. If I traceroute from the client to say google then I have about 16 hops and it does complete. I am now trying to figure out why HTTP to say google does not work. I am thinking that may be somethign up with my cloud firewall provider. That is what started this whole thing in the first place.

I was just wodering if there was a way to have the default route for just my Address pool point back towards the inside. I guess that would be a NAT to a new VLAN on the inside?

Brent

New Member

Re: routing through VPN concentrator / ASA

Hi bberry,

This would again depend on your design.  If you have more than one exit point to the internet, you can send your VPN client traffic to the internal network by using the "tunneled" keyword at the end of your static route statement on the ASA and let your internal network perform the default routing to a different exit point for internet access  Just remember that your internal network needs to have a route back to your VPN client's subnet for that to work.

If you only have one point out of your network to the internet, then it really doesn't make any sense to send your VPN client's internet traffic to your internal network.  NAT hairpinning would be the solution for that design or allow your clients to use split tunneling.

256
Views
0
Helpful
3
Replies
CreatePlease login to create content