Routing to SSL VPN client IP pool

newtwork1
Level 1

Final goal:

I’m creating SSL VPN access through an ASA to 3 server resources a couple networks away from the VPN network ingress. All servers are located on the same subnet.

Current testing setup:

I have the ASA configured for SSL VPN access through username and certs. That's working: I can connect via the ASA through the SSL VPN and remote desktop to a PC I have connected to the inside interface with no problem

(computer - outside ASA inside – computer).

I removed the computer from the inside interface, connected a 2811 on that interface, and connected the computer to the other interface on the new router

(computer - outside ASA inside – fa0/1 2811 fa0/0 – computer).

I’m only using static routes through this network. On the 2811 connected to the inside ASA interface I added the static route of my SSL Client Pool addresses. I did not add the route to my ASA as they are directly connected.

The routing I’ve configured on the ASA is

route inside 0.0.0.0 0.0.0.0 next hop to inside interface (2811 fa0/1 IP)

-I cannot ping the SSL VPN Client IP from the ASA command line

-When I do a sh route on the ASA I can see the ASA dynamically creates a route for the address of the connected SSL client to the outside interfaces next hop.

-And I obviously am unable to ping the SSL VPN client IP from the 2811

?? Even though the ASA has the route to my SSL client, do I need to add a special routing configuration to the ASA to route from the inside interface to the SSL VPN pool network?

?? Do I need to create an interface that acts as default gateway for the SSL VPN pool?

?? Anyone have a link for a document on routing on the ASA and especially one that focuses on routing to and from your SSL VPN Client pool?

On a side note, I noticed when doing an ipconfig on my connected SSL client that the default gateway for the address pulled from the pool was just the next IP up from the IP it pulled. Why does the pool not have a default gateway setting, or did I miss it? Will each client I connect have a different default gateway IP, or has the ASA dynamically picked that IP as the default gateway for all clients that will connect?

I appreciate the help

Newt


6 Replies

Vikas Saxena
Cisco Employee

> I'm only using static routes through this network. On the 2811 connected to the inside ASA interface I added the static route of my SSL Client Pool addresses. I did not add the route to my ASA as they are directly connected.
>
> The routing I've configured on the ASA is
>
> route inside 0.0.0.0 0.0.0.0 next hop to inside interface (2811 fa0/1 IP)
>
> -I cannot ping the SSL VPN Client IP from the ASA command line
>
> -When I do a sh route on the ASA I can see the ASA dynamically creates a route for the address of the connected SSL client to the outside interfaces next hop.
>
> -And I obviously am unable to ping the SSL VPN client IP from the 2811

The route you have configured, 'route inside 0.0.0.0 0.0.0.0 next hop to inside interface (2811 fa0/1 IP)', on the ASA is not correct.

This is the syntax for configuring a default route on the ASA. I suppose you wanted to configure a tunnel default route; the syntax is:

route inside 0.0.0.0 0.0.0.0 next hop to inside interface (2811 fa0/1 IP) tunnel

After correcting the route, please try to ping the connected client's IP address as 'ping inside '.

I think you already have NAT bypass configured on the ASA.

If that does not work then please include the configuration of the router and the ASA.

> On a side note I noticed when doing an ipconfig on my connected SSL client the default gateway for the address pulled from the pool was just next IP up from the IP it pulled. Why does the pool not have a default gateway setting or did I miss it? Will each client I connect have a different default gateway IP or has the ASA dynamically picked that IP as the default gateway for all clients that will connect?

The default gateway configuration has local significance only. Until Windows XP, the IPsec VPN clients used to have their own IP address as the default gateway. This was obviously a code cheat which Vista and Windows 7 refused to accept; the newer VPN Client (including AnyConnect) then just picks any IP address in the same range and assigns it to the virtual adapter to keep the TCP/IP stack of the PC happy. When a packet needs to go to the tunnel, the OS routes it to the VA; after encryption the VA encapsulates the packet with a new IP header, with the source IP picked from the physical interface and the ASA public IP as the destination, and the OS then routes it again based on the new header.

Vikas,

Thanks for the response

I do not have NAT enabled in this configuration. The internet connection into the ASA will only be used for VPN client access to the servers; they will not be able to access anything except the servers (no internet while connected to the VPN).

I'm sure after this is up and running for a week the requirements will change to require internet access. That's just how things work here...

If the current requirement does not include internet access out through the ASA's internet connection, then is the NAT configuration not required?

If I add the

route inside 0.0.0.0 0.0.0.0 next hop to inside interface (2811 fa0/1 IP) tunnel

and my configuration is

computer - outside ASA inside – fa0/1 2811 fa0/0 – computer

With the route ip route "net for SSL Pool" "MASK" "ASA inside interface IP" added to the 2811, if I ping from the 2811 to the connected SSL VPN client IP it should work??

Do you know of any recommended reading to understand how ASA routing is different than an IOS router?

Newt

Hey,

The route 'route inside 0.0.0.0 0.0.0.0 next hop to inside interface (2811 fa0/1 IP) tunnel' is called the tunneled default gateway. If this route is there then all the traffic from the SSL VPN client will go straight to the 2811. This actually depends upon your requirement.

If ASA has all the specific routes to go to the subnets behind the router then you do not need the tunneled default route. The ASA will route the traffic to the next hop based on the routes it has.

> With the route: ip route "net for SSL Pool" "MASK" "ASA inside interface IP" added to the 2811 if I ping from the 2811 to the connected SSL VPN client IP it should work??

Yes, you need that route in the router.

> If the current requirement is not internet access out the internet connection to the ASA then the NAT configuration is not required?

Yes, it is not required, as by default the ASA has 'no nat-control'.

> Do you know of any recommended reading to understand how ASA routing is different than an IOS router?

It is actually not; the basics of routing are similar in IOS and ASA code. There are some rules which need to be followed since the ASA is a firewall.

The tunneled default route is a special route carried over from the VPN Concentrator 3000 series. It is there for the case when the ASA does not need to know all the routes in the enterprise and there is a special router handling the routing. This route in that case will act as a default route for the traffic coming out of VPN tunnels (only).

Could you post the configuration of the ASA and the router in case it is still not working.

Vikas,

Once again thanks for the response. I'll plug this in on Monday and get back to the post. I appreciate the support!

Newt

Vikas,

I haven't had the chance to get this done, but I'll do it on Monday.

I thought of another question that arose after reading the section below in the Cisco Security Appliance Command Line Configuration

> You can define a separate default route for tunneled traffic along with the standard default route. When you create a default route with the tunneled option, all traffic from a tunnel terminating on the security appliance that cannot be routed using learned or static routes is sent to this route. For traffic emerging from a tunnel, this route overrides any other configured or learned default routes.
>
> The following restrictions apply to default routes with the tunneled option:
>
> Do not enable unicast RPF (ip verify reverse-path) on the egress interface of tunneled route. Enabling uRPF on the egress interface of a tunneled route causes the session to fail.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html#wp1047894

On my ASA I have

ip verify reverse-path interface inside

ip verify reverse-path interface outside

From what I've read, one of these has to be wrong.

In the quote, when they refer to "Do not enable unicast RPF (ip verify reverse-path) on the egress interface of tunneled route.", are they referring to the interface the tunneled route is directed to (in my case route inside 0.0.0.0 0.0.0.0 next hop to inside interface (2811 fa0/1 IP) tunnel), which would be the inside interface?

So I should configure 'no ip verify reverse-path interface inside'.

Right?

Newt

Yes, that's right. You should have 'no ip verify reverse-path interface inside' for the inside interface. That is true only when you are configuring a tunneled default route.
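The pieces discussed across this thread (the tunneled default route on the ASA, the return route for the pool on the 2811, and uRPF left off on the tunneled route's egress interface) pulled together into one worked configuration. This is an added example, not a configuration posted by either participant. All addresses are constructed: ASA outside 203.0.113.2/24 with upstream 203.0.113.1, ASA inside 10.0.0.1/24, 2811 fa0/1 10.0.0.2, servers on 10.0.1.0/24 behind the 2811's fa0/0, and an SSL VPN pool of 172.16.50.0/24. The ASA keyword is written as `tunneled`, the option named in the configuration guide quoted above, rather than the shorthand `tunnel` used in the replies.

```text
! ===== ASA (constructed example; substitute your own addresses) =====
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Address pool handed to SSL VPN clients. The ASA installs a /32 host route
! toward 'outside' for each connected client; 'show route' shows it.
ip local pool SSLPOOL 172.16.50.1-172.16.50.50 mask 255.255.255.0
!
! Standard default route: how the ASA reaches the clients' public addresses.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Tunneled default route: used ONLY for traffic emerging from a VPN tunnel
! that matches no static or learned route. It hands that traffic to the 2811.
route inside 0.0.0.0 0.0.0.0 10.0.0.2 1 tunneled
!
! Alternative: if the ASA carries a specific route for every subnet behind the
! 2811, the tunneled default is not needed. Uncomment to use this style instead.
! route inside 10.0.1.0 255.255.255.0 10.0.0.2 1
!
! uRPF must stay off on the egress interface of the tunneled route (inside).
! Leaving it enabled on 'outside' is fine.
no ip verify reverse-path interface inside
ip verify reverse-path interface outside
!
! No NAT statements are required for this setup: 'no nat-control' is the
! default, and the clients only need to reach 10.0.1.0/24 (no internet egress).

! ===== 2811 (constructed example) =====
interface FastEthernet0/1
 ip address 10.0.0.2 255.255.255.0
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
!
! Return route for the VPN pool: without this, replies from the servers have
! no path back to 172.16.50.x and pings from the 2811 to a client fail.
ip route 172.16.50.0 255.255.255.0 10.0.0.1

! ===== Checks once a client is connected (e.g. client got 172.16.50.1) =====
! ASA:  show route                       -> expect 172.16.50.1/32 via outside
! ASA:  ping inside 172.16.50.1          -> reply means the tunneled route and
!                                           uRPF setting are correct
! 2811: ping 172.16.50.1 source 10.0.1.1 -> reply means the return route works
```

Pick one of the two ASA styles: the tunneled default when the 2811 owns the routing knowledge for the enterprise, or explicit `route inside` entries when the ASA should only ever forward VPN traffic to the server subnets it knows about. The uRPF restriction applies only to the tunneled-default style, which is why `ip verify reverse-path interface inside` can stay enabled if the specific-route alternative is used.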
