New Member

VPN Client Default Gateway is blank

Hello,

When I log in thru ASA Remote Access VPN via the VPN client, I have a new IP assigned but the default gateway is blank. Why is it so?

ACCEPTED SOLUTION

Re: VPN Client Default Gateway is blank

Sorry - been busy with something else.

OK - can you see from the ASA the packet being encrypted and de-crypted?

Does the ASA have the relevant routes in it?

Does the ASA have the correct IP subnets in the VPN split tunnel list?

21 REPLIES

Re: VPN Client Default Gateway is blank

That is correct - this is because the traffic is passed thru the local encryption client stack.

This is OK.

New Member

Re: VPN Client Default Gateway is blank

Thanks.

I am able to log into the main network via the Remote Access VPN Client. But I am not able to initiate connections to other connected networks from the main network. What do I need to do to enable access to other networks?

Re: VPN Client Default Gateway is blank

Those IP subnets need to be in the encryption domain list configured in the VPN concentrator. I presume you have split tunneling configured?

New Member

Re: VPN Client Default Gateway is blank

Yes. I have configured split tunnel on ASA and the problem network has been added to the 'Split Network Tunnel List' via ASDM.

What do you mean by crypto domain list?

Thanks.

Re: VPN Client Default Gateway is blank

Encryption domain = split tunnel networks, the IP subnets you want the client to send/receive encrypted traffic for.

If you have the IP subnets in the split-tunnel list and you still cannot reach them, then check your routing. REMEMBER the remote ip subnets MUST know how to reach the IP addresses of the remote VPN clients - basic routing.

New Member

Re: VPN Client Default Gateway is blank

The routing part is Ok. Because I logged into another host on the main network (without VPN) and am able to reach the other network.

But thru the VPN assigned IP on the main network I cannot reach the other network.

There is another firewall before the other network, and the logs for port 3389 are as follows, which show the connection timing out.

Aug 27 2009 15:32:31: %FWSM-6-302013: Built inbound TCP connection 145686386116986871 for OUTSIDE:192.168.169.199/51517 (192.168.169.199/51517) to DMZ2:192.168.170.60/3389 (192.168.170.60/3389)

Aug 27 2009 15:32:52: %FWSM-6-302014: Teardown TCP connection 145686386116986871 for OUTSIDE:192.168.169.199/51517 to DMZ2:192.168.170.60/3389 duration 0:00:20 bytes 264 Conn-timeout
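As an added example (not code from the thread), a small Python parser for FWSM 302013/302014 build and teardown messages that pairs them by connection ID and flags sessions torn down with Conn-timeout after moving only a handful of bytes, the pattern in the log above. The first two sample lines mirror the quoted messages; the second connection is constructed as a healthy contrast.

```python
import re

# Constructed sample: the first two lines mirror the FWSM messages quoted in the
# thread; the second connection (from 192.168.169.10) is made up as a healthy contrast.
SAMPLE_LOG = """\
Aug 27 2009 15:32:31: %FWSM-6-302013: Built inbound TCP connection 145686386116986871 for OUTSIDE:192.168.169.199/51517 (192.168.169.199/51517) to DMZ2:192.168.170.60/3389 (192.168.170.60/3389)
Aug 27 2009 15:32:52: %FWSM-6-302014: Teardown TCP connection 145686386116986871 for OUTSIDE:192.168.169.199/51517 to DMZ2:192.168.170.60/3389 duration 0:00:20 bytes 264 Conn-timeout
Aug 27 2009 15:33:01: %FWSM-6-302013: Built inbound TCP connection 145686386116986872 for OUTSIDE:192.168.169.10/40001 (192.168.169.10/40001) to DMZ2:192.168.170.60/3389 (192.168.170.60/3389)
Aug 27 2009 15:40:05: %FWSM-6-302014: Teardown TCP connection 145686386116986872 for OUTSIDE:192.168.169.10/40001 to DMZ2:192.168.170.60/3389 duration 0:07:04 bytes 88213 TCP FINs
"""

BUILT_RE = re.compile(
    r"%FWSM-6-302013: Built (?P<direction>inbound|outbound) TCP connection (?P<cid>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) .* to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
TEARDOWN_RE = re.compile(
    r"%FWSM-6-302014: Teardown TCP connection (?P<cid>\d+) for .* "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)


def find_stalled_connections(log_text, max_bytes=1024):
    """Return connections that were built, then torn down by Conn-timeout having
    carried at most max_bytes. A SYN that is built but never progresses is what a
    reply path that bypasses the firewall (or never reaches the client) looks like."""
    pending = {}   # connection id -> parsed build record
    stalled = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            pending[m["cid"]] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if not m or m["cid"] not in pending:
            continue
        build = pending.pop(m["cid"])
        if m["reason"] == "Conn-timeout" and int(m["bytes"]) <= max_bytes:
            stalled.append({
                "src": build["src"], "dst": build["dst"], "dport": int(build["dport"]),
                "bytes": int(m["bytes"]), "duration": m["duration"],
            })
    return stalled


if __name__ == "__main__":
    for s in find_stalled_connections(SAMPLE_LOG):
        print(f"{s['src']} -> {s['dst']}:{s['dport']} timed out after {s['duration']}, {s['bytes']} bytes")
```

Run over a real FWSM/ASA syslog feed, a burst of such entries from one source is a quick way to spot the asymmetric-path problem this thread ends up diagnosing.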

Re: VPN Client Default Gateway is blank

Being able to connect from a machine NOT on the VPN to the remote network does NOT prove the routing is OK, as you are not on the VPN.

Check that the remote network knows how to route to the IP subnet used for the RVPN.

From the above outputs, you need to check your NAT/routes/ACLs that permit inside to DMZ2 traffic.

New Member

Re: VPN Client Default Gateway is blank

The VPN assigned IP is 192.168.169.199/24. I have allowed ANY on the outside ACL of the FWSM.

Brief Topology:

Host -> CAT65 -> FWSM -> Target Host

NAT is configured on CAT65 but is not applicable to the Host VLAN. Secondly, there is no NAT configured on FWSM.

I believe the same routing should apply, since the host IP from which I can reach the destination is 192.168.169.10/24 and the VPN IP assigned is 192.168.169.199/24, so the same routes should apply (no host-based routing).

Thanks.

Re: VPN Client Default Gateway is blank

How is that possible - to have an IP address assigned of 192.168.169.199/24, which is in 192.168.169.1 <> 192.168.169.254, and not have split it from the internal network?

I suggest you create a separate pool of addresses for the Remote VPN.

New Member

Re: VPN Client Default Gateway is blank

The pool is already defined. 192.168.169.199 is part of the pool which is automatically assigned upon VPN connection. There is no conflict between the pool allocated and any other host on the same network.

The config for the pool is

ip local pool mypool 192.168.169.155-192.168.169.225 mask 255.255.255.0

tunnel-group cisco type ipsec-ra

tunnel-group cisco general-attributes

address-pool mypool

default-group-policy cisco

Re: VPN Client Default Gateway is blank

Sorry, but what I am finding hard to believe is that the FWSM is allowing you to configure:-

ip local pool mypool 192.168.169.155-192.168.169.225 mask 255.255.255.0

and it does not overlap with any other interfaces?
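An added check (not part of the thread) for the overlap Andrew is asking about: parse the ip local pool line quoted above and report which interface subnets the pool's addresses fall inside. The interface addresses in the table are assumed for illustration, not taken from the thread.

```python
import ipaddress
import re

# ASA "ip local pool NAME START-END mask MASK" syntax, as quoted in the thread.
POOL_RE = re.compile(
    r"ip local pool (?P<name>\S+) (?P<start>[\d.]+)-(?P<end>[\d.]+)(?: mask (?P<mask>[\d.]+))?"
)


def parse_local_pool(line):
    """Parse an ASA local pool line into (name, first address, last address)."""
    m = POOL_RE.search(line)
    if not m:
        raise ValueError(f"not an 'ip local pool' line: {line!r}")
    start, end = ipaddress.IPv4Address(m["start"]), ipaddress.IPv4Address(m["end"])
    if end < start:
        raise ValueError("pool end precedes pool start")
    return m["name"], start, end


def pool_overlaps(pool_line, interface_subnets):
    """Return the names of interfaces whose subnet contains any address of the pool.
    interface_subnets maps interface name -> address/prefix as configured on it."""
    _, start, end = parse_local_pool(pool_line)
    hits = []
    for ifname, cidr in interface_subnets.items():
        net = ipaddress.IPv4Network(cidr, strict=False)
        # An address range and a network overlap when neither lies wholly past the other.
        if start <= net.broadcast_address and end >= net.network_address:
            hits.append(ifname)
    return hits


# Constructed interface table; the inside and outside addresses are assumed, not from the thread.
INTERFACES = {"inside": "192.168.169.1/24", "outside": "203.0.113.2/30"}
POOL_LINE = "ip local pool mypool 192.168.169.155-192.168.169.225 mask 255.255.255.0"

if __name__ == "__main__":
    for name in pool_overlaps(POOL_LINE, INTERFACES):
        print(f"pool addresses fall inside the {name} interface subnet")
```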

New Member

Re: VPN Client Default Gateway is blank

The ip local pool has been configured on the ASA, not the FWSM. Below is the topology, with the ASA on which the VPN terminates:

ASA (VPN) -> Host -> CAT65 -> FWSM -> Target Host

Thanks.

New Member

Re: VPN Client Default Gateway is blank

Hi Andrew,

Any clues on this?

I did the capture on the FWSM. The PO packets are forwarded to the end host and there is a reply as well, i.e. to ICMP messages. What could be causing the timeouts on the FWSM if a response is being received by the end host?

I could only think of the VPN configuration on ASA causing this.

Thanks.

Re: VPN Client Default Gateway is blank

Sorry - been busy with something else.

OK - can you see from the ASA the packet being encrypted and de-crypted?

Does the ASA have the relevant routes in it?

Does the ASA have the correct IP subnets in the VPN split tunnel list?

New Member

Re: VPN Client Default Gateway is blank

Voila!!!

Worked. It was the route on the ASA.

But tell me one thing: how does the routing table in the ASA (VPN) affect the connected host? Since the host is already connected with the CAT65K as the default gateway, only CAT65's routing table should be relevant.

Re: VPN Client Default Gateway is blank

Well, the ASA still needs to route the traffic to and from the host. If the ASA has a default route pointing out to the internet, and no internal routes, it does not matter whether the Cat has routes or not, even with directly connected VLANs.

New Member

Re: VPN Client Default Gateway is blank

Hi Andrew,

More on this....

If I were to add one more ASA in the front so that the topology now becomes

ASA -> ASA -> Host -> CAT65K -> FWSM -> Target Host

where should the VPN ideally be terminated? Should it be the first ASA or the second?

Re: VPN Client Default Gateway is blank

I personally terminate VPNs on ASAs that already sit behind another firewall.

Protects your VPN device from attempted DoS attacks.

New Member

Re: VPN Client Default Gateway is blank

In my case the second ASA has AIP-SSM module.

Should I pass the VPN traffic to the IPS module? If so, then how should it be defined in the class-map for IPS traffic?

Re: VPN Client Default Gateway is blank

Why would you want to pass the VPN traffic thru an IPS? You know the VPN traffic is OK, as it's from configured peers.

New Member

Re: VPN Client Default Gateway is blank

Ok. If I were to avoid it, how could it be done? Because the traffic coming from the internet onto the same segment is currently being scanned.

And the VPN traffic for remote management is also connected to the same segment. How can I exempt the VPN traffic from being sent to the AIP-SSM?

Secondly, is it safe from a security perspective to allow internet access while the host is connected over the VPN (split tunnel) to the corporate network?
