I am replacing a 3015 concentrator with a 2801 sec-bundle router. The public interface of the concentrator sits in the 'public dmz' of our ASA. The private interface of the concentrator sits in an internal dmz of the ASA. I currently have the 2801 connected similarly, with one interface in each dmz. The router's default gateway is out the 'public' side, and it has static routes that point to all of our internal networks through the 'private' side. This is working fine for all of our lan-to-lan tunnels.
My problem is with AnyConnect SSL clients, specifically when a remote user tries to connect to the internet. Because the router's default gateway points out the 'public' side, the remote user's internet traffic is going out the 'public' side of the router and hitting the public dmz interface of our ASA. Even if I allow that traffic out, the ASA will try to route the return traffic to the remote users via the internal interface, because of the subnet that I'm terminating the remote clients on. With the concentrator and the IPSec client, there is a 'tunnel default gateway' option that lets me point all the remote user traffic at the internal side of the ASA. Unfortunately, that option does not appear to exist for the SSL client.
One option I am considering is eliminating one leg of the router. If I force all traffic in/out through one side, then I won't have this problem. Another option is to set up a new subnet for the remote access clients that is always routed through the public interface. Alternatively, I could just allow split tunneling by the clients, but I would rather not do that. Are there other options that I'm not seeing? Does anyone have a recommendation on which way to go?
If I understand, the problem is that remote clients terminate on the ASA, but they are routed to the router, whose default gateway points to the DMZ of the ASA, and that's why it is not working.
Couldn't you provide the AnyConnect SSL VPN clients with Internet access without reaching the internal router? I mean, the same ASA would terminate the remote VPN client connections and provide them with Internet access via the same outside interface on which it receives the clients.
In that case, the ASA supports asymmetric routing in versions 8.2(1) and later.
This feature is commonly used in Active/Active Failover scenarios, but it supports grouping interfaces on the same unit to continue handling packets for which it has no session information. I believe it only works for A/A failover, but take a look:
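The "terminate the clients on the ASA and hairpin their Internet traffic out the same outside interface" approach from the reply above, written out as an added ASA configuration example that is not part of the original thread. Interface names (outside, inside), the client pool 192.168.50.0/24, the internal network 10.0.0.0/8 and the group-policy and tunnel-group names are assumptions for illustration; the NAT statements use the 8.3+ syntax, with the pre-8.3 form shown in comments since the reply mentions 8.2(1). The asr-group interface command the reply refers to is not shown, because it is tied to an Active/Active failover pair.

```cisco
! Added example (not from the original post). Goal: AnyConnect clients
! enter and leave the ASA on the SAME outside interface, so their Internet
! traffic never reaches the 2801 or either DMZ leg, and return traffic is
! matched to the existing connection on the ASA instead of being routed
! toward the inside interface.

! 1. Allow a packet to leave the interface it arrived on (hairpinning).
!    Without this the ASA drops outside-to-outside traffic by default.
same-security-traffic permit intra-interface

! 2. Address pool handed to remote-access clients (assumed range).
ip local pool ANYCONNECT_POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0

! 3. PAT the client pool to the outside interface address when it goes
!    back out to the Internet. ASA 8.3+ object NAT:
object network ANYCONNECT_POOL_NET
 subnet 192.168.50.0 255.255.255.0
 nat (outside,outside) dynamic interface
! Pre-8.3 equivalent of step 3:
!   nat (outside) 1 192.168.50.0 255.255.255.0
!   global (outside) 1 interface

! 4. Do not translate client <-> internal traffic, so clients keep their
!    pool address when talking to 10.0.0.0/8 (assumed internal range).
!    8.3+ twice NAT / identity NAT:
object network INTERNAL_NETS
 subnet 10.0.0.0 255.0.0.0
nat (inside,outside) source static INTERNAL_NETS INTERNAL_NETS destination static ANYCONNECT_POOL_NET ANYCONNECT_POOL_NET
! Pre-8.3 equivalent of step 4 (NAT exemption):
!   access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
!   nat (inside) 0 access-list NONAT

! 5. Full-tunnel policy, since the poster prefers not to split-tunnel.
group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 address-pools value ANYCONNECT_POOL

tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 default-group-policy ANYCONNECT_GP

! 6. Verification: simulate a client packet bound for the Internet and
!    confirm it is hairpinned out the outside interface with PAT applied.
!    (Shown as a comment; run it from exec mode.)
!   packet-tracer input outside tcp 192.168.50.10 1025 198.51.100.1 80
```

The check that matters is the packet-tracer output: the egress interface must be outside and the NAT phase must show the client address translated to the outside interface address. If the egress shows inside, hairpinning is not permitted or the NAT exemption in step 4 is matching too broadly. Since the clients now never traverse the 2801, the router can keep its public-side default gateway and private-side static routes unchanged for the lan-to-lan tunnels.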