[c-nsp] ASA 8.3 full-tunnel VPN paradox...
Ryan West
rwest at zyedge.com
Wed Jun 29 16:45:48 EDT 2011
On Wed, Jun 29, 2011 at 16:30:13, Jeff Kell wrote:
> Subject: [c-nsp] ASA 8.3 full-tunnel VPN paradox...
>
> I'm working on replacing an old PIX VPN setup with a new ASA, and
> having a bear of a time with a full tunnel setup.
>
> The PIX (old 6.x software) has setups for both split-tunnel and
> full-tunnel profiles.
> It is *not* the outbound gateway for internet-destined traffic.
>
> Our internet traffic goes from the border to a pair of active/active
> ASAs along with our perimeter protection, IPS, and other assorted
> goodies, so that is the desired path for the full-tunnel traffic.
> Since the active/active pair can't do VPN, another ASA is serving that
> purpose (inside the other ASAs), also connected to our core.
>
> On the PIX, there is a default route on both the "outside" and "inside"
> interfaces thusly:
>
> > utc-pix# sho route | i 0.0.0.0
> > outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.246 1 OTHER static
> > inside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.20 10 OTHER static
>
> Anything connecting to the VPN (or otherwise hitting the outside
> interface) follows the outside route.
>
> Any VPN-originated traffic on the full tunnel follows the inside route.
>
> The ASA is not behaving this way... it wants to "always" follow the
> outside route for the VPN-originated full-tunnel traffic if I include
> both routes (with unequal weights, as it doesn't allow them to be the same).
>
> If I define an explicit outside route to where I VPN from, and remove
> the default outside route, it works perfectly.
>
> Is there something obvious I'm missing here to make it behave like the
> PIX does?
>
Try the keyword 'tunneled' at the end of the route statement.
-ryan
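As an added illustration of Ryan's suggestion (this is not configuration from the thread or from either poster), the ASA equivalent of the two PIX default routes would look like the following. Interface names and gateway addresses are taken from Jeff's quoted PIX output; "aaa.bbb.ccc" is the thread's own redaction and is kept as a placeholder.

```cisco
! Added example (not from the thread): two default routes on an ASA,
! one ordinary and one marked "tunneled".
!
! Ordinary default route. Used for the ASA's own outbound traffic and for
! replies to hosts that reached the outside interface, i.e. the VPN peers.
route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.246 1
!
! Tunnel default gateway. Consulted only for decrypted traffic that arrived
! through a VPN tunnel, so full-tunnel clients' internet-bound traffic is
! handed to the core (and on to the active/active pair with the IPS and
! perimeter filtering) instead of being sent straight back out "outside".
route inside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.20 tunneled
!
! Verify that both defaults are installed.
show route
```

The two routes are not compared against each other, which is why the unequal-metric workaround is no longer needed: the plain default carries everything that did not come in over a tunnel, and the tunneled default applies only to traffic that did. Only one tunneled default route is permitted, and it cannot be combined with equal-cost multipath on that interface.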