
Cisco ASA VPN Routing - follow-up to another thread

Status
Not open for further replies.

PKTLOSS

Technical User
Mar 7, 2008
1
US
This is a follow-up to thread557-1362337

The problem the original poster mentioned was that they had a default route set on the ASA through the outside interface, but when they tried to use the Web VPN portal, they couldn't reach any of their internal servers and received a "no route to host" error message.

On the Cisco ASAs you have the system default route, which most network folks will have set up on any device before. This is what gets your packets back out to end users on another ISP.

There is also the 'tunneled' default route, which is used for any traffic requested via the Web VPN link translating proxy function, or from the DTLS/TLS/IPSEC full IP layer VPN sessions.

For example, let's say the 'outside' interface is on the 10.0.0.0/255.255.255.0 (/24) network, and 'inside' is on the 192.168.0.0/255.255.255.0 (/24) network.

Your static routing would look like this:

route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
route inside 0.0.0.0 0.0.0.0 192.168.0.254 1 tunneled

With .254 being the next hop routers on both networks. The key is the 'tunneled' at the end of the default route that will lead to your internal infrastructure network.

-James
 
Good info, thanks. I responded to that thread thinking it was a router...lol

Burt
 
Actually, that command is used if you desire to route the encrypted traffic somewhere other than your default gateway.

Cisco ASA 5500 Series Solution
Users can enter static routes in the same format as Cisco PIX® to configure routes. Users will have the option to configure two default gateways, one with a "tunneled" option and one without. All traffic that arrives at the appliance and cannot be routed using learned routes or static routes will be routed through default gateways. If the traffic was encrypted when it initially arrived at the appliance, it will be routed through Default Tunnel Gateway (DTGW); otherwise, it will be routed through Default Gateway (DGW). A set of default gateways can be installed for each virtual context.
The IP routing subsystem routes data packets first using learned routes, then static routes, then the default gateway. If a default gateway is not configured, packets that cannot be routed to another host will be dropped. Also, a tunnel default gateway is specified, which is a separate default gateway for tunneled traffic only. A switch to let the default gateways learned through routing protocols override the configured default gateways is provided through the usage of floating metric. If a static route needs to be overridden by a route found by a routing protocol, it is specified with a maximum possible metric. In that case, when a route is found by Routing Information Protocol (RIP) or Open Shortest Path First (OSPF), it overrides the statically configured route.
Modification to existing CLI command when using Cisco ASA:
route <if_name> 0.0.0.0 0.0.0.0 <gateway> [<metric>] [tunneled]
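As an added illustration (not code from the thread or from Cisco), the lookup order the quoted text describes can be modelled in a few lines: longest prefix match over connected/learned/static routes first, then the plain default gateway for clear-text traffic or the tunneled default gateway for traffic that arrived inside a VPN session. The route table is constructed from James's example plus an assumed 172.16.0.0/16 static route; following the quoted wording, tunneled traffic with no matching route and no tunneled default is treated as dropped, which is the "no route to host" the original poster saw.

```python
from ipaddress import ip_address, ip_network

# Constructed route table: (prefix, interface, next_hop, kind).
# next_hop None means directly connected. kind is "connected",
# "learned" (RIP/OSPF) or "static".
ROUTES = [
    (ip_network("10.0.0.0/24"), "outside", None, "connected"),
    (ip_network("192.168.0.0/24"), "inside", None, "connected"),
    # assumed extra internal subnet behind the inside router
    (ip_network("172.16.0.0/16"), "inside", "192.168.0.254", "static"),
]

# Default gateways keyed by the 'tunneled' flag, mirroring
#   route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
#   route inside  0.0.0.0 0.0.0.0 192.168.0.254 1 tunneled
DEFAULTS = {
    False: ("outside", "10.0.0.254"),   # DGW: clear-text traffic
    True: ("inside", "192.168.0.254"),  # DTGW: VPN-originated traffic
}

# Tie-break on equal prefix length: connected, then learned, then static.
PREFERENCE = {"connected": 0, "learned": 1, "static": 2}


def lookup(dst, tunneled, routes=ROUTES, defaults=DEFAULTS):
    """Return (interface, next_hop) for dst, or None if it would be dropped.

    tunneled=True means the packet arrived inside a VPN session (WebVPN
    proxy or full-tunnel client), so it is eligible for the DTGW.
    """
    dst = ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if candidates:
        best = max(candidates,
                   key=lambda r: (r[0].prefixlen, -PREFERENCE[r[3]]))
        prefix, iface, next_hop, _kind = best
        # connected network: hand the packet straight to the host
        return iface, next_hop or str(dst)
    # no specific route: fall back to the matching default gateway.
    # Assumption from the quoted text: no gateway of that type => dropped.
    return defaults.get(tunneled)


if __name__ == "__main__":
    for dst, tun in [("192.168.0.10", True), ("8.8.8.8", False),
                     ("172.20.1.1", True), ("172.20.1.1", False)]:
        print(dst, "tunneled" if tun else "clear", "->", lookup(dst, tun))
```

Passing `defaults={False: ("outside", "10.0.0.254")}` reproduces the original poster's configuration without the tunneled route.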