Thursday, February 27, 2014

Cisco ASA: Remote-Access VPN Problem - Two Default Gateways On The Client

I was asked to come in and work on this remote-access VPN problem for a customer the other day.  They told me that when the Cisco ASA was configured, they never did get the remote-access working right.  The problem was not Phase I or Phase II.  That worked great.  However, they just couldn't get to anything inside the network, like their servers, etc.  So what was the problem?
Well, I have seen this sort of thing before.  I was thinking that it was probably either the nonat rule or the interesting-traffic ACL that didn't look right; there is not much else to look for in a VPN.  At first glance, though, those ACLs looked fine.  Then I looked at my own routing table and noticed that I had two default routes on my laptop while VPN'ed into that firewall.  Why would that be?  Here is why:
This is what the ACL looked like in the config before I got to it:
access-list nonat extended permit ip any
access-list remote_access extended permit ip any

Notice that in the ACLs above the source is "any", meaning any IP range at all.  For a remote-access VPN, a source of "any" basically equates to a default route being pushed to the client, which explains why the routing table on my laptop showed a second default gateway through the VPN adapter.

So, what do you do to fix this?  Be specific in the ACL.  Make sure that the source (in this case) is the address range of the inside network (192.168.1.0/24), rather than "any".  The ACLs will then look like this:

access-list nonat extended permit ip
access-list remote_access extended permit ip

Now, when I VPN in, my routing table looks correct:

You have to remember that for remote-access users, the 'source' address in these ACLs does two jobs: it modifies the routing table on the remote-access client laptop (each source network becomes a route through the tunnel, and "any" becomes a default route), and it tells the firewall what traffic is allowed back across the tunnel to the client.  So if a client shows a second default gateway right after connecting, go back and check the source side of the split-tunnel and nonat ACLs before digging into Phase I or Phase II.
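As an added illustration (this is not the post's own code or the customer's configuration), here is a small Python checker that parses ASA extended ACL entries and lists what the source side of each "permit ip" entry would push to a remote-access client, flagging "any" as a 0.0.0.0/0 default route.  The sample ACLs are constructed: the inside network 192.168.1.0/24 is the one from the post, while the VPN pool 192.168.50.0/24 and the exact ACL entries are assumptions made for the example.

```python
import ipaddress

# Constructed sample ASA ACLs for illustration only.
# 192.168.1.0/24 is the inside network named in the post; the VPN address
# pool 192.168.50.0/24 is an assumption (the post does not state the pool).
BROKEN_ACL = """\
access-list nonat extended permit ip any 192.168.50.0 255.255.255.0
access-list remote_access extended permit ip any 192.168.50.0 255.255.255.0
"""

FIXED_ACL = """\
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list remote_access extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
"""

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def _take_address(tokens):
    """Consume one ASA address specification from the front of `tokens`.

    Handles the classic forms: 'any' / 'any4', 'host A.B.C.D', and
    'A.B.C.D MASK'.  Returns (network, remaining_tokens).
    """
    if not tokens:
        raise ValueError("missing address specification")
    if tokens[0] in ("any", "any4"):
        return DEFAULT_ROUTE, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA extended ACLs use a real subnet mask (not a wildcard), and the
    # ipaddress module accepts the "address/mask" spelling directly.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended permit ip SRC DST' into (name, src, dst)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    name, action, proto = tokens[1], tokens[3], tokens[4]
    if action != "permit" or proto != "ip":
        raise ValueError(f"unsupported ACE (only 'permit ip' is handled): {line!r}")
    src, rest = _take_address(tokens[5:])
    dst, _ = _take_address(rest)
    return name, src, dst


def client_routes(acl_text, acl_name):
    """Networks a remote-access client would learn from ACL `acl_name`.

    For a split-tunnel list the *source* side of each 'permit ip' entry is the
    protected network that gets pushed to the client, so that is what we collect.
    """
    routes = []
    for line in acl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, src, _dst = parse_ace(line)
        if name == acl_name:
            routes.append(src)
    return routes


def pushes_default_route(acl_text, acl_name):
    """True if the ACL would hand the client 0.0.0.0/0, i.e. a second default gateway."""
    return any(net == DEFAULT_ROUTE for net in client_routes(acl_text, acl_name))


if __name__ == "__main__":
    for label, text in (("before", BROKEN_ACL), ("after", FIXED_ACL)):
        for acl_name in ("nonat", "remote_access"):
            routes = [str(n) for n in client_routes(text, acl_name)]
            flag = "DEFAULT ROUTE PUSHED" if pushes_default_route(text, acl_name) else "ok"
            print(f"{label:6s} {acl_name:14s} {routes} -> {flag}")
```

Run it against a copy of your own ACLs (the nonat and split-tunnel lists) and anything reported as 0.0.0.0/0 is a source that needs to be narrowed to the real inside network, exactly the change the post makes above.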
