We are taught that this is what defines the traffic that is to go across the VPN. For the sake of this conversation, I'm going to be talking about remote-access, not site-to-site VPNs. I can do site-to-site VPNs in another post. But I think it's important for you to know what actually happens when you configure this. Not on the firewall, but on the remote end. The client side.
You see, you have to define what is allowed across the VPN. Although it is for the firewall's benefit, it's also for the client side. How does the client know what is allowed? After all, you don't configure anything on the client side when it comes to "allowed" or "denied" traffic, right?
So, here is the thing. When you configure your ACL for encryption, you are also telling the client side what the routing table, on the client side, needs to look like. In fact, you are modifying the routing table on the client PC with this ACL. It literally serves two purposes (for the firewall and for the client). So, you all know I like proof, so here is the proof.
First, let's look at two ACLs. This is on a Cisco firewall.
Here is the NAT ACL. I do have it set correctly, because in this case it's a nonat situation. And it DOES have to be configured correctly for the VPN to work, if you are not NAT'ing.
access-list nonat extended permit ip any 10.10.12.0 255.255.255.0
Now, here is the "encryption ACL".
access-list remote_access extended permit ip any 10.10.12.0 255.255.255.0
Now, this ACL gives the client a "default route". I'm going to show you what route it puts into the client-side PC. Before I do though, I want to tell you that I want to be able to get to the 10.255.16.X network. That is the goal I have in mind. Also, I have my DHCP on the ASA hand out 10.10.12.X IPs to the client side of a remote-access user. Now, let's see the routing table before I VPN into the ASA:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.5 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.5 281
192.168.0.5 255.255.255.255 On-link 192.168.0.5 281
192.168.0.255 255.255.255.255 On-link 192.168.0.5 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.5 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.5 281
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.15.1.1 Default
===========================================================================
IPv6 Route Table
===========================================================================
Notice it's nothing special. Just what I have on my laptop when all is normal. Now, let's VPN into the ASA. The one where you see the ACLs above. Notice below, once I VPN'd in, the routes that were not in the table above are what got added to my routing table. The one I want you to notice though is the extra default route that was added. Now I have two default routes: the one that is my own default gateway, and the one that the ASA put on my PC with the ACL named "remote_access".
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.5 25
0.0.0.0 0.0.0.0 10.10.12.1 10.10.12.2 100
10.10.12.0 255.255.255.0 On-link 10.10.12.2 281
10.10.12.2 255.255.255.255 On-link 10.10.12.2 281
10.10.12.255 255.255.255.255 On-link 10.10.12.2 281
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.5 281
192.168.0.1 255.255.255.255 On-link 192.168.0.5 100
192.168.0.5 255.255.255.255 On-link 192.168.0.5 281
192.168.0.5 255.255.255.255 10.10.12.1 10.10.12.2 281
192.168.0.255 255.255.255.255 On-link 192.168.0.5 281
192.168.0.255 255.255.255.255 10.10.12.1 10.10.12.2 281
216.109.3.131 255.255.255.255 192.168.0.1 192.168.0.5 100
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.5 281
224.0.0.0 240.0.0.0 On-link 10.10.12.2 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.5 281
255.255.255.255 255.255.255.255 On-link 10.10.12.2 281
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.15.1.1 Default
===========================================================================
Now, remember, I want to get to the 10.255.16.X network. But you don't see it here, except under the default route (of which I have two). Let me ping the address I want to get to, to verify I can't get to it:
C:\Users\skillen>ping 10.255.16.7
Pinging 10.255.16.7 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.255.16.7:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\skillen>route delete 0.0.0.0 mask 0.0.0.0 10.10.12.1
OK!
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.5 25
10.10.12.0 255.255.255.0 On-link 10.10.12.2 281
10.10.12.2 255.255.255.255 On-link 10.10.12.2 281
10.10.12.255 255.255.255.255 On-link 10.10.12.2 281
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.5 281
192.168.0.1 255.255.255.255 On-link 192.168.0.5 100
192.168.0.5 255.255.255.255 On-link 192.168.0.5 281
192.168.0.5 255.255.255.255 10.10.12.1 10.10.12.2 281
192.168.0.255 255.255.255.255 On-link 192.168.0.5 281
192.168.0.255 255.255.255.255 10.10.12.1 10.10.12.2 281
216.109.3.131 255.255.255.255 192.168.0.1 192.168.0.5 100
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.5 281
224.0.0.0 240.0.0.0 On-link 10.10.12.2 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.5 281
255.255.255.255 255.255.255.255 On-link 10.10.12.2 281
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.15.1.1 Default
===========================================================================
Notice in the above "route print" on the remote-access client, the default route that the ASA put in is gone. I took it out with the route delete command in a DOS prompt. I'm still connected to the ASA via the Cisco VPN client, though.
Now, let's add our own route in a DOS prompt on the remote-access client. We are going to add in the 10.255.16.X network, so that we can get across the VPN to the destination I really want to get to. The gateway for that route will be the IP address of the ASA (10.10.12.1).
C:\Users\skillen>route add 10.255.16.0 mask 255.255.255.0 10.10.12.1
OK!
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.5 25
10.10.12.0 255.255.255.0 On-link 10.10.12.2 281
10.10.12.2 255.255.255.255 On-link 10.10.12.2 281
10.10.12.255 255.255.255.255 On-link 10.10.12.2 281
10.255.16.0 255.255.255.0 10.10.12.1 10.10.12.2 26
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.5 281
192.168.0.1 255.255.255.255 On-link 192.168.0.5 100
192.168.0.5 255.255.255.255 On-link 192.168.0.5 281
192.168.0.5 255.255.255.255 10.10.12.1 10.10.12.2 281
192.168.0.255 255.255.255.255 On-link 192.168.0.5 281
192.168.0.255 255.255.255.255 10.10.12.1 10.10.12.2 281
216.109.3.131 255.255.255.255 192.168.0.1 192.168.0.5 100
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.5 281
224.0.0.0 240.0.0.0 On-link 10.10.12.2 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.5 281
255.255.255.255 255.255.255.255 On-link 10.10.12.2 281
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.15.1.1 Default
===========================================================================
Notice above the new route on my laptop for the 10.255.16.X network. It's in place and pointed to the ASA. Keep in mind, what I just put in does still fall under the "remote_access" ACL (meaning the source of "10.255.16.X" is covered under "any"). Now, let's ping that IP address of 10.255.16.7.
C:\Users\skillen>ping 10.255.16.7
Pinging 10.255.16.7 with 32 bytes of data:
Reply from 10.255.16.7: bytes=32 time=57ms TTL=63
Reply from 10.255.16.7: bytes=32 time=98ms TTL=63
Reply from 10.255.16.7: bytes=32 time=56ms TTL=63
Reply from 10.255.16.7: bytes=32 time=51ms TTL=63
Ping statistics for 10.255.16.7:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 51ms, Maximum = 98ms, Average = 65ms
Now we are in good shape. You can do this route modification on your laptop as long as the destination falls under the same range as the source in the encryption ACL. It's rare that you will ever want to modify this. However, I have, in times past, needed to do so to get to what I wanted to. Thankfully, you do still have some control.
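To make the route selection above concrete, here is an added Python model (not from the post) of how the client picks a next hop: longest prefix wins, and among equal prefixes the lowest metric wins. The route rows are copied from the "route print" output in the post (only the rows that matter for 10.255.16.7), and the delete/add helpers mirror the two DOS commands used above.

```python
import ipaddress

# "route print" rows copied from the post, captured right after the Cisco VPN
# client connected: note the two 0.0.0.0/0 entries with metrics 25 and 100.
ROUTES_AFTER_VPN = """\
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.5 25
0.0.0.0 0.0.0.0 10.10.12.1 10.10.12.2 100
10.10.12.0 255.255.255.0 On-link 10.10.12.2 281
192.168.0.0 255.255.255.0 On-link 192.168.0.5 281
"""

def parse_routes(text):
    """Turn 'Network Netmask Gateway Interface Metric' rows into tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers, separators and blank lines
        net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        routes.append((net, parts[2], parts[3], int(parts[4])))
    return routes

def select_route(routes, dest):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    dest = ipaddress.ip_address(dest)
    matches = [r for r in routes if dest in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))

def next_hop(routes, dest):
    """(gateway, interface) the host would use for dest, or None."""
    r = select_route(routes, dest)
    return None if r is None else (r[1], r[2])

def delete_route(routes, network, netmask, gateway):
    """Same effect as 'route delete <network> mask <netmask> <gateway>'."""
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    return [r for r in routes if not (r[0] == net and r[1] == gateway)]

def add_route(routes, network, netmask, gateway, interface, metric):
    """Same effect as 'route add <network> mask <netmask> <gateway>'."""
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    return routes + [(net, gateway, interface, metric)]
```

With both default routes present, 10.255.16.7 is sent to 192.168.0.1 (metric 25 beats 100), which is why the first ping times out; once the 10.255.16.0/24 route via 10.10.12.1 is added, its longer prefix wins regardless of any default route.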
Nice!! Excellent post Shane...I like digging into the internals of various network technologies. And who would have figured that there is still a need for the good old DOS command prompt!!