cschlecht

Cisco VPN Gateway wrong

Hello

I have a problem with my Cisco ASA 5505. I can connect over VPN, but I receive a wrong gateway. My internal network is 192.168.1.x but my gateway is not 192.168.1.1, but I always receive this over the IP pool from the ASA. I never configured this IP. I see a static routing entry which matches the subnet, but there is no gateway entered and I couldn't change the settings. If I try to add a new route, I get the error message that this route exists.

Can you help me please?

Thanks a lot!

Cy

Url: https://administrator.de/contentid/101778

Member: aqui
aqui 13.11.2008 at 18:55:56
That depends on your configuration, whether the ASA is providing the DHCP addresses or an external DHCP server.
Following your above description, the ASA is sending the DHCP address for the client in your scenario.
So the easiest way is to edit the config of the ASA and change the gateway setting there.
Usually with VPNs the default gateway is the ASA itself. That's logical because, in case you use a Cisco VPN client, it reroutes all data traffic to the ASA while you're logged in. Cisco's client does not allow routing only the VPN traffic.
In case you have a subnet behind the ASA then the ASA needs a static or dynamic route to reach this subnet.
Maybe it helps when you post an excerpt from the ASA config here with your DHCP pool address config.
Member: cschlecht
cschlecht 13.11.2008 at 19:11:12
Result of the command: "show running-config"

Saved

ASA Version 7.2(3)
!
hostname XXX
domain-name XXX
enable password XXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.x.x 255.255.x.x
!
interface Vlan2
nameif outside
security-level 0
ip address 10.1.x.x 255.255.x.x
!
interface Vlan3
nameif dmz
security-level 50
ip address 56.10.x.x 255.255.x.x
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXX encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name XXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.x.x 255.255.x.x
access-list XXX_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool XXX 192.168.x.x-192.168.x.x mask 255.255.x.x
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 X.X.x.X
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.X.X 255.255.X.X inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.X.X-192.168.X.X inside (router's ip to router's ip)
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy XXX internal
group-policy XXX attributes
wins-server value 192.168.X.X 192.168.X.X
dns-server value 192.168.X.X 192.168.X.X
vpn-tunnel-protocol IPSec
address-pools value XXX
group-policy XXX internal
group-policy XXX attributes
wins-server value 192.168.X.X 192.168.X.X
dns-server value 192.168.X.X 192.168.X.X
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXX_splitTunnelAcl
default-domain value XXX
username XXX password XXX encrypted privilege 0
username XXX attributes
vpn-group-policy ic-vpn
username XXX password XXX encrypted privilege 0
username XXX attributes
vpn-group-policy XXX
username XXX password XXX encrypted privilege 0
username XXX attributes
vpn-group-policy XXX
tunnel-group XXX type ipsec-ra
tunnel-group XXX general-attributes
address-pool XXX
default-group-policy XXX
tunnel-group XXX ipsec-attributes
pre-shared-key *
tunnel-group XXX type ipsec-ra
tunnel-group XXX general-attributes
default-group-policy XXX
dhcp-server 192.168.x.x
tunnel-group XXX ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:15bde427196f61029341c84ec81c7dda
: end

Here is my config...

Thanks!
Member: aqui
aqui 13.11.2008 at 20:10:57
Config looks quite ok. If your VPN is active, can you ping the ASA local Ethernet IP address 192.168.x.x?

What is the output of a route print on your client (if it's Windows?!)

There should be a host route to the ASA interface, which is an IP address of the IP pool XXX.
This address, the VLAN 1 address and addresses on VLAN 1 should be pingable from the client!
Member: cschlecht
cschlecht 13.11.2008 at 20:22:14
No, if I am connected, I could not ping the ASA and I have no route to the ASA.

Why is there no route to the ASA?

I get an IP in the VPN range, subnet is ok (255.255.255.0), gateway points to 192.168.1.1, but this is not the ASA; on this IP there is no device. DNS and WINS are correct.

I am working at home with the IP range 192.168.1.x and in the company also. Is this the problem? Here at home I have the gateway 192.168.1.1.

Strange...

Thanks for your help.

Cy
Member: aqui
aqui 13.11.2008 at 20:59:13
Ahhh...here we are! Yep, that's the problem!! Typical VPN IP design error...so don't worry ;-)

You now have 2 identical IP networks and routing is impossible in such a scenario, because nobody knows into which of your two 192.168.1.0 networks packets should go!

That is very often the drawback of using this dumb (sorry..) 192.168.x.x IP numbering scheme.
RFC 1918 gives us a lot more possibilities:
http://en.wikipedia.org/wiki/Private_network

So if you set the network where you're in to 172.16.1.0 /24, you should be safe and things should come to work.
If you like to stick with the 192.168. networks, just choose a 3rd byte which is not used on the ASA side, like 192.168.199.0 or something similar.
Member: cschlecht
cschlecht 13.11.2008 at 21:03:43
Ok, I will test it; I first have to plan the new addressing model. I think I will change the IPs in the company, because I think every employee has a 192.168.1.x subnet at home, and so it might be better if I change this one. I will test it in the next days and will give you feedback.

Thanks a lot and sorry...

Regards,
Cy
Member: aqui
aqui 14.11.2008 at 11:23:22
Yes right, that is absolutely the right strategy, otherwise you'll always step into the same trap again, because 192.168.1.0 is unfortunately very commonly used IP addressing on consumer devices...
I would suggest using something in the 172.16-32.x.x area or the 10.x.x.x area in the company.
There you are mostly safe in terms of VPNs and their addressing!
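The collision aqui diagnoses in the two replies above (home LAN, ASA inside VLAN and VPN pool all in 192.168.1.0/24) and the RFC 1918 renumbering he recommends can be checked mechanically before touching the ASA. The following script is an added example, not code from the thread or from Cisco: it uses Python's standard `ipaddress` module, stands in constructed sample prefixes for the masked `192.168.x.x` values, finds the overlapping networks, shows why a client route table with two equal prefixes cannot pick a next hop, and then selects the first /24 in 172.16.0.0/12 (falling back to 10.0.0.0/8) that overlaps nothing already in use. The route tables are simplified models of a `route print` output, not a parser for it.

```python
import ipaddress
from itertools import combinations

# Constructed sample values standing in for the masked 192.168.x.x entries
# in the posted config. All three share 192.168.1.0/24, which is the collision
# described in the thread.
NETWORKS = {
    "home LAN (client side)": ipaddress.ip_network("192.168.1.0/24"),
    "ASA inside VLAN 1": ipaddress.ip_network("192.168.1.0/24"),
    "VPN address pool": ipaddress.ip_network("192.168.1.0/24"),
}

# Simplified client route table while the tunnel is up (constructed):
# the home Wi-Fi adapter and the VPN adapter both claim 192.168.1.0/24.
AMBIGUOUS_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "home router 192.168.1.1"),
    (ipaddress.ip_network("192.168.1.0/24"), "VPN tunnel"),
]

# The same table after renumbering the company side as aqui suggests:
# inside VLAN -> 172.16.1.0/24, VPN pool -> 172.16.2.0/24 (constructed).
FIXED_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "home router 192.168.1.1"),
    (ipaddress.ip_network("172.16.1.0/24"), "VPN tunnel"),
    (ipaddress.ip_network("172.16.2.0/24"), "VPN tunnel"),
]


def overlapping_pairs(networks):
    """Return the names of every pair of networks that share address space."""
    return [
        (name_a, name_b)
        for (name_a, net_a), (name_b, net_b) in combinations(networks.items(), 2)
        if net_a.overlaps(net_b)
    ]


def matching_routes(routes, dst):
    """Longest-prefix match over a (network, next hop) list.

    Returns every route that ties for the longest matching prefix. More than
    one result means the host has no way to decide which interface the packet
    should leave on, which is exactly the symptom in the thread.
    """
    dst = ipaddress.ip_address(dst)
    hits = [(net, hop) for net, hop in routes if dst in net]
    if not hits:
        return []
    best = max(net.prefixlen for net, _ in hits)
    return [(net, hop) for net, hop in hits if net.prefixlen == best]


def pick_free_subnet(in_use, prefixlen=24):
    """Pick the first /24 in 172.16.0.0/12, then 10.0.0.0/8, that overlaps
    nothing in `in_use`. Returns None if both RFC 1918 blocks are exhausted."""
    in_use = list(in_use)
    for block in (ipaddress.ip_network("172.16.0.0/12"), ipaddress.ip_network("10.0.0.0/8")):
        for candidate in block.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(n) for n in in_use):
                return candidate
    return None


if __name__ == "__main__":
    for a, b in overlapping_pairs(NETWORKS):
        print(f"overlap: {a} <-> {b}")
    print("before renumbering, 192.168.1.20 matches:",
          [hop for _, hop in matching_routes(AMBIGUOUS_ROUTES, "192.168.1.20")])
    print("after renumbering, 172.16.1.20 matches:",
          [hop for _, hop in matching_routes(FIXED_ROUTES, "172.16.1.20")])
    print("first free company /24:", pick_free_subnet(NETWORKS.values()))
```

Run it as-is to see the three pairwise overlaps, the two-way tie for any 192.168.1.x destination, and the single VPN route once the company side moves to 172.16.x.0/24. Feeding `pick_free_subnet` the list of networks your employees' home routers actually use keeps the new company range out of the same trap.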
Member: cschlecht
cschlecht 14.11.2008 at 11:46:06
Thanks!

I read the wiki about the addressing ranges.

I will test it next week.

I first have to reconfigure the ASA, my domain controller, dns, dhcp, etc. :s

Regards,
Cy