VPN Client and no Default Gateway.....

Discussion in 'Cisco' started by TimParker, Jan 23, 2009.

  1. TimParker

    TimParker Guest

    I am working on setting up a remote VPN Client on my laptop to test
    connecting to our ASA5505. I get an IP, DNS servers, Wins, etc. But, I
    don't get a default gateway.....I can't seem to find where to
    configure this either through the command line or through ASDM. Can
    anyone enlighten me?
     
    TimParker, Jan 23, 2009
    #1

  2. TimParker

    Darren Green Guest

    Hi Tim,

    I am a bit rusty on the old ASA front but I can't remember setting this
    feature myself either.

    When testing my VPN client to our VPN Concentrator I see that the VPN
    Head End has assigned me an IP address of 192.168.1.200 and my default
    gateway is the same. I acknowledge that this is not to an ASA but I
    would suspect the result will be the same.

    What are you trying to do?

    I assume you have enabled features like split tunneling so that when the
    client authenticates to the ASA it knows which subnets to route across
    the VPN. Right click on the VPN padlock and select statistics and then
    route details. You will see what networks are secured. If this is
    0.0.0.0 then all remote traffic is going to be tunneled, alternatively
    you may have specific subnet addresses.

    Regards

    Darren
     
    Darren Green, Jan 24, 2009
    #2

  3. TimParker

    TimParker Guest

    Thanks for the reply Darren.

    I am just trying to test and get configured access for my remote users
    to start getting them off our old Watchguard equipment and onto the ASA
    for VPN connections. I am actually writing this from my laptop with
    Windows 7, the Cisco 5.0.02 client and I just reconnected.

    Here is the pertinent output from IPCONFIG /ALL

    Ethernet adapter Local Area Connection 2:

    Connection-specific DNS Suffix . : mops-ohio.local
    Description . . . . . . . . . . . : Cisco Systems VPN Adapter
    Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::b527:5172:789b:b0a4%17(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.16.95(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :
    DHCPv6 IAID . . . . . . . . . . . : 436209050
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-11-02-E8-25-00-11-43-42-0B-DD
    DNS Servers . . . . . . . . . . . : 192.168.16.3
                                        192.168.16.6
    Primary WINS Server . . . . . . . : 192.168.16.3
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Our setup in the office is 192.168.16.x for the internal LAN. I picked
    out a range of IPs that are not in use for my remote VPN users to use:
    192.168.16.95-99 (for my initial testing). I get my IP, DNS, WINS. But
    notice that I don't have a gateway on this interface. Is this me just
    not understanding the concepts for the VPN connections?

    When I did what you mentioned and looked at statistics, it shows that
    192.168.16.x will be going across the VPN. At this time I don't have
    the local LAN option selected. I am starting to wonder if this is just
    me not fully understanding the concept or seeing what I think I should
    see....
     
    TimParker, Jan 25, 2009
    #3
  4. TimParker

    Darren Green Guest

    Hi Tim,

    It looks OK to me, just wish I had an ASA to check it out on but
    unfortunately I don't.

    The VPN config wizard should take you through all the relevant settings
    if you use the GUI. As long as you define a split tunnel ACL and make
    sure that you have No-Nat set up back to your local pool that should be
    OK. Of course this is in addition to IPSEC Phase 1 and 2 parameters.
    There will be a menu option where you can view all the commands that the
    ASA will write to the config before actually applying them. It's a good
    way to look at the syntax and study how things are constructed.

    In respect of the VPN pool this would be OK. I normally pick something
    different and add a route to it on a router pointing back at the Firewall.

    I believe there is a check box to allow local lan access, you refer to
    this so I assume you have already enabled it.

    Good luck

    Regards

    Darren
     
    Darren Green, Jan 25, 2009
    #4
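The pieces listed in post #4 (address pool, split tunnel ACL, No-NAT rule) written out as ASA configuration. This is an added example, not a config posted in the thread; it assumes the pre-8.3 NAT syntax current at the time, and the object names and the 192.168.50.0/24 pool are placeholders.

```cisco
! Added example. VPN-POOL, SPLIT-TUNNEL, NONAT and REMOTE-USERS are hypothetical
! names and 192.168.50.0/24 is a constructed pool range; 192.168.16.0/24 and the
! DNS/WINS/domain values are the ones shown in the thread.
! IPsec Phase 1/2 settings and the group pre-shared key are not shown.

! Hand out client addresses from a range outside the inside LAN
ip local pool VPN-POOL 192.168.50.10-192.168.50.50 mask 255.255.255.0

! Split tunnel list: the networks the client routes through the tunnel
access-list SPLIT-TUNNEL standard permit 192.168.16.0 255.255.255.0

! No-NAT: exempt inside LAN to VPN pool traffic from translation (pre-8.3 syntax)
access-list NONAT extended permit ip 192.168.16.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

group-policy REMOTE-USERS internal
group-policy REMOTE-USERS attributes
 dns-server value 192.168.16.3 192.168.16.6
 wins-server value 192.168.16.3
 default-domain value mops-ohio.local
 ! tunnelspecified: only the SPLIT-TUNNEL networks are secured.
 ! The default, tunnelall, secures 0.0.0.0 (all client traffic is tunneled).
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! 7.x releases use "type ipsec-ra" instead of "type remote-access"
tunnel-group REMOTE-USERS type remote-access
tunnel-group REMOTE-USERS general-attributes
 address-pool VPN-POOL
 default-group-policy REMOTE-USERS
```

With a policy like this, the client's Statistics > Route Details view should list 192.168.16.0 as the secured route instead of 0.0.0.0.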
  5. TimParker

    TimParker Guest

    Darren (or others)

    Can you recommend any good books or sites, whitepapers, etc. for
    working with VPN and rules, best practices, etc.? This is my first
    attempt at VPNs with Cisco. I have been going through the Cisco site
    and have printed out quite a few docs on different things. I think I am
    to the point where I need to get some rules in place to allow me
    remotely to try working with some of our internal machines.

    I want to make sure I set everything up so that I don't put myself
    into a corner down the road. I currently just have an object created
    for myself and am allowing some specific ports to the ASA to allow me
    to connect. Now I need to get to specifics. Do I just use that object
    as my source then on the different interface (inside) and create
    objects for what I need to get to?
     
    TimParker, Jan 26, 2009
    #5
  6. TimParker

    Darren Green Guest

    Hi Tim,

    When I did my VPN Cisco stuff ages ago I purchased a book by Richard Deal
    (The Complete Cisco VPN Configuration Guide). I read it end to end and
    it was very good. It's been updated since but the ISBN on the copy I
    have is 1-58705-204-0.

    It may be worthwhile posting a sanitized config to the newsgroup for
    your ASA. Someone will likely comment on any errors in your config.

    In your post above if you are referring to object groups, I used exactly
    that to create them for access into my networks + access into Firewalls
    / ASAs for different ports. This isn't the only use for object groups
    though, you can use them for all sorts of reasons including connectivity
    to / from the firewall, VPNs etc. (NB Of course you can always access
    the firewall directly by SSH - see below)

    http://www.cisco.com/en/US/products...s_configuration_example09186a008069bf1b.shtml

    Regards

    Darren
     
    Darren Green, Jan 27, 2009
    #6
