4 Replies Latest reply: Aug 25, 2011 3:13 AM by Prima Even Ramadhan

    Cisco VPN Client wrong default gateway

    Alexander Makarov

      Good Day!


      I am connecting to my ASA5520 from a client with Cisco VPN Client.

      I can connect no problem, and get assigned an address, but get assigned a default gateway ?? (where is it coming from?)
      My inside IP address - and it seems to be the default gateway for VPN users. How can I change the default gateway that is assigned to my VPN users?

      When I do an ipconfig /all, the Cisco VPN adapter says the following:


      DHCP Enabled........... : No
      IP Address................ :
      Subnet Mask............. :
      Default Gateway...... :  (But I need

      Any help would be greatly appreciated.

        • 1. Re: Cisco VPN Client wrong default gateway
          Paul Stewart  -  CCIE Security

          I have run into a similar issue a long time ago.  This stuff seems to work better now (or at least I have not run into it in a while).  Basically, I have seen issues when there is an IP address overlap between the internal network at the enterprise and the local address of the remote PC.  What I can tell you is from memory.  I think the network list for the routing table on the PC is built from the split tunnel list.  The default gateway depends on whether split tunneling is enabled or not.  If not, it should point to the VPN Client network.  Otherwise, only routes will point to the VPN Client network.  I would not pay much attention to an "ipconfig".  What I would do is a "route print" from the command line.  Get familiar and play with the following commands:


          route print

          route add

          route delete


          When I have had issues where my split-tunnel ACL has a shorter match than a local address, you can push down a host route using a host entry in the split tunnel ACL.  You can even disable split tunneling by using a route in a split tunnel ACL and push down a host route.  This allows you to manipulate your route table in the Windows clients.  Additionally, you can override a VPN client that is configured not to split tunnel by using the route add command.  For example, if your company does not permit split tunneling, but you really need to get to site x.x.x.x, you can use the following command.


          route add x.x.x.x mask 255.255.255.255 y.y.y.y

          where y.y.y.y is your local gateway.


          I have done this when consulting for companies and connected to my VPN.  With the need to access the x.x.x.x server while connected to my VPN, I just add a route.  There is a flag that you have to add if you want it to survive a reboot though (-p).


          By no means is this an answer to your question, but maybe a bit of insight.  At least I hope so.

          • 2. Re: Cisco VPN Client wrong default gateway
            Alexander Makarov

            Thanks for reply.

            But I don't want to implement split tunneling, because our company wants to send all client traffic (Internet traffic also) through our ASA. Then the ASA scans all traffic and permits it to go to the Internet.

            If I turn on split tunneling, I won't see a default gateway in my local IP settings. Like this:


               Description . . . . . . . . . . . : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
               DHCP Enabled. . . . . . . . . . . : No
               Autoconfiguration Enabled . . . . : Yes
               IPv4 Address. . . . . . . . . . . :
               Subnet Mask . . . . . . . . . . . :
               Default Gateway . . . . . . . . . :
               DNS Servers . . . . . . . . . . . :
               NetBIOS over Tcpip. . . . . . . . : Enabled


            But I want my default gateway to be -

            • 3. Re: Cisco VPN Client wrong default gateway
              Paul Stewart  -  CCIE Security

              You can implement split tunneling and send down a 0 route as well as some host routes.   This doesn't enable split tunneling any more than having it disabled.  The misconception everywhere about split tunneling is that it is a decision that is made by the VPNC or the ASA.  The settings are pushed down to the client.  The PC's route table makes the final determination.  If it is not what is expected, it doesn't make it to the VPN client at all and the SA is not applied.  There is no way possible that I know of to force a non split tunnel policy down to a PC.  It is the IP stack at the PC that makes this decision.


              Now in your case, I'm not sure what the issue is.  I just wanted to take this opportunity to make sure that it is understood how this works.  A route entry has to be in the route table that triggers the traffic to go out the VPN interface.  Then there must be a route to the tunnel endpoint.  This is from the perspective of the PC.


              I agree with your position on split tunneling.  However, this is software that is loaded on the PC.  If the PC chooses to route it otherwise, it can.  In a perfect world, the VPN Client could watch for this.  However, there is no way as an administrator to completely prevent split tunneling.  I take advantage of this at least once a week to deal with an overlap issue I have with my VPN and a customer's network.
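The routing decision described in replies 1 and 3 (the PC's own table decides: longest prefix match first, then metric, and a separate route must exist to reach the tunnel endpoint) can be reproduced offline. The following Python is an added example for this thread, not Cisco's code or any poster's. It parses a constructed IPv4 section of a Windows `route print` (RFC 5737 documentation addresses, not a real capture: LAN 192.0.2.0/24, VPN pool 198.51.100.0/24, ASA outside 203.0.113.5), resolves destinations the way the IP stack does, and lists the host routes that would carry traffic around a full tunnel, which is what an administrator auditing a no-split-tunnel policy on a client would want to see.

```python
"""Resolve destinations against a Windows 'route print' IPv4 table.

Added example for this thread; not Cisco's or any poster's code. The
route table below is constructed (RFC 5737 documentation addresses) to
resemble a full-tunnel Cisco VPN Client session: the client has pushed a
0.0.0.0/0 route with metric 1 via the VPN adapter, the LAN default route
remains with a worse metric, a /32 to the ASA outside address keeps the
tunnel itself reachable, and one manually added /32 (the "route add"
trick from reply 1) points at the local gateway.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample output, not a real capture.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        192.0.2.1     192.0.2.50     25
          0.0.0.0          0.0.0.0     198.51.100.1   198.51.100.7      1
        127.0.0.0        255.0.0.0          On-link      127.0.0.1    306
        192.0.2.0    255.255.255.0          On-link     192.0.2.50    281
     198.51.100.0    255.255.255.0          On-link   198.51.100.7    257
      203.0.113.5  255.255.255.255        192.0.2.1     192.0.2.50     25
     203.0.113.77  255.255.255.255        192.0.2.1     192.0.2.50     26
===========================================================================
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str                       # next hop, or "On-link" if directly connected
    interface: ipaddress.IPv4Address   # local adapter address the route uses
    metric: int


def parse_route_print(text: str) -> list[Route]:
    """Keep only the five-column data rows; headers and rulers are skipped."""
    routes: list[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gateway, iface, metric = fields
        try:
            network = ipaddress.IPv4Network((dest, mask), strict=False)
            interface = ipaddress.IPv4Address(iface)
            metric_val = int(metric)
        except ValueError:
            continue  # not a route row
        routes.append(Route(network, gateway, interface, metric_val))
    return routes


def lookup(routes: list[Route], ip: str) -> Route | None:
    """Select the route the IP stack would use: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(ip)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def egress(routes: list[Route], ip: str) -> str | None:
    """Return the local interface address traffic to `ip` would leave from."""
    route = lookup(routes, ip)
    return None if route is None else str(route.interface)


def tunnel_bypasses(routes: list[Route], vpn_iface: str, tunnel_endpoint: str) -> list[Route]:
    """Routes more specific than the default that send traffic past the VPN adapter.

    Directly connected (On-link) subnets and the /32 to the tunnel endpoint are
    expected and excluded; anything left is a destination the full tunnel does
    not actually cover on this PC.
    """
    vpn = ipaddress.IPv4Address(vpn_iface)
    endpoint_net = ipaddress.IPv4Network(f"{tunnel_endpoint}/32")
    return [
        r for r in routes
        if r.network.prefixlen > 0
        and r.gateway != "On-link"
        and r.interface != vpn
        and r.network != endpoint_net
    ]


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    for dest in ("8.8.8.8", "203.0.113.5", "203.0.113.77", "192.0.2.20"):
        print(f"{dest:>14} -> via {egress(table, dest)}")
    for r in tunnel_bypasses(table, "198.51.100.7", "203.0.113.5"):
        print(f"bypasses tunnel: {r.network} via {r.gateway} (metric {r.metric})")
```

Running it shows that ordinary Internet traffic (8.8.8.8) leaves through the VPN adapter because the client's 0.0.0.0/0 has the better metric, that the tunnel endpoint itself must still be reached through the LAN gateway, and that the manually added /32 wins on prefix length regardless of metric, which is exactly why the ASA-side setting alone cannot guarantee a full tunnel.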

              • 4. Re: Cisco VPN Client wrong default gateway
                Prima Even Ramadhan

                Hi all,


                I am still wondering. So, can we set the default gateway manually from the ASA for the VPN client, or can we not?