1. Re: Cisco VPN Client wrong default gateway
Paul Stewart - CCIE Security May 10, 2009 6:53 AM (in response to Alexander Makarov)
I have run into a similar issue a long time ago. This stuff seems to work better now (or at least I have not run into it in a while). Basically, I have seen issues when there is an IP address overlap between the internal network at the enterprise and the local address of the remote PC. What I can tell you is from memory. I think the network list for the routing table on the PC is built from the split tunnel list. The default gateway depends on whether split tunneling is enabled or not. If not, it should point to the VPN Client network. Otherwise, only routes will point to the VPN Client network. I would not pay much attention to an "ipconfig". What I would do is a "route print" from the command line. Get familiar and play with the following commands:
route print
route add
route delete
When I have had issues where my split-tunnel ACL has a shorter match than a local address, you can push down a host route using a host entry in the split tunnel ACL. You can even disable split tunneling by using a 0.0.0.0 route in a split tunnel ACL and push down a host route. This allows you to manipulate your route table on the Windows clients. Additionally, you can override a VPN client that is configured not to split tunnel by using the route add command. For example, if your company does not permit split tunneling, but you really need to get to site x.x.x.x, you can use the following command.
route add x.x.x.x mask 255.255.255.255 y.y.y.y
where y.y.y.y is your local gateway.
I have done this when consulting for companies and connected to my VPN. With the need to access the x.x.x.x server while connected to my VPN, I just add a route. There is a flag that you have to add if you want it to survive a reboot, though (-p).
By no means is this an answer to your question, but maybe a bit of insight. At least I hope so.
2. Re: Cisco VPN Client wrong default gateway
Alexander Makarov May 10, 2009 8:32 AM (in response to Paul Stewart - CCIE Security)
Thanks for the reply.
But I don't want to implement split tunneling, because our company wants to send all client traffic (Internet traffic as well) through our ASA. The ASA then scans all traffic and permits it to go to the Internet.
If I turn on split tunneling, in my local IP settings I won't see a default gateway. Like this:
Description . . . . . . . . . . . : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.5
192.168.1.6
NetBIOS over Tcpip. . . . . . . . : Enabled
But I want my default gateway to be 192.168.1.10.
3. Re: Cisco VPN Client wrong default gateway
Paul Stewart - CCIE Security May 10, 2009 9:39 AM (in response to Alexander Makarov)
You can implement split tunneling and send down a 0 route as well as some host routes. This doesn't enable split tunneling any more than having it disabled. The misconception everywhere about split tunneling is that it is a decision that is made by the VPNC or the ASA. The settings are pushed down to the client. The PC's route table makes the final determination. If it is not what is expected, it doesn't make it to the VPN client at all and the SA is not applied. There is no way possible that I know of to force a non split tunnel policy down to a PC. It is the IP stack at the PC that makes this decision.
Now in your case, I'm not sure what the issue is. I just wanted to take this opportunity to make sure that it is understood how this works. A route entry has to be in the route table that triggers the traffic to go out the VPN interface. Then there must be a route to the tunnel endpoint. This is from the perspective of the PC.
I agree with your position on split tunneling. However, this is software that is loaded on the PC. If the PC chooses to route it otherwise, it can. In a perfect world, the VPN Client could watch for this. However, there is no way as an administrator to completely prevent split tunneling. I take advantage of this at least once a week to deal with an overlap issue I have between my VPN and a customer's network.
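Paul's point in replies 1 and 3 is that the PC's route table, not the ASA, decides where each packet goes: the longest matching prefix wins, and among equal prefixes the lowest metric wins, which is why a pushed 0.0.0.0 route, the host route to the tunnel endpoint, and a locally added host route all coexist. The Python model below is an added illustration, not code from this thread or from Cisco's client; the interface names, metrics and addresses (documentation ranges) are constructed, and the route_add/route_delete helpers mirror the `route add ... mask ... gateway` and `route delete` commands from reply 1. The last function is the kind of check an endpoint posture script can run over `route print` output to list routes that send traffic around the tunnel while a tunnel default route is active.

```python
import ipaddress

# Constructed, simplified Windows-style IPv4 route table on a VPN-connected PC.
# Entry layout: (destination network, gateway or "on-link", interface, metric).
ROUTE_TABLE = [
    # Pushed by the VPN client when split tunneling is disabled: everything via the tunnel.
    ("0.0.0.0/0", "192.168.1.10", "VPN", 2),
    # The PC's own default route over the physical LAN (higher metric, so it loses ties).
    ("0.0.0.0/0", "10.0.0.1", "LAN", 25),
    # Directly attached LAN subnet.
    ("10.0.0.0/24", "on-link", "LAN", 25),
    # Host route to the VPN headend (constructed address) so tunnel packets
    # themselves leave via the LAN instead of recursing into the tunnel.
    ("203.0.113.5/32", "10.0.0.1", "LAN", 25),
]


def parse(table):
    """Turn the string table into ip_network objects for prefix matching."""
    return [(ipaddress.ip_network(n), gw, ifc, m) for n, gw, ifc, m in table]


def select_route(table, destination):
    """Longest prefix wins; among equal prefix lengths, the lowest metric wins."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in parse(table) if dst in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    net, gw, ifc, metric = best
    return {"network": str(net), "gateway": gw, "interface": ifc, "metric": metric}


def egress_interface(table, destination):
    """Name of the interface a packet to `destination` would leave on (None if unroutable)."""
    route = select_route(table, destination)
    return route["interface"] if route else None


def route_add(table, host, mask, gateway, interface="LAN", metric=1):
    """Model of `route add <host> mask <mask> <gateway>`; returns a new table."""
    net = ipaddress.ip_network(f"{host}/{mask}", strict=False)
    return table + [(str(net), gateway, interface, metric)]


def route_delete(table, host, mask):
    """Model of `route delete <host> mask <mask>`; returns a new table."""
    net = str(ipaddress.ip_network(f"{host}/{mask}", strict=False))
    return [r for r in table if r[0] != net]


def routes_bypassing_tunnel(table, headend_ip, tunnel_ifc="VPN"):
    """List specific (non-default) routes that steer traffic off the tunnel.

    On-link subnets and the /32 to the VPN headend are expected and skipped;
    anything else pointing at a non-tunnel interface is reported, which is the
    condition an endpoint posture check would flag on a no-split-tunnel policy.
    """
    headend = ipaddress.ip_network(f"{headend_ip}/32")
    suspicious = []
    for net, gw, ifc, _metric in parse(table):
        if ifc == tunnel_ifc or net.prefixlen == 0 or gw == "on-link" or net == headend:
            continue
        suspicious.append(str(net))
    return suspicious


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.0.0.50", "203.0.113.5"):
        print(dst, "->", select_route(ROUTE_TABLE, dst))
    # The thread's `route add x.x.x.x mask 255.255.255.255 y.y.y.y` with constructed values.
    modified = route_add(ROUTE_TABLE, "198.51.100.7", "255.255.255.255", "10.0.0.1")
    print("198.51.100.7 ->", select_route(modified, "198.51.100.7"))
    print("routes bypassing tunnel:", routes_bypassing_tunnel(modified, "203.0.113.5"))
```

Because the decision is made entirely by the client's route table, the model also shows why the ASA cannot hand the PC a "default gateway" in the ipconfig sense: what it pushes is a set of routes, and a more specific local entry always outranks the pushed 0.0.0.0 route.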
4. Re: Cisco VPN Client wrong default gateway
Prima Even Ramadhan Aug 25, 2011 3:13 AM (in response to Paul Stewart - CCIE Security)
Hi all,
I am still wondering. So, can we set the default gateway manually from the ASA for the vpn client, or can we not?