Dieser Beitrag ist schon älter. Bitte vergewissern Sie sich, dass die Rahmenbedingungen oder der enthaltene Lösungsvorschlag noch dem aktuellen Stand der Technik entspricht.

Cisco VPN Gateway wrong

Mitglied: cschlecht
Hello

I have a problem with my Cisco ASA 5505. I can connect over VPN, but i receive a wrong gateway. My internal network is 192.168.1.x but my gateway is not 192.168.1.1, but i always receive this over the ip-pool from the ASA. I never configured this ip. I see a static routing entry, which mathes to the subnet, but there is no gateway entered and I couldn't change the settings. If I try to add a new route, i get the error message, that this route exists.

Can you help me please?

Thanks a lot!

Cy

Content-Key: 101778

Url: https://administrator.de/contentid/101778

Ausgedruckt am: 27.11.2021 um 06:11 Uhr

Mitglied: aqui
aqui 13.11.2008 um 18:55:56 Uhr
Goto Top
That depends on your configuration if the ASA is provding the DHCP addresses or an external DHCP server.
Following your above description then the ASA is sending the DHCP address for the client in your scenario.
So the easiest way is to edit the config of the ASA and change the gateway setting there.
Usually using VPNs the default gateway is the ASA itself. Thats logical because in case you use a Cisco VPN client he reroutes all data traffic to the ASA in case you're logged in. Ciscos client does not allow to route just only the VPN traffic.
In case you have a subnet behind the ASA then the ASA needs a static or dynamic route to reach this subnet.
Maybe it helps when you post an excerpt from the ASA config here with your DHCP pool address config.
Mitglied: cschlecht
cschlecht 13.11.2008 um 19:11:12 Uhr
Goto Top
Result of the command: "show running-config"

Saved
ASA Version 7.2(3)
!
hostname XXX
domain-name XXX
enable password XXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.x.x 255.255.x.x
!
interface Vlan2
nameif outside
security-level 0
ip address 10.1.x.x 255.255.x.x
!
interface Vlan3
nameif dmz
security-level 50
ip address 56.10.x.x 255.255.x.x
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXX encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name XXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.x.x 255.255.x.x
access-list XXX_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool XXX 192.168.x.x-192.168.x.x mask 255.255.x.x
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 X.X.x.X
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.X.X 255.255.X.X inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.X.X-192.168.X.X inside (router's ip to router's ip)
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy XXX internal
group-policy XXX attributes
wins-server value 192.168.X.X 192.168.X.X
dns-server value 192.168.X.X 192.168.X.X
vpn-tunnel-protocol IPSec
address-pools value XXX
group-policy XXX internal
group-policy XXX attributes
wins-server value 192.168.X.X 192.168.X.X
dns-server value 192.168.X.X 192.168.X.X
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXX_splitTunnelAcl
default-domain value XXX
username XXX password XXX encrypted privilege 0
username XXX attributes
vpn-group-policy ic-vpn
username XXX password XXX encrypted privilege 0
username XXX attributes
vpn-group-policy XXX
username XXX password XXX encrypted privilege 0
username XXX attributes
vpn-group-policy XXX
tunnel-group XXX type ipsec-ra
tunnel-group XXX general-attributes
address-pool XXX
default-group-policy XXX
tunnel-group XXX ipsec-attributes
pre-shared-key *
tunnel-group XXX type ipsec-ra
tunnel-group XXX general-attributes
default-group-policy XXX
dhcp-server 192.168.x.x
tunnel-group XXX ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:15bde427196f61029341c84ec81c7dda
: end

Here is my config...

Thanks!
Mitglied: aqui
aqui 13.11.2008 um 20:10:57 Uhr
Goto Top
Config looks quite ok. If your VPN is active can you ping the ASA local ethernet ip address 192.168.x.x ?

What is the output of a route print on your Client (if its windows ?!)

There should be a hostroute to the ASA Interface which is an ip address of the IP pool XXX.
This address and the vlan 1 address and addresses on vlan1 should be pingable from the client !
Mitglied: cschlecht
cschlecht 13.11.2008 um 20:22:14 Uhr
Goto Top
no, if I am connected, i could not ping the ASA and i have no route to the ASA.

why is there no route to the ASA?

I get an IP in the range of the VPN-range, subnet is ok (255.255.255.0), gateway points to 192.168.1.1, but this is not the ASA, on this IP, there is no device. DNS and WINS are correct.

I am working at home with the IP-range 192.168.1.x and in the company also, is this the problem? Here at home, i have the gatewas 192.168.1.1.

Strange...

Thanks for your help.

Cy
Mitglied: aqui
aqui 13.11.2008 um 20:59:13 Uhr
Goto Top
Ahhh...here we are ! Yepp, thats the problem !! Typical VPN ip design error...so don't worry ;-) face-wink

You now have 2 identical ip networks and routing is impossible in such a scenario cause nobody knows in which of your two 192.168.1.0 networks packets should go !

That is very often the drawback using these dumb (sorry..) 192.168.x.x ip numbering scheme.
RFC 1918 brings us a lot of more possibilities:
http://en.wikipedia.org/wiki/Private_network

So if you set your network were you're in to 172.16.1.0 /24 you should be safe and things should come to work.
If you like to stick with the 192.168. networks just choose a 3rd byte which is not used on the ASA site like 192.168.199.0 or something similar.
Mitglied: cschlecht
cschlecht 13.11.2008 um 21:03:43 Uhr
Goto Top
Ok, I will test it, i first have to plan the new addressing model. I think I will change the IPs in the company, cause i think, every employee has a 192.168.1.x subnet at home, and so it might be better, if I change this one. I will test it in the next days and will give you a feedback.

Thanks a lot and sorry...

Regards,
Cy
Mitglied: aqui
aqui 14.11.2008 um 11:23:22 Uhr
Goto Top
Yes right, that is absolutely the right strategy otherwise you'll step always again in the same trap cause 192.168.1.0 is a very common used IP adressing on consumer devices unfortunately...
I would suggest using something in the 172.16-32.x.x area or the 10.x.x.x area in the company.
There you are mostly safe in terms of VPNs and their addressing !
Mitglied: cschlecht
cschlecht 14.11.2008 um 11:46:06 Uhr
Goto Top
Thanks!

I read the wiki about the addressing ranges.

I will test it next week.

I first have to reconfigure the ASA, my domain controller, dns, dhcp, etc. :s

Regards,
Cy
Heiß diskutierte Beiträge
question
Installationsproblem Office 2021 - alle Links öffnen Edge! gelöst SarekHLVor 1 TagFrageMicrosoft Office14 Kommentare

Hallo zusammen, ich habe gerade Office 2021 auf einem Notebook installiert und habe ein seltsames Phänomen! Die Verknüpfungen zu den Office-Programmen führen allesamt zu Edge! ...

question
Umzug von Hyper-V zu VMware und erneute Aktivierung von Windowspianoman82Vor 1 TagFrageWindows Server10 Kommentare

Hallo! Ich habe eine Frage im Hinblick auf Windows-Aktivierung da mir hier aktuell der Ansatz fehlt. Es geht um die Migration von diversen Windows Server ...

question
VPN Tunnel inkonsistent? gelöst NespressoVor 1 TagFrageNetzwerkprotokolle4 Kommentare

Hallo zusammen, das Thema VPN ist bei mir recht neu, doch habe ich es hinbekommen den Windows Server 2016 eigenen VPN dienst zu konfigurieren und ...

question
WSUS Problem mit Office + ExplorerfrenchfriesguyVor 1 TagFrageWindows Update7 Kommentare

Hallo zusammen ich/wir haben folgendes Problem mit einem Teil unseres Windows-Clients (W10E, 20H2) in Verbindung mit den Windows Updates. Die Updates werden über einen WSUS-Server ...

question
Eigener Server für Groupware und Nextcloudjonny-flashVor 1 TagFrageE-Mail5 Kommentare

Hallo zusammen, ich darf für ein kleines Startup temporär die Administration übernehmen, und habe bevor es los geht ein paar Fragen, die ich hier gern ...

question
VPN- 2 Sicherheitsfunktionen gelöst TekamolosVor 1 TagFrageVerschlüsselung & Zertifikate3 Kommentare

Hallo Jungs, beim Lernen habe ich diese Frage bekommen, da es im Internet sehr viel über VPN und viel Text und Protokolle gibt, war ich ...

question
Über das Notebook per Simkarte von unterwegs aus ins Internet?isarc01Vor 19 StundenFrage5G, 4G, LTE, UMTS, EDGE & GPRS8 Kommentare

Hallo, folgende Frage: Wenn ich über mein Notebook über eine angemeldete SIM Karte mit einer Datenflatrate ins Internet gehen möchte, benötige ich hier einen bestimmten ...

question
Mobilfunk-Internet ins Heimnetzwerk integrieren? gelöst AvarianVor 13 StundenFrageNetzwerkmanagement6 Kommentare

Hallo, Ich bin neu hier. Wir sind vorletztes Jahr umgezogen. Die Gelegenheit habe ich damals direkt genutzt, um künftig auf wackelige WLAN-Lösungen (Repeater, Mesh-Repeater, Powerlines ...