This document describes how to configure the Adaptive Security Appliance (ASA) to route the SSL VPN traffic through the tunneled default gateway (TDG). When you create a default route with the tunneled option, all traffic from a tunnel terminating on the ASA that cannot be routed using learned or static routes is sent to this route. For traffic emerging from a tunnel, this route overrides any other configured or learned default routes.
Ensure that you meet these requirements before you attempt this configuration:
ASA that runs on version 8.x
Cisco SSL VPN Client (SVC) 1.x
Note: Download the SSL VPN Client package (sslclient-win*.pkg) from Cisco Software Download (registered customers only) . Copy the SVC to the flash memory on the ASA. The SVC needs to be downloaded to the remote user computers in order to establish the SSL VPN connection with the ASA.
The information in this document is based on these software and hardware versions:
Cisco 5500 Series ASA that runs software version 8.x
Cisco SSL VPN Client version for Windows 184.108.40.206
PC that runs Windows 2000 Professional or Windows XP
Cisco Adaptive Security Device Manager (ASDM) version 6.1(5)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
The SSL VPN Client (SVC) is a VPN tunneling technology that gives remote users the benefits of an IPSec VPN client without the need for network administrators to install and configure IPSec VPN clients on remote computers. The SVC uses the SSL encryption that is already present on the remote computer as well as the WebVPN login and authentication of the Security Appliance.
In the current scenario, there is an SSL VPN client connecting to the internal resources behind the ASA through the SSL VPN tunnel. The split-tunnel is not enabled. When the SSL VPN client is connected to the ASA, all the data will be tunneled. Besides accessing the internal resources, the main criterion is to route this tunneled traffic through the Default Tunneled Gateway (DTG).
You can define a separate default route for tunneled traffic along with the standard default route. Unencrypted traffic received by the ASA, for which there is no static or learned route, is routed through the standard default route. Encrypted traffic received by the ASA, for which there is no static or learned route, will be passed to the DTG defined through the tunneled default route.
In order to define a tunneled default route, use this command:
route <if_name> 0.0.0.0 0.0.0.0 <gateway_ip> tunneled
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
This document uses this network setup:
In this example, the SSL VPN Client accesses the inside network of the ASA through the tunnel. The traffic meant for destinations other than the inside network are also tunneled, as there is no split-tunnel configured, and are routed through the TDG (192.168.100.20).
After the packets are routed to the TDG, which is Router 2 in this case, it performs the address translation to route those packets ahead to the Internet. For more information on configuring a router as an Internet Gateway, refer to How to Configure a Cisco Router Behind a Non-Cisco Cable Modem.
This document assumes the basic configurations, such as interface configuration, are complete and work properly.
Note: Refer to Allowing HTTPS Access for ASDM for information on how to allow the ASA to be configured by the ASDM.
Note: WebVPN and ASDM cannot be enabled on the same ASA interface unless you change the port numbers. Refer to ASDM and WebVPN Enabled on the Same Interface of ASA for more information.
Complete these steps in order to configure the SSL VPN by using the SSL VPN Wizard.
From the Wizards menu, choose SSL VPN Wizard.
Click the Cisco SSL VPN Client check box, and click Next.
Enter a name for the connection in the Connection Name field, and then choose the interface that is being used by the user to access the SSL VPN from the SSL VPN Interface drop-down list.
Choose an authentication mode, and click Next. (This example uses local authentication.)
Create a new group policy other than the existing default group policy.
Create a new pool of addresses which will be assigned to the SSL VPN client PCs once they get connected.
A pool of range 192.168.10.40-192.168.10.50 has been created by name newpool.
Click Browse in order to choose and upload the SSL VPN Client image to the flash memory of the ASA.
Click Upload in order to set the file path from the local directory of the machine.
Click Browse Local Files in order to select the directory where the sslclient.pkg file exists.
Click Upload File in order to upload the selected file to the flash of ASA.
Once the file is uploaded on to the flash of ASA, click OK to complete that task.
Now it shows the latest anyconnect pkg file uploaded on to the flash of ASA. Click Next.
The summary of the SSL VPN client configuration is shown. Click Finish to complete the wizard.
The configuration shown in ASDM mainly pertains to the SSL VPN client Wizard configuration.
In the CLI, you can observe some additional configuration. The complete CLI configuration is shown below and important commands have been highlighted.
ASA Version 8.0(4)
enable password 8Ry2YjIyt7RRXU24 encrypted
ip address 220.127.116.11 255.255.255.224
ip address 192.168.100.2 255.255.255.0
ip address 10.1.1.1 255.255.255.0
no ip address
no ip address
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
!--- ACL to define the traffic to be exempted from NAT.
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu manage 1500
!--- Creating IP address block to be assigned for the VPN clients
ip local pool newpool 192.168.10.40-192.168.10.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
!--- The traffic permitted in "nonat" ACL is exempted from NAT.
nat (inside) 1 192.168.100.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 18.104.22.168 1
!--- Default route is configured through "inside" interface for normal traffic.
route inside 0.0.0.0 0.0.0.0 192.168.100.20 tunneled
!--- Tunneled Default route is configured through "inside" interface for encrypted traffic
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
!--- Configuring the ASA as HTTP server.
http 10.1.1.0 255.255.255.0 manage
!--- Configuring the network to be allowed for ASDM access.
!--- Output is suppressed
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection statistics access-list
policy-map type inspect dns preset_dns_map
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
!--- Output suppressed
!--- Enable WebVPN on the outside interface
svc image disk0:/sslclient-win-22.214.171.124.pkg 1
!--- Assign the AnyConnect SSL VPN Client image to be used
!--- Enable the ASA to download SVC images to remote computers
group-policy grppolicy internal
!--- Create an internal group policy "grppolicy"
group-policy grppolicy attributes
!--- Specify SSL as a permitted VPN tunneling protocol
username cisco password ffIRPGpDSOJh9YLq encrypted privilege 15
!--- Create a user account "cisco"
tunnel-group Test type remote-access
!--- Create a tunnel group "Test" with type as remote access
tunnel-group Test general-attributes
!--- Associate the address pool vpnpool created
!--- Associate the group policy "clientgroup" created
prompt hostname context
The commands given in this section can be used to verify this configuration.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
There is currently no specific troubleshooting information available for this configuration.