Cisco ASA 5512-X Adaptive Security Appliance - No Payload Encryption Troubleshooting Guide

After these commands are implemented, the ASA routing table looks similar to this when the user is connected:
ASA# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 198.51.100.1 to network 0.0.0.0
S    10.255.0.100 255.255.255.255 [1/0] via 198.51.100.1, outside
S    10.0.0.0 255.0.0.0 [1/0] via 10.1.0.2, inside
S    10.255.0.0 255.255.255.0 [1/0] via 198.51.100.1, outside
C    198.51.100.0 255.255.255.0 is directly connected, outside
C    10.1.0.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 198.51.100.1, outside
When the VPN client is connected, the host-based route to that VPN IP address is present in the table and is
preferred. When the VPN client disconnects, traffic sourced from that client IP address that arrives on the
inside interface is checked against the routing table and dropped due to the ip verify reverse-path inside
command.
If the VPN client generates a directed network broadcast to the VPN IP subnet, then that packet is forwarded
to the inside router and forwarded by the router back to the ASA, where it is dropped due to the ip verify
reverse-path inside command.
Note: After this solution is implemented, if the same-security permit intra-interface command is present in
the configuration and the access policies permit it, traffic sourced from a VPN user destined to an IP address
in the VPN IP pool for a user that is not connected might be routed back out of the outside interface in
clear-text. This is a rare situation and can be mitigated with the use of vpn-filters within the VPN policy.
This situation only occurs if the same-security permit intra-interface command is present in the
configuration of the ASA.
Likewise, if internal hosts generate traffic destined to an IP address in the VPN pool and that IP address is not
assigned to a remote VPN user, that traffic might egress the outside of the ASA in clear−text.
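The following Python model is an added example, not part of this Cisco document and not ASA code. It reproduces the routing table shown above as a constructed list, performs a longest-prefix lookup, and applies two of the checks the text describes: the reverse-path check on the inside interface, and the rule that a packet may only leave the interface it arrived on when same-security permit intra-interface is configured. It deliberately ignores everything else the ASA does (access lists, NAT, vpn-filters), and the second pool address 10.255.0.101 used in the usage scenarios is an assumed, unassigned pool address.

```python
import ipaddress

# Constructed copy of the "show route" table above, with client 10.255.0.100 connected.
# Each entry: (prefix, next hop or None if directly connected, egress interface).
ROUTES_CLIENT_CONNECTED = [
    ("10.255.0.100/32", "198.51.100.1", "outside"),  # host route installed for the VPN session
    ("10.0.0.0/8", "10.1.0.2", "inside"),
    ("10.255.0.0/24", "198.51.100.1", "outside"),    # static route for the VPN pool (the fix)
    ("198.51.100.0/24", None, "outside"),
    ("10.1.0.0/24", None, "inside"),
    ("0.0.0.0/0", "198.51.100.1", "outside"),
]

# Same table after the client disconnects: the /32 host route is withdrawn.
ROUTES_CLIENT_DISCONNECTED = [r for r in ROUTES_CLIENT_CONNECTED if r[0] != "10.255.0.100/32"]

# Table without the pool route, i.e. before the fix: only the 10/8 route covers the pool.
ROUTES_NO_POOL_ROUTE = [r for r in ROUTES_CLIENT_DISCONNECTED if r[0] != "10.255.0.0/24"]


def lookup(routes, address):
    """Longest-prefix match. Returns (network, next_hop, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def forward(routes, src, dst, ingress, rpf_interfaces=("inside",), intra_interface=False):
    """Simplified per-packet decision for one packet arriving on `ingress`.

    Returns the egress interface name, or a string starting with "drop:" and the reason.
    - ip verify reverse-path <iface>: the best route back to the source must point out
      the interface the packet arrived on, otherwise the packet is dropped.
    - Without same-security permit intra-interface, a packet may not leave the interface
      it arrived on.
    """
    if ingress in rpf_interfaces:
        back = lookup(routes, src)
        if back is None or back[2] != ingress:
            return "drop:rpf"
    route = lookup(routes, dst)
    if route is None:
        return "drop:no-route"
    egress = route[2]
    if egress == ingress and not intra_interface:
        return "drop:intra-interface"
    return egress


if __name__ == "__main__":
    # Where does traffic for the client address go, with and without the host route?
    print("connected:   ", lookup(ROUTES_CLIENT_CONNECTED, "10.255.0.100"))
    print("disconnected:", lookup(ROUTES_CLIENT_DISCONNECTED, "10.255.0.100"))
    # Before the fix the 10/8 route sends pool traffic back toward the inside router (loop).
    print("no pool route:", lookup(ROUTES_NO_POOL_ROUTE, "10.255.0.100"))
    # Packet sourced from the disconnected client's address arriving on inside: RPF drop.
    print(forward(ROUTES_CLIENT_DISCONNECTED, "10.255.0.100", "10.1.0.50", "inside"))
    # Connected VPN user (decrypted on outside) to an unassigned pool address (assumed 10.255.0.101).
    print(forward(ROUTES_CLIENT_CONNECTED, "10.255.0.100", "10.255.0.101", "outside"))
    print(forward(ROUTES_CLIENT_CONNECTED, "10.255.0.100", "10.255.0.101", "outside",
                  intra_interface=True))
```

Running the scenarios shows the behaviour the text describes: with the client connected the /32 wins, after disconnect the /24 pool route still points out outside rather than back to the inside router, a packet from the pool address arriving on inside fails the reverse-path check, and the outside-to-outside case in the Note is only forwarded (in clear text) when intra-interface traffic is permitted.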
Updated: Aug 11, 2014
Document ID: 116170