Cisco ASA 5555-X Adaptive Security Appliance - No Payload Encryption Troubleshooting Guide

 security-level 0
 ip address 198.51.100.100 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
same-security-traffic permit intra-interface
!
ip local pool VPNpool 10.255.0.1-10.255.0.255
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1
route inside 10.0.0.0 255.0.0.0 10.1.0.2
Router configuration highlights are shown in this example:
interface FastEthernet0
 description connected to the inside interface of the ASA G0/1
 ip address 10.1.0.2 255.255.255.0
!
interface FastEthernet1
 description connected to network segment
 ip address 10.2.0.1 255.255.255.0
!
interface FastEthernet2
 description connected to other network segment
 ip address 10.3.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.0.1
The routing table of the router connected to the inside of the ASA simply has a default route pointing at the
ASA inside interface, 10.1.0.1.
While the user is connected via VPN to the ASA, the ASA routing table shows as follows:
ASA# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 198.51.100.1 to network 0.0.0.0
S    10.255.0.100 255.255.255.255 [1/0] via 198.51.100.1, outside
S    10.0.0.0 255.0.0.0 [1/0] via 10.1.0.2, inside
C    198.51.100.0 255.255.255.0 is directly connected, outside
C    10.1.0.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 198.51.100.1, outside
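The per-client /32 (10.255.0.100 via 198.51.100.1, outside) is what pulls return traffic for the VPN client to the outside interface; without it, the next-longest match for 10.255.0.100 is the 10.0.0.0/8 route, which points back through the inside interface to the router. The script below is an added example, not code from the Cisco document: it models longest-prefix matching over the two routing tables shown on this page and hands a packet for 10.255.0.100 between the router and the ASA, once with the host route present and once after it has been withdrawn. The hop trace, the TTL budget and the assumption that the ASA hairpins the packet back out the inside interface (which same-security-traffic permit intra-interface allows) are modelling assumptions; ACL checks, NAT and connection state are not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str        # next-hop address, or "connected"
    interface: str       # egress interface


def r(prefix, next_hop, interface):
    return Route(ipaddress.ip_network(prefix), next_hop, interface)


ASA_INSIDE = "10.1.0.1"      # ASA G0/1, the router's default gateway
ROUTER_INSIDE = "10.1.0.2"   # router Fa0, next hop of the ASA's 10.0.0.0/8 route
VPN_CLIENT = "10.255.0.100"  # address the example client was assigned from VPNpool

# ASA routing table while the VPN client is connected (taken from the 'show route' output).
ASA_ROUTES_CONNECTED = [
    r("10.255.0.100/32", "198.51.100.1", "outside"),   # per-client host route
    r("10.0.0.0/8", ROUTER_INSIDE, "inside"),
    r("198.51.100.0/24", "connected", "outside"),
    r("10.1.0.0/24", "connected", "inside"),
    r("0.0.0.0/0", "198.51.100.1", "outside"),
]

# Router routing table, taken from the router configuration highlights. The default route is
# resolved over FastEthernet0 because 10.1.0.1 lies in that interface's connected subnet.
ROUTER_ROUTES = [
    r("10.1.0.0/24", "connected", "FastEthernet0"),
    r("10.2.0.0/24", "connected", "FastEthernet1"),
    r("10.3.0.0/24", "connected", "FastEthernet2"),
    r("0.0.0.0/0", ASA_INSIDE, "FastEthernet0"),
]


def lookup(routes, dst):
    """Longest-prefix match: of all routes containing dst, the most specific one wins."""
    addr = ipaddress.ip_address(dst)
    matches = [rt for rt in routes if addr in rt.prefix]
    return max(matches, key=lambda rt: rt.prefix.prefixlen) if matches else None


def vpn_client_disconnect(routes, client_ip):
    """Model the VPN teardown: the /32 installed for the client is withdrawn."""
    host = ipaddress.ip_network(f"{client_ip}/32")
    return [rt for rt in routes if rt.prefix != host]


def trace_path(asa_routes, dst, ttl=8):
    """Hand a packet from an inside host back and forth between the router and the ASA,
    spending one TTL per hop, until it leaves toward a third device or TTL reaches zero.
    Only routing decisions are modelled (assumption): ACLs, NAT and state are ignored.
    Returns (outcome, list of (device, egress_interface, next_hop))."""
    hops = []
    device = "router"   # the sending host sits on 10.2.0.0/24 or 10.3.0.0/24, behind the router
    while ttl > 0:
        ttl -= 1
        if device == "router":
            rt = lookup(ROUTER_ROUTES, dst)
            hops.append(("router", rt.interface, rt.next_hop))
            if rt.next_hop != ASA_INSIDE:
                return "delivered by router", hops
            device = "asa"
        else:
            rt = lookup(asa_routes, dst)
            hops.append(("asa", rt.interface, rt.next_hop))
            if rt.next_hop != ROUTER_INSIDE:
                return f"asa egress {rt.interface}", hops
            # same-security-traffic permit intra-interface lets the ASA send the packet
            # back out the interface it arrived on, so it returns to the router.
            device = "router"
    return "ttl expired", hops


if __name__ == "__main__":
    tables = (("connected", ASA_ROUTES_CONNECTED),
              ("disconnected", vpn_client_disconnect(ASA_ROUTES_CONNECTED, VPN_CLIENT)))
    for label, table in tables:
        best = lookup(table, VPN_CLIENT)
        outcome, hops = trace_path(table, VPN_CLIENT)
        print(f"{label}: ASA picks {best.prefix} via {best.next_hop} ({best.interface}); "
              f"{outcome} after {len(hops)} hops")
```

With the host route present the packet leaves the ASA on outside after two hops; once the /32 is gone the 10.0.0.0/8 route wins the lookup, and the packet is handed back to the router, whose default route returns it to the ASA, until TTL is exhausted.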
The problem occurs when the remote access VPN user disconnects from the VPN. At this point, the
host-based route for the client (10.255.0.100/32) is removed from the ASA routing table. If a host inside the network attempts to send traffic
to the VPN client, that traffic is routed to the ASA inside interface by the router. This series of steps occurs:
1. The packet destined to 10.255.0.100 arrives on the inside interface of the ASA.
2. Standard ACL checks are performed.
3. The ASA routing table is checked in order to determine the egress interface for this traffic.