The default behavior is to use a netmask based on the class of the IP. 
For instance, 10.10.10.x is a class A, so the default netmask is 
255.0.0.0. When you get assigned your interface information, the default 
gateway should be set to the first IP of the subnet, which would be 
10.0.0.1. I don't believe this default gateway has any effect on your 
connection. Based on your split tunnel configuration, the software will 
decide whether to encrypt the traffic or not, and will always send the packet 
to the default gateway for your physical interface. The difference is 
that when it is identified as to be encrypted, the destination IP will be the 
VPN termination point. In IOS, you can specify the netmask in your 
client configuration. As an example, the netmask could be 
255.255.255.255, so your default gateway will be the same IP address as 
your VPN client assigned IP. I do not think you can specify the netmask 
in ASA though. But I do not think the default gateway or netmask has any 
effect on which packets are encrypted, and where the packets are sent.

Kingsley Charles wrote:
> That's an issue that I have been facing. Just wanted to check, if 
> anyone is facing.
> With regards
> Kings
>
> On Mon, Feb 1, 2010 at 7:00 PM, Peter Debye <[email protected]> wrote:
>
>     Sorry, I thought you were talking about EzVPN hardware client.
>     (Usually, the cisco software IPSec client for PCs is called cisco unity
>     vpn client, for historical reasons and to avoid confusion.)
>
>     I've just checked the routing table on my PC (winXP) before and after
>     establishing tunnel with ASA, the client version is 5.0.05.0290.
>     No split-tunnel list is sent; and the pool is
>     172.29.3.10-172.29.4.255.
>
>     Initial: default point to 192.168.1.1 - access-router IP. My
>     IP=192.168.1.33
>     C:\>netstat -r
>     Tabla de rutas
>     Rutas activas:
>     Destino de red        Máscara de red   Puerta de acceso   Interfaz  Métrica
>             0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.33       20
>           127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
>         192.168.1.0    255.255.255.0     192.168.1.33    192.168.1.33       20
>        192.168.1.33  255.255.255.255        127.0.0.1       127.0.0.1       20
>       192.168.1.255  255.255.255.255     192.168.1.33    192.168.1.33       20
>           224.0.0.0        240.0.0.0     192.168.1.33    192.168.1.33       20
>     255.255.255.255  255.255.255.255     192.168.1.33    192.168.1.33        1
>     255.255.255.255  255.255.255.255     192.168.1.33               2        1
>     Puerta de enlace predeterminada:       192.168.1.1
>     =======================================================
>
>
>     After tunnel establishment:
>     I've got IP=172.29.3.15  from the pool;
>     the default is set via that IP: 172.29.3.15;
>     there's one more route: to gateway (ASA, 212.17....).
>
>     C:\>netstat -r
>     Tabla de rutas
>     Rutas activas:
>     Destino de red        Máscara de red   Puerta de acceso   Interfaz  Métrica
>             0.0.0.0          0.0.0.0      172.29.3.15     172.29.3.15        1
>           127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
>         172.29.3.15  255.255.255.255        127.0.0.1       127.0.0.1       20
>      172.29.255.255  255.255.255.255      172.29.3.15     172.29.3.15       20
>         192.168.1.0    255.255.255.0     192.168.1.33    192.168.1.33       20
>         192.168.1.0    255.255.255.0      172.29.3.15     172.29.3.15       20
>         192.168.1.1  255.255.255.255     192.168.1.33    192.168.1.33        1
>        192.168.1.33  255.255.255.255        127.0.0.1       127.0.0.1       20
>       192.168.1.255  255.255.255.255     192.168.1.33    192.168.1.33       20
>         212.170.*.*  255.255.255.255      192.168.1.1    192.168.1.33        1
>           224.0.0.0        240.0.0.0      172.29.3.15     172.29.3.15       20
>           224.0.0.0        240.0.0.0     192.168.1.33    192.168.1.33       20
>     255.255.255.255  255.255.255.255      172.29.3.15     172.29.3.15        1
>     255.255.255.255  255.255.255.255     192.168.1.33    192.168.1.33        1
>     255.255.255.255  255.255.255.255     192.168.1.33               2        1
>     Puerta de enlace predeterminada:       172.29.3.15
>     =======================================================
>
>     Well, I don't see any routes pointing to the first address of the pool.
>     (By the way, how can a client have knowledge of the "first" address?)
>
>     Or am I (again) missing something?
>     ======================================
>
>     On 1 February 2010 13:33, Kingsley Charles <[email protected]> wrote:
>     > Peter
>     >
>     > With routers as client, we can manipulate the routes, no issues.
>     >
>     > But, with the PC VPN client, the route is installed automatically by the
>     > PC.
>     >
>     > For both the cases - split tunnel and tunnel all, a route will be added with
>     > split tunnel network or default route respectively with next hop of the IP
>     > address that has been leased to the PC.
>     >
>     > The behaviour I see is that for tunnel all, the default route is with the
>     > ".1" address of the address pool network.
>     >
>     > With regards
>     > Kings
>     >
>     > On Mon, Feb 1, 2010 at 5:41 PM, Peter Debye <[email protected]> wrote:
>     >>
>     >> I advise you to use DVTI on the hw client; with that, and with no
>     >> split tunnel-list received,
>     >> the client sets the following static routes:
>     >>      - static to Servers' public address via wan interface (physical);
>     >>      - static default via DVTI.
>     >> (tested with vers 12.4(24)T1 on 2811 and 804(39) on asa5510)
>     >>
>     >> ==========================
>     >
>     >
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please 
> visit www.ipexpert.com
>    

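As an added illustration (not code from anyone in the thread), the following Python sketch reproduces the two points the discussion turns on: the classful default netmask and "first host" that the top reply describes, and a longest-prefix lookup over the "after tunnel establishment" route table Peter pasted, which shows that only the host route to the ASA's public address leaves via the physical gateway while everything else goes to the VPN adapter. The route rows are constructed from the quoted netstat output; the ASA address is masked as 212.170.*.* in the post, so a labelled placeholder stands in for it.

```python
import ipaddress

# Constructed from the "after tunnel establishment" netstat -r output quoted
# above: (destination, netmask, gateway, interface, metric).
# The ASA's public address is masked as 212.170.*.* in the post; the value
# below is a placeholder, not the real peer.
ASA_PUBLIC = "212.170.0.1"  # placeholder for the masked 212.170.*.*
TUNNEL_ALL_ROUTES = [
    ("0.0.0.0",      "0.0.0.0",         "172.29.3.15",  "172.29.3.15",  1),
    ("127.0.0.0",    "255.0.0.0",       "127.0.0.1",    "127.0.0.1",    1),
    ("172.29.3.15",  "255.255.255.255", "127.0.0.1",    "127.0.0.1",    20),
    ("192.168.1.0",  "255.255.255.0",   "192.168.1.33", "192.168.1.33", 20),
    ("192.168.1.0",  "255.255.255.0",   "172.29.3.15",  "172.29.3.15",  20),
    ("192.168.1.1",  "255.255.255.255", "192.168.1.33", "192.168.1.33", 1),
    (ASA_PUBLIC,     "255.255.255.255", "192.168.1.1",  "192.168.1.33", 1),
]


def classful_default(ip: str) -> tuple:
    """Classful default netmask and the 'first' host of that network, i.e.
    what the reply describes for a 10.10.10.x client address."""
    first_octet = int(ip.split(".")[0])
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.netmask), str(net.network_address + 1)


def lookup(dst: str, routes=TUNNEL_ALL_ROUTES) -> tuple:
    """Longest-prefix match; the lowest metric wins a tie.
    Returns (gateway, interface) the packet would be handed to."""
    addr = ipaddress.ip_address(dst)
    best = None  # (prefixlen, metric, gateway, interface)
    for dest, mask, gw, iface, metric in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if addr not in net:
            continue
        if best is None or (net.prefixlen, -metric) > (best[0], -best[1]):
            best = (net.prefixlen, metric, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[2], best[3]


if __name__ == "__main__":
    print(classful_default("10.10.10.5"))   # classful /8 default
    print(lookup("8.8.8.8"))                # via the VPN adapter
    print(lookup(ASA_PUBLIC))               # via the physical gateway
    print(lookup("192.168.1.1"))            # host route stays on the LAN
```

Running lookups for an arbitrary Internet address and for the ASA placeholder side by side makes the point of the reply visible: the pool address being the "default gateway" only determines the adapter the packet is handed to, while the peer itself is always reached through the physical interface's gateway.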