no split tunnel-internet access via isa in dmz

Answered Question
May 21st, 2008

hi,

I have configured my ASA 5520 v 7.2 for remote VPN. It is working fine. I need to provide my clients access to the internet without enabling split tunnel. I have gone through some docs, e.g. the one below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

The above one is not enough for me as I have a different requirement.

I want my clients to VPN to the ASA, and for accessing the internet I have an ISA connected to the VPN device. When my VPN clients want to access the internet they should use this for internet access. My ISA server is in the same subnet as the VPN device but uses a different gateway for internet access.

Please comment.


Adil,

To be honest, not so easy. Right off the bat the easiest way I can think of is to:-

1) Tunnel All

2) Then add the below

group-policy <> attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass disable

x.x.x.x = ISA IP Address

The above will push Internet Explorer proxy settings into the remote user's browser. Obviously it only works with IE (ho hum). I have tested this in the lab with Squid Proxy Server, not ISA, but it worked quite well.

HTH.

adil.ibrahim Wed, 05/21/2008 - 23:08

Great HTH,

What do you mean by tunnel all? All VPN clients are connecting as remote VPN.

Can I set up a couple of tunnels, i.e. for the corp network use a tunnel which points to the inside device, and for any 0.0.0.0 traffic point the tunnel to the ISA, which can act as gateway?

Can you send me some docs on how this can be done?

Appreciate your comments.

Regards,

a

Tunnel All - means you are encrypting all the traffic from the VPN client to the ASA.

Split-tunneling - means you encrypt only specific IP subnets.

Tunnel all with local LAN access - means the client can reach the local subnet (for local printing etc.); anything else is encrypted.

You could set that up, yes. Do you have any existing remote VPN configuration? It would be easier to modify existing tunnel policies.
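The three tunnel modes described above, together with the IE proxy push from the earlier reply, map onto the ASA `split-tunnel-policy` keywords. The following is an added example for illustration, not configuration posted by anyone in this thread; the group-policy names, the `10.0.0.0/8` corporate range, the ACL name `corp-nets` and the ISA address `10.1.1.50:8080` are assumed placeholders.

```cisco
! Added example (not from this thread). Placeholders: staffvpn,
! staffvpn-split, staffvpn-locallan, corp-nets, 10.0.0.0/8, 10.1.1.50:8080.

! 1) Tunnel All: every packet from the client is encrypted to the ASA.
!    The pushed proxy makes IE send web requests to the ISA, which is on
!    the inside subnet and has its own route out to the internet.
group-policy staffvpn attributes
 split-tunnel-policy tunnelall
 msie-proxy method use-server
 msie-proxy server value 10.1.1.50:8080
 msie-proxy local-bypass disable

! 2) Split-tunneling: only the listed subnets are encrypted; everything
!    else leaves the client's local interface unprotected.
access-list corp-nets standard permit 10.0.0.0 255.0.0.0
group-policy staffvpn-split attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value corp-nets

! 3) Tunnel all with local LAN access: the listed networks are excluded
!    from the tunnel (local printers etc.); everything else is encrypted.
access-list local-lan standard permit 192.168.0.0 255.255.0.0
group-policy staffvpn-locallan attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value local-lan
```

Only the first variant meets the original requirement, since with split-tunneling the client's internet traffic never reaches the ASA or the ISA at all. As the earlier reply notes, the `msie-proxy` settings are honoured by Internet Explorer only; applications that do not read the IE proxy settings will send their internet-bound traffic straight to the ASA, where it is simply dropped unless the ASA is separately configured to forward it.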

Correct Answer

Add the below:-

group-policy staffvpn attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass disable

group-policy staffvpn attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass disable

group-policy newstaffvpn attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass disable

username adel attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass disable

username waled attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass disable

To whichever remote VPN group you want to test with. x.x.x.x is the IP address of the ISA server.

HTH.

adil.ibrahim Thu, 05/22/2008 - 02:23

Great...

After applying this, will I have any issues accessing my servers' browser-based applications in my internal network?

Thanks,
