no split tunnel-internet access via isa in dmz

bws
Level 1

Hi,

I have configured my ASA 5520 v7.2 for remote VPN. It is working fine. I need to provide my clients access to the Internet without enabling split tunnelling. I have gone through some docs, e.g. the one below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

The above one is not enough for me, as I have a different requirement.

I want my clients to VPN to the ASA, and for accessing the Internet I have an ISA server connected to the VPN device. All my VPN clients that want to access the Internet should use this for Internet access. My ISA server is in the same subnet as the VPN device but uses a different gateway for Internet access.

Please comment.


10 Replies

andrew.prince
Level 10

Adil,

To be honest, not so easy. Right off the bat, the easiest way I can think of is to:

1) Tunnel All

2) Then add the below

group-policy <> attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass disable

x.x.x.x = ISA IP address

The above will push Internet Explorer proxy settings into the remote user's browser. Obviously it only works with IE (ho hum). I have tested this in the lab with a Squid proxy server, not ISA, but it worked quite well.

HTH.

Great HTH,

What do you mean by tunnel all? All VPN clients are connecting as remote VPN.

Can I set up a couple of tunnels, i.e. for the corp network use a tunnel which points to the inside device, and for any 0.0.0.0 traffic point the tunnel to the ISA, which can act as a gateway?

Can you send me some docs on how this can be done?

Appreciate your comments.

Regs,

a

Tunnel All - means you are encrypting all the traffic from the VPN client to the ASA.

Split-tunneling - means you encrypt specific IP subnets.

Tunnel all with local LAN access - the client can reach its local subnet (for local printing etc.); anything else is encrypted.

You could set that up, yes. Do you have any existing remote VPN configuration? It would be easier to modify existing tunnel policies.

Here you go...

My existing VPN configuration is attached. Please let me know what needs to be added.

Add the below:

group-policy staffvpn attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass disable

group-policy newstaffvpn attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass disable

username adel attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass disable

username waled attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass disable

To whichever remote VPN group you want to test with. x.x.x.x is the IP address of the ISA server.

HTH.
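The two replies above rely on the same combination: the group policy must tunnel everything (the ASA command for "Tunnel All" is `split-tunnel-policy tunnelall`, which is also the ASA default when the attribute is absent), push the ISA address with `msie-proxy method use-server` and `msie-proxy server value`, and keep `msie-proxy local-bypass disable` so the browser does not skip the proxy for addresses it considers local. Two things a practitioner should verify after applying it: that every policy actually in use got all three settings (a policy left on split tunnelling sends Internet traffic straight out of the client's own NIC, bypassing both the ASA and the ISA), and that the push only affects IE/WinINET clients, so anything that ignores browser proxy settings has no Internet path unless you give it one. The script below is an added example, not part of the thread or Cisco's code: it parses a `show running-config` excerpt for `group-policy ... attributes` blocks and flags policies that do not match the pattern. The config excerpt, the address 10.1.20.5:8080 standing in for the ISA server, and the `contractorvpn` policy are constructed for the example; `staffvpn` and `newstaffvpn` are the thread's own policy names.

```python
"""Audit ASA group-policy blocks for the tunnel-all + proxy-push pattern.

Added example, not from the forum thread. The running-config excerpt is
constructed; 10.1.20.5:8080 is a placeholder for the ISA server.
"""
import re

# Constructed sample: the shape of `show running-config group-policy` after the
# accepted answer was applied to staffvpn only. newstaffvpn still split-tunnels
# and allows local bypass; contractorvpn tunnels all but pushes no proxy.
SAMPLE_CONFIG = """\
group-policy staffvpn internal
group-policy staffvpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 msie-proxy method use-server
 msie-proxy server value 10.1.20.5:8080
 msie-proxy local-bypass disable
group-policy newstaffvpn internal
group-policy newstaffvpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value corp-nets
 msie-proxy method use-server
 msie-proxy server value 10.1.20.5:8080
 msie-proxy local-bypass enable
group-policy contractorvpn internal
group-policy contractorvpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
"""


def parse_group_policies(config):
    """Return {policy_name: {command_prefix: last_token}} per attributes block.

    ASA indents sub-commands by one space under `group-policy NAME attributes`.
    Each sub-command is keyed by everything but its final token, so
    'msie-proxy server value 10.1.20.5:8080' becomes
    {'msie-proxy server value': '10.1.20.5:8080'}.
    """
    policies = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^group-policy (\S+) attributes$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        if line.startswith(" ") and current is not None:
            parts = line.strip().split()
            if len(parts) >= 2:
                current[" ".join(parts[:-1])] = parts[-1]
            continue
        current = None  # any other top-level command ends the block
    return policies


def audit_policy(attrs):
    """Return findings for one policy; an empty list means it matches the pattern.

    Defaults follow the ASA: a missing split-tunnel-policy means tunnelall and a
    missing msie-proxy local-bypass means disable, so neither is reported.
    """
    findings = []
    if attrs.get("split-tunnel-policy", "tunnelall") != "tunnelall":
        findings.append("split tunnelling enabled; Internet traffic bypasses the proxy")
    if attrs.get("msie-proxy method") != "use-server":
        findings.append("no proxy pushed (msie-proxy method is not use-server)")
    elif "msie-proxy server value" not in attrs:
        findings.append("msie-proxy method use-server but no server address set")
    if attrs.get("msie-proxy local-bypass") == "enable":
        findings.append("local-bypass enabled; client may skip the proxy for local hosts")
    return findings


def audit_config(config):
    """Map every group policy in the config to its list of findings."""
    return {name: audit_policy(attrs) for name, attrs in parse_group_policies(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against the output of `show running-config group-policy` copied from the ASA; `username ... attributes` blocks are parsed the same way on the box but are not covered here, so per-user overrides like the `adel` and `waled` entries above still need to be checked by hand. The script does not tell you whether the VPN pool can actually reach the ISA, which is the ACL and NAT question raised later in the thread.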

Great...

After applying this, will I have any issues accessing my servers' browser-based applications in my internal network?

Thanks,

Only if you don't have the ACL on the interface with the ISA server to allow the traffic from the lower-security interface into the higher-security interface! And of course check your NAT rules out... other than that, configure, test and troubleshoot if required!

HTH.

Many thanks

np - glad to help.
