VPN's into ASA can't access the Internet

Jun 12th, 2008

Hi,


I have managed to get Cisco Client VPNs and a Site-to-Site office VPN (Cisco 877) onto my Cisco ASA and all working, until I issued the "no sysopt connection permit-vpn" command. This stops VPN traffic from being exempt from access-lists.


I want to control the VPNs by access list and have created all the correct rules for "outside_access_in", and the VPNs can connect to the servers on the ports needed. Now the only thing they can't access is the Internet, which they could before I issued that command.


If I add "permit tcp object-group VPN_Remote_Networks 0.0.0.0 0.0.0.0 object-group Http-Https" then they can access the Internet but it also means they can access any webservers on the inside. Can I create a rule that only applies to their outbound traffic to the internet?


Thanks

marchanamendon Thu, 06/12/2008 - 01:48

Hi


To allow VPN users to access the Internet when they are in the tunnel, you need to configure split tunneling.


Check the Cisco site, where you can get the configuration examples.


Regards,

Archana.

whiteford Thu, 06/12/2008 - 02:23

Hi, we don't want to split the traffic; all traffic needs to internet the ASA as we monitor the URLs.

francisco_1 Thu, 06/12/2008 - 02:37

whiteford ,


With split tunneling you can use an ACL to control access to your corporate network across the tunnel by restricting what servers users can access, based on TCP/UDP port for example. All other traffic, such as instant messaging or casual browsing, is sent out to the Internet via the local LAN of the VPN Client.


whiteford Thu, 06/12/2008 - 02:42

But what if I need the Internet traffic to be filtered by our Websense URL server which is at the HQ where the ASA is? It would mean their internet traffic is not monitored.

francisco_1 Thu, 06/12/2008 - 02:55

I am trying to understand your requirements. Not sure how Websense works, but when the ASA sends Internet requests to the Websense software, are you filtering based on user account in Active Directory or IP address?

whiteford Thu, 06/12/2008 - 02:26

The Internet needs to come in on the same route as the rest of the traffic, as the URLs are monitored by our internal Websense URL filtering server; we need to make sure this traffic is monitored. The only way I can see this working is if I leave that http/https rule to "any", then it all works, but it means they can access internal sites they don't need to.

marchanamendon Thu, 06/12/2008 - 03:18

Hi Whiteford,


When you enable split tunneling, if any VPN user wants to access the Internet, it will go like the rest of the other traffic. So, as in your case, the rest of the traffic goes via the URL filtering server and then accesses the Internet. The same will happen when a VPN user accesses the Internet.


Rate if this helps!!



Regards,

Archana.

francisco_1 Thu, 06/12/2008 - 03:24

whiteford


On your ASA, configure what to filter via the following commands:

*note* in this sample, all urls from any host and to any host will be filtered.

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow


Any http traffic through the ASA from any devices on the inside, including VPN users, will be sent to your Websense server for filtering.


whiteford Thu, 06/12/2008 - 04:19

Do I still need to split the tunnel, if so how?


Sorry for my slow understanding, I just assumed that splitting the tunnel meant the remote sites internet didn't even come over the VPN to the ASA and out again.


Thanks

whiteford Thu, 06/12/2008 - 05:05

Will this work for my Site-to-Site VPN too? I see the example only for Cisco VPN clients?


Many thanks

francisco_1 Thu, 06/12/2008 - 05:16

The split-tunnel applies only to remote VPN users.


For the site-site VPN, are you saying you want to filter web traffic also?

whiteford Thu, 06/12/2008 - 05:27

It will be filtered eventually, but at the moment the only way to give them the Internet is if I create a rule on the outside to inside for the site-to-site's IP ranges on http/https, but this also means full web access to internal servers.

francisco_1 Thu, 06/12/2008 - 06:38

Correct. The site-site traffic will be filtered by the Websense server if you have "filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow" enabled on the ASA. The ASA will send traffic for everything coming from the inside-outside to your Websense server.


The reason why you have to create the rule on the outside to inside interface is because you have the "no sysopt connection permit-vpn" command enabled. With the "no sysopt connection permit-vpn" command enabled on your ASA, you are not bypassing the ACL applied to your outside interface.


The ACL rule you created that applies to your ASA outside interface is permitting only http/https for the site-site VPN traffic terminating on the ASA outside interface, so you are restricting access to the internal network based on your site-site IP ranges, allowing only http/https. Nothing else should be allowed to pass.


Am I making sense?

tj.mitchell Thu, 06/12/2008 - 06:51

You are correct: when you split-tunnel, the traffic that comes through the tunnel is defined by the ACL list that you create; all other traffic bypasses the tunnel and heads out to the Internet "normally". If you want to filter the traffic for the RA users then you have the setup correct, as all traffic needs to be sent to the ASA through the VPN tunnel. I did this for a client about 2 years ago, let me see if I can dig it up for you.


Another command is "same-security-traffic permit intra-interface"; this will allow the traffic to traverse the same interface, say coming in the outside interface then back out the outside interface, "hairpinning" the traffic. The sysopt command that you used is for bypassing all the ACLs for VPN traffic. That's the reason things stopped working, because the ACLs are now affecting the traffic, which you stated. If you want, you can put filters to not allow traffic to the internal network on port 80 and 443, but permit to the Internet.


Also, you need to ensure that your NATs are correct for the VPN users' traffic to access the Internet.


This way all traffic will be sent through the ASA and then websense can be used for traffic filtering.


Hope this helps, if so please rate..

whiteford Thu, 06/12/2008 - 07:10

If you can dig it up then great!


"If you want you can put filters to not allow traffic to the internal network on port 80 and 443, but permit to the internet."


This sounds like what I need... How? And I need 443 and 80 only on some internal servers, but I have an ACL already working for this.

tj.mitchell Thu, 06/12/2008 - 08:16

Here's part of the configuration for the filter..


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml


This will answer the other question for hairpinning the traffic as I can't find the configuration:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpnsysop.html#wp1042114


This will do what you want with the Internet traffic. I have never tested this with a Websense in the middle (ASA diverting traffic to it), but since the ASA needs to process the traffic it should work.


HTH, please rate if this was helpful..
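
An added example, not part of the thread or any poster's configuration: a small first-match ACL model showing why the broad http/https rule from the question also opens inside web servers, and how a deny for the inside range placed between the specific server permits and the any-destination permit closes that. All addresses and the names `INSIDE_NETWORKS`, `ALLOWED_WEB_SERVERS`, `BROAD_ACL` and `ORDERED_ACL` are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan (assumptions, not taken from the thread).
VPN_REMOTE_NETWORKS = [ip_network("10.99.0.0/24"), ip_network("192.168.77.0/24")]
INSIDE_NETWORKS = [ip_network("10.0.0.0/16")]
ALLOWED_WEB_SERVERS = [ip_network("10.0.1.20/32")]
ANY = [ip_network("0.0.0.0/0")]
HTTP_HTTPS = {80, 443}

# Each entry: (action, source networks, destination networks, TCP ports).
# BROAD_ACL models the rule from the question appended to the working permits.
BROAD_ACL = [
    ("permit", VPN_REMOTE_NETWORKS, ALLOWED_WEB_SERVERS, HTTP_HTTPS),
    ("permit", VPN_REMOTE_NETWORKS, ANY, HTTP_HTTPS),
]
# ORDERED_ACL adds a deny for the inside range before the any-destination permit.
ORDERED_ACL = [
    ("permit", VPN_REMOTE_NETWORKS, ALLOWED_WEB_SERVERS, HTTP_HTTPS),
    ("deny", VPN_REMOTE_NETWORKS, INSIDE_NETWORKS, HTTP_HTTPS),
    ("permit", VPN_REMOTE_NETWORKS, ANY, HTTP_HTTPS),
]

# Constructed test flows: (source, destination, TCP port).
FLOWS = {
    "approved inside server": ("10.99.0.5", "10.0.1.20", 443),
    "other inside web server": ("10.99.0.5", "10.0.2.30", 80),
    "internet site": ("192.168.77.9", "198.51.100.10", 443),
    "internet non-web port": ("10.99.0.5", "198.51.100.10", 25),
}


def _in(addr, nets):
    return any(addr in net for net in nets)


def evaluate(acl, src, dst, port):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_nets, dst_nets, ports in acl:
        if _in(s, src_nets) and _in(d, dst_nets) and port in ports:
            return action
    return "deny"


def audit(acl):
    """Return the verdict for every constructed flow under the given ACL."""
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("broad", BROAD_ACL), ("ordered", ORDERED_ACL)):
        print(label, audit(acl))
```
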
