VPN's into ASA can't access the Internet

whiteford
Level 1

Hi,

I have managed to get Cisco Client VPNs and a site-to-site office VPN (Cisco 877) onto my Cisco ASA, all working until I issued the "no sysopt connection permit-vpn" command. This stops VPN traffic from being exempt from access lists.

I want to control the VPNs by access list and have created all the correct rules for "outside_access_in", and the VPNs can connect to the servers on the ports needed. Now the only thing they can't access is the Internet, which they could before I issued that command.

If I add "permit tcp object-group VPN_Remote_Networks 0.0.0.0 0.0.0.0 object-group Http-Https" then they can access the Internet, but it also means they can access any web servers on the inside. Can I create a rule that only applies to their outbound traffic to the Internet?

Thanks

18 Replies

marchanamendon
Level 1

Hi

To allow VPN users to access the Internet when they are in the tunnel, you need to configure split tunneling.

Check the Cisco site, where you can get configuration examples.

Regards,

Archana.

see this http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

I suggest you use the ASDM to modify your VPN group for split tunneling.

Please rate if this helps.

Hi, we don't want to split the traffic; all traffic needs to enter the ASA, as we monitor the URLs.

whiteford ,

With split tunneling you can use an ACL to control access to your corporate network across the tunnel, restricting which servers users can access based on TCP/UDP port, for example. All other traffic, such as instant messaging or casual browsing, is sent out to the Internet via the local LAN of the VPN client.

But what if I need the Internet traffic to be filtered by our Websense URL server, which is at the HQ where the ASA is? It would mean their Internet traffic is not monitored.

I am trying to understand your requirements. I'm not sure how Websense works, but when the ASA sends Internet requests to the Websense software, are you filtering based on user accounts in Active Directory or on IP address?

The Internet traffic needs to come in on the same route as the rest of the traffic, as the URLs are monitored by our internal Websense URL filtering server; we need to make sure this traffic is monitored. The only way I can see this working is if I leave that http/https rule as "any"; then it all works, but it means they can access internal sites they don't need to.

Hi Whiteford,

When you enable split tunneling, if any VPN user wants to access the Internet, it will go the same way as the rest of the traffic. So, as in your case the rest of the traffic goes via the URL filtering server and then to the Internet, the same will happen when a VPN user accesses the Internet.

Rate if this helps!!

Regards,

Archana.

whiteford

On your ASA, configure what to filter via the following commands:

*Note*: in this sample, all URLs from any host and to any host will be filtered.

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

Any HTTP traffic through the ASA from any device on the inside, including VPN users, will be sent to your Websense server for filtering.

Do I still need to split the tunnel, if so how?

Sorry for my slow understanding, I just assumed that splitting the tunnel meant the remote site's Internet traffic didn't even come over the VPN to the ASA and out again.

Thanks

see this http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

Like I said, use the ASDM to make the change.

With the split-tunnel config, both internal and unencrypted Internet traffic will pass through the ASA.

Will this work for my site-to-site VPN too? I see the example is only for Cisco VPN clients.

Many thanks

Split tunneling applies only to remote VPN users.

For the site-to-site VPN, are you saying you want to filter web traffic also?

It will be filtered eventually, but at the moment the only way to give them the Internet is if I create a rule on the outside-to-inside ACL for the site-to-site IP ranges on http/https, but this also means full web access to internal servers.
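The ordering fix for the ACL question in this thread, as an added example that is not part of any post here or of Cisco's own documentation. With "no sysopt connection permit-vpn" set, decrypted VPN traffic (remote-access clients and the 877 site-to-site tunnel alike) is checked against the inbound ACL on the outside interface, and ASA ACLs are evaluated first match. So the rule from the original post, "permit ... any ... Http-Https", matches before anything below it and opens every internal web server. Putting an explicit deny to the internal networks above the permit-to-any closes that while still letting web traffic re-exit towards the Internet (and the Websense filter). The group names VPN_Remote_Networks, Http-Https and outside_access_in are the ones used in the original post; the Inside_Networks group, all addresses, the NAT pool and the ASA 8.2-era NAT syntax are assumptions to adapt:

```cisco
! Added example, not the thread's own config. Addresses are constructed.
object-group network VPN_Remote_Networks
 network-object 10.10.0.0 255.255.255.0      ! assumed: remote-access VPN pool
 network-object 192.168.50.0 255.255.255.0   ! assumed: LAN behind the Cisco 877
object-group network Inside_Networks
 network-object 10.1.0.0 255.255.0.0         ! assumed: HQ internal ranges
object-group service Http-Https tcp
 port-object eq www
 port-object eq https
!
! Keep the existing application rules first; they are unaffected, e.g.:
access-list outside_access_in extended permit tcp object-group VPN_Remote_Networks host 10.1.1.10 eq 1433
!
! WEAK (the rule from the post, shown commented out): first match wins, so this
! line alone also permits web access to every internal server.
! access-list outside_access_in extended permit tcp object-group VPN_Remote_Networks any object-group Http-Https
!
! CORRECTED: deny web to the internal ranges before permitting web to anything else.
access-list outside_access_in extended deny tcp object-group VPN_Remote_Networks object-group Inside_Networks object-group Http-Https
access-list outside_access_in extended permit tcp object-group VPN_Remote_Networks any object-group Http-Https
! Everything not listed is dropped by the implicit deny at the end of the ACL.
access-group outside_access_in in interface outside
!
! Web traffic arriving over the VPN leaves through the same outside interface,
! so hairpinning must be allowed and the VPN sources need a translation
! (assumed pre-8.3 NAT syntax; adjust for your ASA release):
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 10.10.0.0 255.255.255.0
nat (outside) 1 192.168.50.0 255.255.255.0
```

To verify the ordering before and after the change, use "show access-list outside_access_in" to watch hit counts on the deny and permit lines, and "packet-tracer input outside tcp 10.10.0.5 1025 10.1.1.20 80" (VPN client to an internal web server, which should now be dropped at the ACL phase) against "packet-tracer input outside tcp 10.10.0.5 1025 198.51.100.10 80" (VPN client to an Internet address, which should be allowed). The same deny-then-permit pattern can alternatively be applied per tunnel group with an ASA vpn-filter ACL, which takes effect regardless of the sysopt setting.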
