VPN clients unable to access internet

Unanswered Question
Sep 28th, 2010

Hi folks,

I have an ASA 5510 running 8.2(2)17 code which is terminating remote access VPNs. The VPN users connect using the Cisco VPN Client (version 5.0.06.0160).

The ASA is also using a websense device for url filtering.

Local users can access the internet, and are having their traffic filtered correctly by Websense, but VPN users cannot access the internet (the vpn negotiates correctly, and they can access internal networks).

From running packet captures, it looks like traffic from the vpn clients is leaving the asa, but I'm not seeing corresponding return traffic.

There are two things that strike me as odd/bad:

1 - When I connect to the VPN, the default gateway that I am assigned is the first address in the VPN DHCP pool (i.e. the VPN pool is 1.1.1.1 to 1.1.1.250/24 ... I am assigned the address 1.1.1.10, and my default gateway is 1.1.1.1). I have not configured this default gateway anywhere on the ASA.

2 - My PC's routing table shows two default gateways. The first goes via my wireless network, and has a metric of 25.

The second is via the VPN gateway mentioned above (1.1.1.1) and has a metric of 26, which should be less preferable. I would have thought that the VPN gateway should be the preferred route. The routing table also shows no routes to internal networks (even though they are accessible over the VPN).

Any help or suggestions would be greatly appreciated.

Thanks,

Darragh

Jennifer Halim Tue, 09/28/2010 - 03:27

A few questions to ask:

1) How do you direct the VPN users to use Websense for URL filtering? through proxy settings?

2) Is the VPN configured with split tunneling or no split tunneling?

The two things that you thought were bad are actually normal. The traffic, before it gets encrypted, will be routed towards the VPN tunnel, hence you are seeing the default gateway that you didn't configure. That is normal, as traffic will be encrypted by the VPN client and sent to the ASA.

darragh long Tue, 09/28/2010 - 03:53

Hi Jennifer,

I haven't set up anything to explicitly point VPN users to Websense (I've just configured a catch-all filter list 'filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0').

I don't have split tunneling enabled.

Thanks,

Darragh

Jennifer Halim Tue, 09/28/2010 - 03:59

If you use the "filter url" command to redirect traffic towards the Websense server, that only works for outbound traffic, i.e. from the internal network towards the internet. For VPN clients, traffic is coming inbound towards the ASA outside interface, hence it will not be redirected towards the Websense server.

darragh long Tue, 09/28/2010 - 06:28

Thanks again Jennifer. Is there a way I can force the VPN users' traffic to use the Websense server?

Jennifer Halim Tue, 09/28/2010 - 06:31

No, unfortunately not for VPN users, unless you configure proxy settings on the browser to use Websense; however, Websense needs to support this as well.
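The browser-proxy route suggested in the answer above, as an added example that is not part of the thread and not Cisco's or Websense's code: a PAC (proxy auto-config) script that sends web traffic to Websense as an explicit proxy only while the PC holds an address from the VPN pool, and goes direct otherwise (office LAN users are already filtered in-line by the ASA's outbound "filter url"). The proxy hostname/port and the internal domain suffix are assumptions; the 1.1.1.0/24 pool is the one from the original post. The PAC built-ins (myIpAddress, isInNet, isPlainHostName, dnsDomainIs) are normally provided by the browser's PAC engine and are re-implemented here, for dotted-quad addresses only, so the script also runs stand-alone under Node for testing.

```javascript
// Added example (not from the thread): PAC script that forces VPN-pool clients
// through a Websense explicit proxy. Written in PAC-compatible JavaScript
// (var, no ES6 features) so it loads in older PAC engines such as WinHTTP.
//
// Assumptions (not from the thread): proxy host/port and internal domain.
var VPN_POOL        = "1.1.1.0";        // VPN address pool from the original post
var VPN_POOL_MASK   = "255.255.255.0";
var WEBSENSE_PROXY  = "PROXY websense-proxy.example.internal:8080"; // assumed
var INTERNAL_DOMAIN = ".corp.example";                              // assumed

// Convert a dotted-quad IPv4 string to an unsigned 32-bit number.
function ipToInt(ip) {
  var parts = ip.split(".");
  var n = 0;
  for (var i = 0; i < 4; i++) {
    n = n * 256 + (parseInt(parts[i], 10) || 0);
  }
  return n;
}

// PAC isInNet(): true when host (dotted quad only here; the browser's own
// version also resolves names) lies inside pattern/mask.
function isInNet(host, pattern, mask) {
  var m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

// PAC isPlainHostName(): a name with no dots, e.g. "intranet".
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// PAC dnsDomainIs(): host ends with the given domain suffix.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.lastIndexOf(domain) === host.length - domain.length;
}

// Core decision, kept separate from FindProxyForURL so it can be tested with
// an explicit client address instead of the browser's myIpAddress().
function chooseProxy(url, host, clientIp) {
  // Internal hosts are reached over the tunnel and are not URL-filtered;
  // send them direct so the proxy never sits in the path of internal apps.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // VPN-pool client: force the Websense proxy. Deliberately no "; DIRECT"
  // fallback, so a user cannot bypass filtering by making the proxy unreachable.
  if (isInNet(clientIp, VPN_POOL, VPN_POOL_MASK)) {
    return WEBSENSE_PROXY;
  }
  // Everyone else (e.g. office LAN users) is filtered in-line by the ASA's
  // outbound "filter url", as described in the thread; go direct.
  return "DIRECT";
}

// Entry point the browser calls. myIpAddress() exists only inside a PAC
// engine; outside a browser fall back to 0.0.0.0 (treated as "not on VPN").
function FindProxyForURL(url, host) {
  var me = (typeof myIpAddress === "function") ? myIpAddress() : "0.0.0.0";
  return chooseProxy(url, host, me);
}
```

Two caveats before relying on this. First, it is client-side policy, not enforcement: a user who can edit browser proxy settings can drop the PAC, so it is a convenience for honest users rather than a substitute for filtering on the gateway. Second, with a full-tunnel client some platforms return the physical adapter's address from myIpAddress() rather than the VPN adapter's, so verify on a real client that the VPN-pool branch is actually taken; and, as the answer notes, Websense must be deployed in a mode that accepts explicit proxy connections for the PROXY directive to work at all.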
