VPN clients unable to access internet

darragh long
Level 1

Hi folks,

I have an ASA 5510 running 8.2(2)17 code which is terminating remote access VPNs. The VPN users connect using the Cisco VPN Client (version 5.0.06.0160).

The ASA is also using a websense device for url filtering.

Local users can access the internet, and are having their traffic filtered correctly by Websense, but VPN users cannot access the internet (the vpn negotiates correctly, and they can access internal networks).

From running packet captures, it looks like traffic from the vpn clients is leaving the asa, but I'm not seeing corresponding return traffic.

There are two things that strike me as odd/bad:

1 - When I connect to the VPN, the default gateway that I am assigned is the first address in the VPN DHCP pool (i.e. the VPN pool is 1.1.1.1 to 1.1.1.250/24; I am assigned the address 1.1.1.10, and my default gateway is 1.1.1.1). I have not configured this default gateway anywhere on the ASA.

2 - My PC's routing table shows two default gateways. The first goes via my wireless network and has a metric of 25; the second is via the VPN gateway mentioned above (1.1.1.1) and has a metric of 26, which should be less preferable. I would have thought that the VPN gateway should be the preferred route. The routing table also shows no routes to internal networks (even though they are accessible over the VPN).

Any help or suggestions would be greatly appreciated.

Thanks,

Darragh

5 Replies

Jennifer Halim
Cisco Employee

A few questions to ask:

1) How do you direct the VPN users to use Websense for URL filtering? Through proxy settings?

2) Is the VPN configured with split tunneling or no split tunneling?

The two things that you thought were bad are actually normal. The traffic, before it gets encrypted, will be routed towards the VPN tunnel, hence you are seeing the default gateway that you didn't configure. That is normal, as traffic will be encrypted by the VPN client and sent to the ASA.

Hi Jennifer,

I haven't set up anything to explicitly point VPN users to Websense (I've just configured a catch-all filter list: 'filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0').

I don't have split tunneling enabled.

Thanks,

Darragh

If you use the "filter url" command to redirect traffic towards the Websense server, that only works for outbound traffic, i.e. from the internal network towards the internet. For VPN clients, traffic is coming inbound towards the ASA outside interface, hence it will not be redirected towards the Websense server.

Thanks again Jennifer. Is there a way I can force the VPN users' traffic to use the Websense server?

No, unfortunately not for VPN users, unless you configure proxy settings on the browser to use Websense; however, Websense needs to support this as well.
