hi, can any body provide

r.kukreja · ‎09-10-2014

Hi,

we have requirement that remote users want to use corporate application like file server etc and at the same time they also want to use internet on their system

what are the options available on firewall to configure this.

what kind of security threats and vulnerability challenges wil be there if user access application and internet at same time

if possible please provide solution with explanation.

regards

rajat

Karsten Iwen · ‎09-10-2014

In general: If the client can directly communicate with the internet, it's easier for an attacker to use that PC as a jump-point into the network or to compromise the client. The typical solutions to give VPN-clients internet-access are:

Place a proxy server into your internal network and reconfigure the proxy-settings of the client to use this proxy. This reconfiguration can be done automatically, controlled by the ASA. This is my favorite solution for company employees. Optionally the proxy could scan the traffic for internet-threats like malware.
If you can't or don't want to deploy a proxy you can send all Internet-traffic straight back to the internet. For that you need a NAT-rule (outside,outside) to do dynamic PAT for your VPN-Pool and you have to configure "same-security-traffic permit intra-interface". This is my second choice for company employees. With this, there is no malware scan unless you have a security-module like CX in your firewall. Still, an internet-attacker will not be able to initiate a bidirectional connection to the client. And you have a central logging for client-activity while they are connected to the VPN.
Configure split-tunneling. With that, you only send traffic that is for your company through the tunnel and all the rest is allows directly from the client to the internet. This is the least secure solution. By little misconfiguration of the client (like disabled windows firewall) the PC can be attacked by systems on the internet.

r.kukreja · ‎09-10-2014

hi karsten,

can you elaborate little bit of first solution and second more . please share any practical scenario or any implementation guide if you have. looking forward for your valuable thoughts and suggestion

regards

rajat

r.kukreja · ‎09-10-2014

hi,

can any body provide split tunnelin example on asa version 9.1

regards

rajat

nkarthikeyan · ‎09-10-2014

Hi Rajat,

You can refer the below link for a config example with explaination.

http://www.petenetlive.com/KB/Article/0000943.htm

Regards

Karthik

nkarthikeyan · ‎09-10-2014

Hi,

In case if you have a sufficient bandwidth available in your office network, go with tunnel all and make everything to go via your office network.... so that you can keep a track on internet..... else another option is to do with split-tunnel for your vpn.... only office lan network will flow through vpn and rest will flow through their local gateway..... means all traffic related to office lan.... whatever you have in internal lan or vpn acl..... it will have routed to vpn gateway and all other ( 0.0.0.0) route will go via local gateway of the end user ISP.....

If you take things via office network.... you can limit / block the unnecessary ports or protocols to access..... you can keep the content filtering / proxy servers in inside lan to block black listed sites or malware sites......

Regards

Karthik

Split tunneling challenges