VPN's into ASA can't access the Internet

whiteford
Level 1

Hi,

I have managed to get Cisco client VPNs and a site-to-site office VPN (Cisco 877) onto my Cisco ASA and all working, until I issued the "no sysopt connection permit-vpn" command. This stops VPN traffic from being exempt from access-lists.

I want to control the VPNs by access list and have created all the correct rules for "outside_access_in", and the VPNs can connect to the servers on the ports needed. Now the only thing they can't access is the internet, which they could before I issued that command.

If I add "permit tcp object-group VPN_Remote_Networks 0.0.0.0 0.0.0.0 object-group Http-Https" then they can access the Internet, but it also means they can access any webservers on the inside. Can I create a rule that only applies to their outbound traffic to the internet?

Thanks

18 Replies

Correct. The site-site traffic will be filtered by the Websense server if you have "filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow" enabled on the ASA. The ASA will send traffic for everything coming from the inside-outside to your Websense server.

The reason why you have to create the rule on the outside to inside interface is because you have the "no sysopt connection permit-vpn" command enabled. With the "no sysopt connection permit-vpn" command enabled on your ASA, you are not bypassing the ACL applied to your outside interface.

The ACL rule you created that applies to your ASA outside interface is permitting only http/https for the site-site VPN traffic terminating on the ASA outside interface, so you are restricting access to the internal network based on your site-site IP ranges, allowing only http/https. Nothing else should be allowed to pass.

Am I making sense?

You are correct. When you split-tunnel, the traffic that comes through the tunnel is defined by the ACL that you create; all other traffic bypasses the tunnel and heads out to the internet "normally". If you want to filter the traffic for the RA users then you have the setup correct, as all traffic needs to be sent to the ASA through the VPN tunnel. I did this for a client about 2 years ago, let me see if I can dig it up for you.

Another command is "same-security-traffic permit intra-interface". This will allow the traffic to traverse the same interface, say coming in the outside interface then back out the outside interface, "hairpinning" the traffic. The sysopt command that you used is for bypassing all the ACLs for VPN traffic. That's the reason things stopped working, because the ACLs are now affecting the traffic, which you stated. If you want, you can put filters to not allow traffic to the internal network on port 80 and 443, but permit it to the internet.

Also, you need to ensure that your NATs are correct for the VPN users' traffic to access the internet.

This way all traffic will be sent through the ASA and then websense can be used for traffic filtering.

Hope this helps, if so please rate.

If you can dig it then great!

If you want you can put filters to not allow traffic to the internal network on port 80 and 443, but permit to the internet.

This sounds like what I need... How? And I need 443 and 80 only on some internal servers, but I have an ACL already working for this.

Here's part of the configuration for the filter:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

This will answer the other question for hairpinning the traffic, as I can't find the configuration:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpnsysop.html#wp1042114

This will do what you want with the internet traffic. I have never tested this with a Websense in the middle (ASA diverting traffic to it), but since the ASA needs to process the traffic it should work.

HTH, please rate if this was helpful.
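As an added illustration of the approach the replies describe (rule ordering on the outside ACL, hairpinning, and NAT for the VPN pool), and not configuration taken from this thread or from Cisco's linked examples, the following ASA 8.0-style fragment reuses the object-group names from the original post and assumes an inside network of 10.10.0.0/16, two internal web servers that VPN users may reach, and a VPN address pool of 192.168.50.0/24:

```cisco
! --- Assumed addressing (constructed for this example, not from the thread) ---
object-group network Inside_Networks
 network-object 10.10.0.0 255.255.0.0
object-group network Inside_Web_Servers
 network-object host 10.10.1.10
 network-object host 10.10.1.11
! The service group the original post already uses
object-group service Http-Https tcp
 port-object eq www
 port-object eq https

! Because "no sysopt connection permit-vpn" is set, decrypted VPN traffic is
! evaluated against outside_access_in. The ASA processes ACL entries in order
! and stops at the first match, so the order below is what matters.
!
! 1. The specific server rules that already work stay at the top.
access-list outside_access_in extended permit tcp object-group VPN_Remote_Networks object-group Inside_Web_Servers object-group Http-Https
! 2. Deny web access to every other inside host BEFORE the Internet permit.
access-list outside_access_in extended deny tcp object-group VPN_Remote_Networks object-group Inside_Networks object-group Http-Https
! 3. Only now permit web access to anywhere else, i.e. the Internet.
access-list outside_access_in extended permit tcp object-group VPN_Remote_Networks any object-group Http-Https
! Everything not matched above falls to the implicit deny at the end of the ACL.
access-group outside_access_in in interface outside

! VPN users' Internet traffic enters and leaves on the same interface,
! which the ASA blocks unless hairpinning is explicitly allowed.
same-security-traffic permit intra-interface

! Pre-8.3 NAT so the VPN pool is translated to the outside interface address
! on the way back out; without this the hairpinned traffic is not forwarded.
global (outside) 1 interface
nat (outside) 1 192.168.50.0 255.255.255.0

! Optional: with the URL filter from the reply above, the hairpinned HTTP
! traffic is also sent to the Websense server for inspection.
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
```

Verify the ordering with "show access-list outside_access_in" and confirm that the hit counts on the deny line increase when a VPN client browses to an inside address that is not one of the permitted servers.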
