Community Member

VPN's into ASA can't access the Internet

Hi,

I have managed to get Cisco Client VPNs and a Site-to-Site office VPN (Cisco 877) onto my Cisco ASA and all working, until I issued the "no sysopt connection permit-vpn" command. This stops VPN traffic from being exempt from access-lists.

I want to control the VPNs by access list and have created all the correct rules for "outside_access_in", and the VPNs can connect to the servers on the ports needed. Now the only thing they can't access is the Internet, which they could before I issued that command.

If I add "permit tcp object-group VPN_Remote_Networks 0.0.0.0 0.0.0.0 object-group Http-Https" then they can access the Internet, but it also means they can access any web servers on the inside. Can I create a rule that only applies to their outbound traffic to the Internet?

Thanks

18 REPLIES
Community Member

Re: VPN's into ASA can't access the Internet

Hi

To allow VPN users to access the Internet when they are in the tunnel, you need to configure split tunneling.

Check the Cisco site, where you can get the configuration examples.

Regards,

Archana.

Re: VPN's into ASA can't access the Internet

see this http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

I suggest you use the ASDM to modify your VPN group for split-tunneling.

Please rate if this helps.

Community Member

Re: VPN's into ASA can't access the Internet

Hi, we don't want to split the traffic; all traffic needs to enter the ASA as we monitor the URLs.

Re: VPN's into ASA can't access the Internet

whiteford ,

With split tunneling you can use an ACL to control access to your corporate network across the tunnel by restricting what servers users can access based on TCP/UDP port, for example. All other traffic, such as instant messaging or casual browsing, is sent out to the Internet via the local LAN of the VPN Client.

Community Member

Re: VPN's into ASA can't access the Internet

But what if I need the Internet traffic to be filtered by our Websense URL server which is at the HQ where the ASA is? It would mean their internet traffic is not monitored.

Re: VPN's into ASA can't access the Internet

I am trying to understand your requirements. Not sure how the Websense works, but when the ASA sends Internet requests to the Websense software, are you filtering based on user account in Active Directory or IP address?

Community Member

Re: VPN's into ASA can't access the Internet

The Internet needs to come in on the same route as the rest of the traffic, as the URLs are monitored by our internal Websense URL filtering server; we need to make sure this traffic is monitored. The only way I can see this working is if I leave that http/https rule to "any", then it all works, but it means they can access internal sites they don't need to.

Community Member

Re: VPN's into ASA can't access the Internet

Hi Whiteford,

When you enable split tunneling, any VPN user who wants to access the Internet will go via the same path as the rest of the other traffic. So, as in your case, the rest of the traffic goes via the URL filtering server and then accesses the Internet; the same will happen when a VPN user accesses the Internet.

Rate if this helps!!

Regards,

Archana.

Re: VPN's into ASA can't access the Internet

whiteford

On your ASA, configure what to filter via the following commands:

*note* in this sample, all urls from any host and to any host will be filtered.

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

Any HTTP traffic through the ASA from any devices on the inside, including VPN users, will be sent to your Websense server for filtering.

Community Member

Re: VPN's into ASA can't access the Internet

Do I still need to split the tunnel, if so how?

Sorry for my slow understanding, I just assumed that splitting the tunnel meant the remote site's Internet traffic didn't even come over the VPN to the ASA and out again.

Thanks

Re: VPN's into ASA can't access the Internet

see this http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

Like I said, use the ASDM to make the change.

With the split-tunnel config, both internal and unencrypted Internet traffic will pass through the ASA.

Community Member

Re: VPN's into ASA can't access the Internet

Will this work for my Site-to-Site VPN too? I see the example only for Cisco VPN clients?

Many thanks

Re: VPN's into ASA can't access the Internet

The split-tunnel applies only to remote VPN users.

For the site-to-site VPN, are you saying you want to filter web traffic also?

Community Member

Re: VPN's into ASA can't access the Internet

It will be filtered eventually, but at the moment the only way to give them the Internet is if I create a rule on the outside to inside for the site-to-site IP ranges on http/https, but this also means full web access to internal servers.

Re: VPN's into ASA can't access the Internet

Correct. The site-to-site traffic will be filtered by the Websense server if you have "filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow" enabled on the ASA. The ASA will send traffic for everything coming from inside to outside to your Websense server.

The reason why you have to create the rule on the outside to inside interface is because you have the "no sysopt connection permit-vpn" command enabled. With the "no sysopt connection permit-vpn" command enabled on your ASA, you are not bypassing the ACL applied to your outside interface.

The ACL rule you created that applies to your ASA outside interface is permitting only http/https for the site-to-site VPN traffic terminating on the ASA outside interface, so you are restricting access to the internal network based on your site-to-site IP ranges, allowing only http/https. Nothing else should be allowed to pass.

Am I making sense?

Bronze

Re: VPN's into ASA can't access the Internet

You are correct: when you split-tunnel, the traffic that comes through the tunnel is defined by the ACL that you create; all other traffic bypasses the tunnel and heads out to the Internet "normally". If you want to filter the traffic for the RA users then you have the setup correct, as all traffic needs to be sent to the ASA through the VPN tunnel. I did this for a client about 2 years ago, let me see if I can dig it up for you.

Another command is "same-security-traffic permit intra-interface"; this will allow the traffic to traverse the same interface, say coming in the outside interface then back out the outside interface, "hairpinning" the traffic. The sysopt command that you used is for bypassing all the ACLs for VPN traffic. That's the reason things stopped working, because the ACLs are now affecting the traffic, which you stated. If you want, you can put filters to not allow traffic to the internal network on ports 80 and 443, but permit it to the Internet.

Also, you need to ensure that your NATs are correct for the VPN users' traffic to access the Internet.

This way all traffic will be sent through the ASA and then websense can be used for traffic filtering.

Hope this helps, if so please rate..

Community Member

Re: VPN's into ASA can't access the Internet

If you can dig it then great!

If you want you can put filters to not allow traffic to the internal network on port 80 and 443, but permit to the internet.

This sounds like what I need...How? And I need 443 and 80 only on some internal servers but I have ACL already working for this.

Bronze

Re: VPN's into ASA can't access the Internet

Here's part of the configuration for the filter:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

This will answer the other question for hairpinning the traffic as I can't find the configuration:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpnsysop.html#wp1042114

This will do what you want with the Internet traffic. I have never tested this with a Websense in the middle (ASA diverting traffic to it), but since the ASA needs to process the traffic it should work.

HTH, please rate if this was helpful..
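Putting the replies above together, the following is an added illustration (not configuration posted in this thread or taken from Cisco's examples) of an outside_access_in ACL that lets the VPN ranges reach only named internal web servers, blocks them from the rest of the internal address space on 80/443, and still permits web traffic out to the Internet, with the hairpin and NAT statements the replies mention. All addresses, the Internal_Networks and Allowed_Web_Servers groups, and the pre-8.3 nat/global syntax (matching the asa80 guide linked above) are assumptions.

```cisco
! VPN traffic stays subject to the outside ACL, as in the original post
no sysopt connection permit-vpn
! Allow traffic to enter and leave the outside interface (hairpinning)
same-security-traffic permit intra-interface

! Address groups (constructed example values, not from the thread)
object-group network VPN_Remote_Networks
 network-object 10.50.0.0 255.255.0.0
 network-object 192.168.77.0 255.255.255.0
object-group network Internal_Networks
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network Allowed_Web_Servers
 network-object host 10.1.1.10
 network-object host 10.1.1.11
object-group service Http-Https tcp
 port-object eq www
 port-object eq https

! Order matters: the ASA evaluates ACL entries top down, first match wins
! 1. the specific internal web servers the VPN users are allowed to reach
access-list outside_access_in extended permit tcp object-group VPN_Remote_Networks object-group Allowed_Web_Servers object-group Http-Https
! 2. deny web access to every other internal address
access-list outside_access_in extended deny tcp object-group VPN_Remote_Networks object-group Internal_Networks object-group Http-Https
! 3. what remains is the Internet: permit it (the URL filter still inspects it)
access-list outside_access_in extended permit tcp object-group VPN_Remote_Networks any object-group Http-Https
! (other existing outside_access_in entries for non-web ports are unaffected;
!  everything not listed hits the implicit deny at the end)
access-group outside_access_in in interface outside

! Hairpinned Internet traffic must be translated to the outside address
! (pre-8.3 NAT syntax; with 8.3+ this is expressed as object NAT instead)
global (outside) 1 interface
nat (outside) 1 10.50.0.0 255.255.0.0
nat (outside) 1 192.168.77.0 255.255.255.0

! Send all HTTP through the Websense filter, as shown earlier in the thread
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
```

Check the result with "show access-list outside_access_in": the deny entry's hit count should climb when a VPN host tries an internal address outside Allowed_Web_Servers, while the final permit carries the Internet traffic.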
