Using a VPN3005, our VPN Clients use Groups to establish the VPN Tunnel to the 3005. We use Filters on those Groups to control which servers they can access (i.e., E-Mail, Intranet, File Storage, etc.).
Usually at the end of our list of "permitted" server rules we will have a "deny all servers" rule to prevent access to all other servers and subnets that are not specifically permitted by previous rules.
Unfortunately, this also prevents them from accessing the Internet while connected to the VPN (we don't allow split tunneling).
If we do not apply any filters to the Group (like for IT Support), traffic to the Internet goes out the Data Center connection. This is what I want for everyone, but I must put filters to restrict access to certain servers (i.e., Accounting, HR, etc.).
What rule do I need to allow VPN clients to access the Internet using our Data Center connection while connected via VPN? I'm sure it is something simple, but I just don't see it...
Thanks in advance for any suggestions or comments!
Well, the entire filter consists of a number of rules that allow traffic to individual servers including DNS, DHCP, Email, File Shares, etc. (all the things that a user would need to get to).
At the end is a rule that basically says deny any traffic to anything. That is extreme, but when I put it together it seemed to me that the rules would be processed in order much like Cisco ACLs.
Therefore, users would get to servers and services they needed because those "permit" lists were at the top. If they were trying to go to a server that was not permitted, then the "deny all" rule would keep them from accessing other servers.
Obviously, this also blocks any web-bound traffic (and I understand this). I am looking for a specific rule that would allow traffic to the web that could be inserted before the "deny all servers" rule.
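The ordering behaviour the poster describes (permits to specific servers at the top, a catch-all deny at the bottom, first match wins) is the same first-match model used by ordered ACLs. The following is an added illustration, not code from the thread or from Cisco: a small first-match filter evaluator over a constructed rule list with made-up RFC 1918 addresses. It shows why the trailing "deny all servers" rule blocks Internet-bound traffic, why simply inserting a "permit any" before it would also expose the restricted servers (Accounting, HR), and how placing explicit denies for the restricted servers ahead of the "permit any" keeps them blocked while general traffic passes. The rule tuples, addresses and function names are all assumptions for the example; the VPN 3005 filter syntax itself is not reproduced.

```python
from ipaddress import ip_address, ip_network

# Constructed sample filter modelled on the posting: permit the servers a
# user needs, then deny everything else. Addresses are made-up, not from
# the original post. Each rule is (action, destination network, label).
FILTER = [
    ("permit", "10.0.0.10/32", "DNS"),
    ("permit", "10.0.0.11/32", "Email"),
    ("permit", "10.0.0.20/32", "File shares"),
    ("deny",   "0.0.0.0/0",    "deny all servers"),
]

# Constructed: servers that must stay unreachable for this Group.
RESTRICTED = [
    ("deny", "10.0.1.0/24", "Accounting/HR subnet"),
]

# Constructed: a stand-in for "any Internet destination".
PERMIT_ANY = ("permit", "0.0.0.0/0", "permit any (Internet)")


def evaluate(rules, dst):
    """First-match evaluation, as the poster assumed (like a Cisco ACL):
    return (action, label) of the first rule whose destination network
    contains dst. If nothing matches, treat it as an implicit deny."""
    addr = ip_address(dst)
    for action, net, label in rules:
        if addr in ip_network(net):
            return action, label
    return "deny", "implicit deny"


def naive_permit_any(rules):
    """Insert a bare 'permit any' just before the trailing deny-all.
    This opens Internet access but ALSO opens every server not already
    covered by an explicit rule, including the restricted ones."""
    *body, catch_all = rules
    return body + [PERMIT_ANY, catch_all]


def with_internet_access(rules, restricted):
    """Insert explicit denies for restricted servers, then 'permit any',
    before the trailing deny-all. Because evaluation stops at the first
    match, restricted destinations hit their deny before reaching the
    permit-any, while everything else (Internet-bound traffic) passes.
    Assumes the last rule in `rules` is the catch-all deny."""
    *body, catch_all = rules
    return body + list(restricted) + [PERMIT_ANY, catch_all]


def audit(rules, destinations):
    """Return {destination: action} so a change can be checked against
    a fixed set of representative destinations before it is deployed."""
    return {dst: evaluate(rules, dst)[0] for dst in destinations}


if __name__ == "__main__":
    # Constructed probe set: a permitted server, a restricted server,
    # and a public (Internet) address.
    probes = ["10.0.0.11", "10.0.1.5", "203.0.113.50"]
    for name, rules in [
        ("original filter", FILTER),
        ("naive permit-any", naive_permit_any(FILTER)),
        ("deny-restricted then permit-any", with_internet_access(FILTER, RESTRICTED)),
    ]:
        print(f"{name}: {audit(rules, probes)}")
```

Running the script prints one line per variant; the middle variant is the one to watch for, since the audit shows the restricted 10.0.1.5 flipping to "permit" when a bare "permit any" is added without the preceding denies.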