We have a cymphonix web filter appliance that bridges between the internal network and the ASA Firewall.
I have a couple of sites on L2L VPN's I'd like the web traffic routed through the Cymphonix device, which means pushing out the inside interface and letting it bounce back out through the "proper" channels. The simplest way I could think of was to set the Tunnel gateway address to my internal main router. However, when I do this my remote VPN sites lose internet access (tunnel stays available for local traffic). Right now the remote sites access the internet directly through the outside interface of the ASA. See below cfg snippet, other site is configured identically.
access-list PVL_VPN extended permit ip any 192.168.118.0 255.255.255.0
access-list nonat extended permit ip any 192.168.118.0 255.255.255.0
nat (Outside) 1 192.168.118.0 255.255.255.0
route Outside 192.168.118.0 255.255.255.0 22.214.171.124 1
Will my intended scenario work at all? Seemed simple enough, change the gateway to an internal router with a route back out. But in practice it isn't as easy.
When you configure a tunnel default gateway on the ASA, it will send all encrypted traffic to that gateway (internal router).
This will disrupt Internet access for remote VPNs (if not using split tunneling).
The solution as you mentioned, is to have a route back out on the internal router pointing to the Internet again (at least for the VPN clients).
What is the problem that you see with implementing this?
I assumed the default route on my internal router would handle this. It points back to the inside interface of the ASA which should send any 0.0.0.0 traffic back through the Cymphonix box and out to the internet. But this isn't what happened.
If the internal router has a default route pointing to the ASA, and the ASA has a default gateway to the Internet it should work... but check the following...
If the traffic from the remote VPN clients is terminating on the ASA and then sent to the internal router, the internal router will send it back to the ASA to the Internet.
The ASA should have a NAT statement that allows the pool of VPN client addresses to get NATed to the Internet.
Let's say the pool of VPN addresses is: 10.x.x.x/24
So, when traffic from 10.x.x.x/24 is getting back to the inside interface of the ASA (from the internal router), the ASA should be able to NAT this traffic:
nat (inside) 1 10.x.x.0 255.255.255.0
global (outside) 1 interface
I believe the traffic from the remote VPN clients is getting to the tunnel default gateway, back to the ASA, and then dying? Is this happening?
If this is so, check the NAT configuration on the ASA.
If the problem persists, please let us know where the traffic seems to stop.
I just turned on some debugging on my internal router to see if I could see packets coming from my VPN location to the internal router and I could not. NAT is set up correctly for outgoing connections, my 14 other non-vpn sites are fine. VPN sites are fine until I change the gateway. Very strange.
Is there an outbound ACL on the inside interface of the ASA preventing the VPN traffic from reaching the inside router?
You might want to try a traceroute from the VPN client when going to the Internet and see if the traffic reaches the internal router.
If the traffic is not reaching the internal router, could you verify if the ASA is sending that traffic to the internal router?
You can do this with an ACL applied outbound to the inside interface of the ASA, for example:
access-list test-vpn permit ip 10.x.x.0 255.255.255.0 any
access-list test-vpn permit ip any any
access-group test-vpn out interface inside
If doing a ''sh access-list test-vpn'' you see hitcounts on the first line, you know the ASA is sending the traffic from the remote clients to the inside router.
We will need to determine why you don't see this traffic reaching the router itself.
If you don't see hitcounts, most likely the ASA is rerouting the traffic back out another interface, or dropping the traffic.
Which case is it?
You were right... it should work.... that is if the dummy who is configuring it applies the tunnel gateway on the correct interface! I realized after banging my head against the wall, that I should be applying the gateway to the INSIDE interface, not the OUTSIDE interface. I switched and "VOILA!" filtered web access! It always helps to apply things to the correct interfaces!
I am trying to do the same thing. I have not yet placed my web filter inline pending my testing. I have a layer 3 switch on the inside interface of my ASA and it has a default route to the ASA.
My VPN clients are in pool 10.1.111.0/24
My inside network is 10.2.0.0/16 and 10.1.105.0/24, the inside interface is named APP
My outside PAT address for 10.1.111.0/24 is 62.x.x.62
Layer 3 switch IP: 10.2.1.1
ASA inside interface is 10.2.1.3
ASA configuration snippets:
! Route statements in ASA:
route Public 0.0.0.0 0.0.0.0 y.y.y.y 1 ! (y.y.y.y is my real outside address, 62.x.x.0/64 is a routed network to y.y.y.y)
route APP 0.0.0.0 0.0.0.0 10.2.1.1 tunneled
route APP APP-network 255.255.255.0 10.2.1.1 1
route APP Internal-network 255.255.0.0 10.2.1.1 1
APP-network = 10.1.105.0
Internal-network = 10.2.0.0
! Last statement of APP_access_in ACL which allows my VPN addresses to pass through from the inside (APP) to anywhere:
access-list APP_access_in extended permit ip 10.1.111.0 255.255.255.0 any
! NAT Exempt inside (APP) when communicating with 10.1.0.0/16 (includes VPN clients)
access-list APP_nat0_outbound extended permit ip Internal-network 255.255.0.0 10.1.0.0 255.255.0.0
global (Public) 2 62.x.x.62 netmask 255.0.0.0
nat (Public) 2 10.1.111.0 255.255.255.0 ! NAT the VPN client
GUI log messages:
6|Jun 08 2010|23:46:28|302020|126.96.36.199|0|10.1.111.11|7|Built inbound ICMP connection for faddr 188.8.131.52/0 gaddr 62.xxx.xxx.62/5 laddr 10.1.111.11/7
6|Jun 08 2010|23:46:28|302020|10.1.111.11|7|184.108.40.206|0|Built outbound ICMP connection for faddr 220.127.116.11/0 gaddr 62.xxx.xxx.62/5 laddr 10.1.111.11/7
It looks as if my ping goes out and comes back but 10.1.111.11 (VPN client) does not see the echo reply. If I remove the tunneled route, I do get the replies:
no route APP 0.0.0.0 0.0.0.0 10.2.1.1 tunneled
So, it appears I am going from VPN Client -> ASA -> inside layer 3 switch -> ASA -> 18.104.22.168 -> ASA -> drops
Based on my SHOW XLATE and the above log message, I am translating 10.1.111.11 to 62.xxx.xxx.62.
Any help why my VPN client cannot communicate with the Internet?
Could anyone post/send me a working config (sanitized, of course)?
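The diagnosis in this thread rests on reading the ASA 302020 "Built inbound/outbound ICMP connection" log lines and checking two things: whether the VPN client's real address (laddr) was translated to the expected PAT address (gaddr), and whether the ASA built the flow in both directions. The script below is an added example, not code from the thread or from Cisco. It parses the pipe-separated GUI log format shown above and automates those two checks over a small constructed log; the sample addresses (203.0.113.10 as the far side, 198.51.100.62 standing in for the 62.xxx.xxx.62 PAT address, 10.1.111.0/24 as the VPN pool) are placeholders chosen for the example.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines in the ASA GUI log layout used in the thread:
# severity|date|time|msg-id|src|src-port|dst|dst-port|message text.
# Addresses are documentation/placeholder values, not real hosts.
SAMPLE_LOG = """\
6|Jun 08 2010|23:46:28|302020|203.0.113.10|0|10.1.111.11|7|Built inbound ICMP connection for faddr 203.0.113.10/0 gaddr 198.51.100.62/5 laddr 10.1.111.11/7
6|Jun 08 2010|23:46:28|302020|10.1.111.11|7|203.0.113.10|0|Built outbound ICMP connection for faddr 203.0.113.10/0 gaddr 198.51.100.62/5 laddr 10.1.111.11/7
6|Jun 08 2010|23:47:01|302020|10.1.111.12|9|203.0.113.10|0|Built outbound ICMP connection for faddr 203.0.113.10/0 gaddr 10.1.111.12/9 laddr 10.1.111.12/9
6|Jun 08 2010|23:47:05|302013|10.2.5.20|51200|203.0.113.10|80|Built outbound TCP connection 4711 for Public:203.0.113.10/80 (203.0.113.10/80) to APP:10.2.5.20/51200 (198.51.100.62/51200)
"""

# Text portion of message 302020 (ICMP connection built).
_MSG_302020 = re.compile(
    r"Built (?P<direction>inbound|outbound) ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/\d+ "
    r"gaddr (?P<gaddr>[\d.]+)/\d+ "
    r"laddr (?P<laddr>[\d.]+)/\d+"
)


@dataclass(frozen=True)
class IcmpConn:
    timestamp: str
    direction: str  # "inbound" or "outbound"
    faddr: str      # foreign (far-side) address
    gaddr: str      # global address: what the far side sees after NAT
    laddr: str      # local (real) address on the inside


def parse_302020(line: str) -> Optional[IcmpConn]:
    """Parse one GUI log line; return None for any other message ID."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 9 or fields[3] != "302020":
        return None
    m = _MSG_302020.search(fields[-1])
    if not m:
        return None
    return IcmpConn(
        timestamp=f"{fields[1]} {fields[2]}",
        direction=m["direction"],
        faddr=m["faddr"],
        gaddr=m["gaddr"],
        laddr=m["laddr"],
    )


def parse_log(text: str) -> List[IcmpConn]:
    return [c for c in (parse_302020(ln) for ln in text.splitlines()) if c]


def audit_vpn_translation(conns: List[IcmpConn], vpn_pool: str,
                          expected_pat: str) -> Dict[str, List[IcmpConn]]:
    """Sort VPN-client connections by whether laddr was translated to the
    expected PAT address. A VPN client whose gaddr equals its own laddr hit
    a NAT-exempt rule (or no NAT rule) instead of the outside PAT."""
    pool = ip_network(vpn_pool)
    pat = ip_address(expected_pat)
    out: Dict[str, List[IcmpConn]] = {"translated": [], "not_translated": []}
    for c in conns:
        if ip_address(c.laddr) not in pool:
            continue  # not a VPN client, outside the scope of this check
        bucket = "translated" if ip_address(c.gaddr) == pat else "not_translated"
        out[bucket].append(c)
    return out


def flow_directions(conns: List[IcmpConn]) -> Dict[Tuple[str, str], Set[str]]:
    """Group by (laddr, faddr) and collect the directions the ASA logged.
    A flow with both 'outbound' and 'inbound' means the echo went out and the
    reply came back through the ASA; if the client still sees no reply, the
    loss is on the inside path after the ASA, not on the Internet side."""
    seen: Dict[Tuple[str, str], Set[str]] = {}
    for c in conns:
        seen.setdefault((c.laddr, c.faddr), set()).add(c.direction)
    return seen


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    report = audit_vpn_translation(conns, "10.1.111.0/24", "198.51.100.62")
    for name, items in report.items():
        print(name, [(c.laddr, c.gaddr, c.direction) for c in items])
    for flow, dirs in flow_directions(conns).items():
        print(flow, sorted(dirs))
```

Run it as a script to see the summary, or feed real exported GUI log text to `parse_log`; only message 302020 lines are consumed, everything else (the constructed 302013 TCP line in the sample included) is skipped. The `flow_directions` result for 10.1.111.11 reproduces the reading in the post above: both directions are built on the ASA, so the translation itself is working and the missing reply has to be traced between the ASA's inside interface and the client.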