no split tunnel-internet access via isa in dmz

hi,

I have configured my ASA 5520 v7.2 for remote VPN. It is working fine. I need to provide my clients access to the internet without enabling split tunnel. I have gone through some docs, for example the one below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

The above one is not enough for me as I have a different requirement.

I want my clients to VPN to the ASA, and for accessing the internet I have got an ISA connected to the VPN device. All my VPN clients that want to access the internet should use this for internet access. My ISA server is in the same subnet as the VPN device but uses a different gateway for internet access.

Please comment.


Re: no split tunnel-internet access via isa in dmz

Adil,

To be honest - not so easy. Right off the bat, the easiest way I can think of is to:-

1) Tunnel All

2) Then add the below

group-policy <> attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass disable

x.x.x.x = ISA IP Address

The above will push Internet Explorer proxy settings into the remote user's browser. Obviously it only works with IE (ho hum). I have tested this in the lab with Squid Proxy Server, not ISA, but it worked quite well.

HTH.


Re: no split tunnel-internet access via isa in dmz

Great HTH,

What do you mean by tunnel all? All VPN clients are connecting as remote VPN.

Can I set up a couple of tunnels, i.e. for the corp network use a tunnel which points to the inside device, and for any 0.0.0.0 traffic point the tunnel to the ISA, which can act as gateway?

Can you send me some docs on how this can be done?

I appreciate your comments.

regs,

a

Re: no split tunnel-internet access via isa in dmz

Tunnel All - means you are encrypting all the traffic from the VPN client to the ASA.

Split-tunneling - means you encrypt specific IP subnets only.

Tunnel all with local LAN access - means the client can reach its local subnet (for local printing etc.); anything else is encrypted.

You could set that up, yes. Do you have any existing remote VPN configuration? It would be easier to modify existing tunnel policies.

Re: no split tunnel-internet access via isa in dmz

here you go..

My existing VPN configuration is attached. Please let me know what needs to be added.

Re: no split tunnel-internet access via isa in dmz

Add the below:-

group-policy staffvpn attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass disable

group-policy staffvpn attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass disable

group-policy newstaffvpn attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass disable

username adel attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass disable

username waled attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass disable

To whichever remote VPN group you want to test with. x.x.x.x is the IP address of the ISA server.

HTH.
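As an added example, not from this thread or from Cisco, the following Python audits the group-policy stanzas of an ASA running-config for the recipe given above (tunnel all, which on the ASA is `split-tunnel-policy tunnelall`, plus the three msie-proxy settings) and flags a policy whose server value is still the x.x.x.x placeholder. The config text and the 203.0.113.10 address are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the shape the thread describes (not the poster's config);
# 203.0.113.10 is a documentation-range stand-in for the ISA server address.
SAMPLE_CONFIG = """\
group-policy staffvpn attributes
 split-tunnel-policy tunnelall
 msie-proxy method use-server
 msie-proxy server value 203.0.113.10:8080
 msie-proxy local-bypass disable
group-policy newstaffvpn attributes
 msie-proxy method use-server
 msie-proxy server value x.x.x.x
 msie-proxy local-bypass enable
group-policy contractors attributes
 split-tunnel-policy tunnelspecified
"""

def parse_group_policies(config):
    # Map each "group-policy NAME attributes" stanza to its indented sub-commands.
    policies, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes\s*$", raw)
        if m:
            current = m.group(1)
            policies[current] = []
        elif current is not None and raw.startswith(" "):
            policies[current].append(raw.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return policies
def audit_policy(attrs):
    # Findings for one policy; an empty list means it matches the thread's recipe.
    findings = []
    if "split-tunnel-policy tunnelall" not in attrs:
        findings.append("not tunnel-all: client internet traffic bypasses the ASA and ISA")
    if "msie-proxy method use-server" not in attrs:
        findings.append("msie-proxy method is not use-server: no proxy is pushed to clients")
    server = next((a for a in attrs if a.startswith("msie-proxy server value ")), None)
    host = server.split()[-1].split(":")[0] if server else ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        findings.append(f"msie-proxy server value '{host}' is not a usable address")
    if "msie-proxy local-bypass disable" not in attrs:
        findings.append("local-bypass not disabled: local addresses would skip the proxy")
    return findings
def audit_config(config):
    return {name: audit_policy(attrs) for name, attrs in parse_group_policies(config).items()}
```

The audit only confirms the ASA side; as the earlier reply notes, the pushed proxy setting reaches Internet Explorer only, so tunnel-all is what keeps other clients' traffic behind the ASA.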


Re: no split tunnel-internet access via isa in dmz

great...

After applying this, will I have any issues accessing my servers' browser-based applications in my internal network?

thanks,

Re: no split tunnel-internet access via isa in dmz

Only if you don't have the ACL on the interface with the ISA server to allow the traffic from the lower interface into the higher interface! And of course check your NAT rules out... Other than that, configure, test and troubleshoot if required!

HTH.


Re: no split tunnel-internet access via isa in dmz

Many thanks.

Re: no split tunnel-internet access via isa in dmz

np - glad to help.
