I have an ASA 5510 running 8.2(2)17 code which is terminating remote access VPNs. The VPN users connect using the Cisco VPN Client (version 5.0.06.0160).
The ASA is also using a Websense device for URL filtering.
Local users can access the internet, and are having their traffic filtered correctly by Websense, but VPN users cannot access the internet (the VPN negotiates correctly, and they can access internal networks).
From running packet captures, it looks like traffic from the VPN clients is leaving the ASA, but I'm not seeing corresponding return traffic.
There are two things that strike me as odd/bad:
1 - When I connect to the VPN, the default gateway that I am assigned is the first address in the VPN DHCP pool (i.e. the VPN pool is 220.127.116.11 to 18.104.22.168/24 ... I am assigned the address 22.214.171.124, and my default gateway is 126.96.36.199). I have not configured this default gateway anywhere on the ASA.
2 - My PC's routing table shows two default gateways. The first goes via my wireless network and has a metric of 25.
The second is via the VPN gateway mentioned above (188.8.131.52) and has a metric of 26, which should be less preferable. I would have thought that the VPN gateway should be the preferred route. The routing table also shows no routes to internal networks (even though they are accessible over the VPN).
Any help or suggestions would be greatly appreciated.
1) How do you direct the VPN users to use Websense for URL filtering? Through proxy settings?
2) Is the VPN configured with split tunneling or without split tunneling?
The two things that you thought were bad are actually normal. Traffic, before it gets encrypted, is routed towards the VPN tunnel, hence you are seeing the default gateway that you didn't configure. That is normal, as traffic will be encrypted by the VPN client and sent to the ASA.
If you use the "filter url" command to redirect traffic towards the Websense server, that only works for outbound traffic, i.e. from the internal network towards the internet. For VPN clients, traffic is coming inbound towards the ASA outside interface, hence it will not be redirected towards the Websense server.
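Added example (not part of either post above): the two ways a remote-access group policy on ASA 8.2 is usually set up so that VPN clients can reach the internet, answering the split-tunnel question the reply raises. The pool (10.10.10.0/24), the internal range (192.168.0.0/16), and the names RA_VPN, RA_POOL and SPLIT_TUNNEL are assumed for illustration and do not come from the original thread; 8.2 NAT syntax is used because that is the release in the question.

```text
! Assumed address pool for the remote-access clients (not from the thread)
ip local pool RA_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! --- Option A: split tunneling ---
! Only the internal range is sent over the tunnel; internet traffic leaves
! through the client's own NIC and never touches the ASA (or Websense).
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.0.0
group-policy RA_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! --- Option B: tunnel-all with hairpinning ---
! Everything comes in encrypted on outside; after decryption the internet
! traffic must be allowed to leave the same interface again, and the pool
! must be PAT'd to the outside address or the return traffic has no path back.
group-policy RA_VPN attributes
 split-tunnel-policy tunnelall
same-security-traffic permit intra-interface
nat (outside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
```

Quick checks on the box: "show run group-policy RA_VPN" to confirm which of the two policies is active, "show run same-security-traffic" for the intra-interface permit, and "show xlate" after a client browses to see whether the pool address is actually being translated to the outside interface. Option B restores internet access for the clients; as the reply above explains, it does not by itself push that traffic through the Websense filter, since "filter url" is applied to inside-to-outside traffic.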