Cisco Support Community

New Member

VPN clients unable to access internet

Hi folks,

I have an ASA 5510 running 8.2(2)17 code which is terminating remote access VPNs. The VPN users connect using Cisco VPN Client (version 5.0.06.0160).

The ASA is also using a Websense device for URL filtering.

Local users can access the internet, and are having their traffic filtered correctly by Websense, but VPN users cannot access the internet (the VPN negotiates correctly, and they can access internal networks).

From running packet captures, it looks like traffic from the VPN clients is leaving the ASA, but I'm not seeing corresponding return traffic.

There are two things that strike me as odd/bad:

1 - When I connect to the VPN, the default gateway that I am assigned is the first address in the VPN DHCP pool (i.e. the VPN pool is 1.1.1.1 to 1.1.1.250/24 ... I am assigned the address 1.1.1.10, and my default gateway is 1.1.1.1). I have not configured this default gateway anywhere on the ASA.

2 - My PC's routing table shows two default gateways. The first goes via my wireless network, and has a metric of 25.

The second is via the VPN gateway mentioned above (1.1.1.1) and has a metric of 26 (which should be less preferable). I would have thought that the VPN gateway should be the preferred route. The routing table also shows no routes to internal networks (even though they are accessible over the VPN).

Any help or suggestions would be greatly appreciated.

Thanks,

Darragh

5 REPLIES
Super Bronze

Re: VPN clients unable to access internet

A few questions to ask:

1) How do you direct the VPN users to use Websense for URL filtering? Through proxy settings?

2) Is the VPN configured with split tunneling or no split tunneling?

The two things that you thought are bad are actually normal. Before it gets encrypted, the traffic will be routed towards the VPN tunnel, hence you are seeing the default gateway that you didn't configure. That is normal, as traffic will be encrypted via the VPN client and sent to the ASA.

New Member

Re: VPN clients unable to access internet

Hi Jennifer,

I haven't set up anything to explicitly point VPN users to Websense (I've just configured a catch-all filter list 'filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0').

I don't have split tunneling enabled.

Thanks,

Darragh

Super Bronze

Re: VPN clients unable to access internet

If you use the "filter url" command to redirect traffic towards the Websense server, that only works for outbound traffic, i.e. from the internal network towards the internet. For VPN clients, traffic is coming inbound towards the ASA outside interface, hence it will not be redirected towards the Websense server.

New Member

Re: VPN clients unable to access internet

Thanks again, Jennifer. Is there a way I can force the VPN users' traffic to use the Websense server?

Super Bronze

Re: VPN clients unable to access internet

No, unfortunately not for VPN users, unless you configure proxy settings on the browser to use Websense; however, Websense needs to support this as well.
