Cisco Support Community

Bronze

VPN - Force Internet Traffic through Outside Interface

I have a remote access VPN for clients coming in through an ASA 5510. Everything was working fine and Internet traffic was all good as it went out through a 3rd party proxy which clients picked up through a WPAD file.

We have now amended the way LAN clients browse the Internet. They basically go out our ASA outside interface using SCANSAFE now. This works fine for everyone except VPN clients. I'm guessing this is due to them coming in via the Outside Interface for the VPN, and then routing out again for Internet traffic. Is there anything special I need to do or is this actually a common setup?

Thanks

7 REPLIES
VIP Purple

VPN - Force Internet Traffic through Outside Interface

I would address that problem a little bit different. Instead of sending the surf-traffic to the ASA and then back to the internet, I would install the Websecurity module inside the AnyConnect client and let the clients go directly to their Scan-Towers.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
Bronze

VPN - Force Internet Traffic through Outside Interface

Hi Karsten,

At the moment clients are still using the Cisco VPN client for access so I probably couldn't do this. We are testing AnyConnect at the moment for a select few but it's still new territory for us.

VIP Purple

Re: VPN - Force Internet Traffic through Outside Interface

OK, I never used it in a setup like that, but is your policy-map "seeing" that traffic?

show service-policy inspect scansafe

If the policy is attached to the inside interface I would change it to the global policy.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
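The check Karsten suggests, as an added illustration that is not from this thread or from Cisco documentation: a ScanSafe inspection policy bound only to the inside interface (which VPN clients arriving on and leaving via outside never pass through), beside the same classes moved into the global policy. Tower address, license key, user/group and policy names are placeholders, and the same-security-traffic line is an assumed prerequisite for outside-to-outside hairpinning rather than something stated in the thread.

```cisco
! Added illustration (not from this thread): ScanSafe/CWS inspection bound
! to "inside" only, beside the same classes placed in the global policy.
! Tower IP, license key, user/group and policy names are placeholders.

! --- Before: policy attached to "inside". Remote-access VPN traffic enters
! on "outside" and is routed back out "outside", so it never hits this policy.
scansafe general-options
 server primary ip 203.0.113.10 port 8080
 retry-count 5
 license 0123456789ABCDEF
!
class-map CWS_HTTP
 match port tcp eq 80
class-map CWS_HTTPS
 match port tcp eq 443
!
policy-map type inspect scansafe CWS_HTTP_MAP
 parameters
  default user cwsuser group cwsgroup
  http
policy-map type inspect scansafe CWS_HTTPS_MAP
 parameters
  default user cwsuser group cwsgroup
  https
!
policy-map INSIDE_POLICY
 class CWS_HTTP
  inspect scansafe CWS_HTTP_MAP fail-open
 class CWS_HTTPS
  inspect scansafe CWS_HTTPS_MAP fail-open
service-policy INSIDE_POLICY interface inside

! --- After: same classes in global_policy, which applies on every interface,
! so hairpinned VPN traffic on "outside" is redirected to the tower too.
no service-policy INSIDE_POLICY interface inside
policy-map global_policy
 class CWS_HTTP
  inspect scansafe CWS_HTTP_MAP fail-open
 class CWS_HTTPS
  inspect scansafe CWS_HTTPS_MAP fail-open
!
! Assumed prerequisite: outside-to-outside hairpinning is dropped unless
! intra-interface traffic is explicitly permitted.
same-security-traffic permit intra-interface
!
! Verify: the counters should now increase while a VPN client browses.
show service-policy inspect scansafe
```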
Bronze

Re: VPN - Force Internet Traffic through Outside Interface

Hi Karsten,

Does the web security module require its own license, or does the fact that I have a ScanSafe license already mean I can use this? When trying to save my profile it's saying I have no websecurity profile license.

Thanks

VIP Purple

Re: VPN - Force Internet Traffic through Outside Interface

You still need a license for the number of users you have. To enable the Websecurity module in AnyConnect you have to configure a profile with the proper license in the ScanSafe config, export the profile and copy the encrypted profile (which is a WSO file) to the client machine.

More details are in the AnyConnect Administration Guide:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac06websecurity.html

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
Bronze

Re: VPN - Force Internet Traffic through Outside Interface

Hi Karsten,

Thanks, trying to slowly go through the document...

How does the profile etc. get pushed down to a laptop using AnyConnect? Do they need to browse to the address of the ASA and use WebVPN, or can the AnyConnect client be pushed down with all the settings intact? E.g. with the Cisco VPN client, it was just a PCF file, but I'm not sure on the equivalent for the AnyConnect client. I basically want the users to have as little to do as possible, e.g. just connect and it works.

Thanks

VIP Purple

Re: VPN - Force Internet Traffic through Outside Interface

The AnyConnect client needs admin rights for the initial installation. So you probably have to install it with a software-distribution system of your choice (like Netinstall) or by hand for all your users. While installing you can automatically put all the needed profiles in place. That's also described in the AnyConnect Admin Guide.

After the client is installed, everything works without any config from the user-side. For VPN they just click on connect (or you configure AlwaysOn VPN) and for Websecurity the user doesn't have to do anything at all.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni