topic Re: Force one website through VPN allow others to use home internet in Network Security

Force one website through VPN allow others to use home internet

meditinst — Fri, 03 Apr 2020 18:00:58 GMT

Hello,

We have an ASA 5515, when our uses use the VPN they can access the local file servers just fine. But when they browse the internet they use their home internet, from what I understand this is split tunneling. Unfortunately, we have a website that uses our public IP to verify us and when users are at home it is using their home IP instead of the work IP. Is there a way to force traffic to this one website to go through the VPN?

Thanks,

Mike

Re: Force one website through VPN allow others to use home internet

balaji.bandi — Fri, 03 Apr 2020 18:13:08 GMT

Are you using cisco any connect client to connect to VPN, then below guide help to buil split tunnel :

https://community.cisco.com/t5/security-documents/anyconnect-split-tunneling-local-lan-access-split-tunneling/ta-p/4050866

Re: Force one website through VPN allow others to use home internet

Rob Ingram — Fri, 03 Apr 2020 18:22:06 GMT

Hi,

You would need to amend your split tunnel ACL to include the IP address of the website, in order to tunnel this traffic back to the main site. E.g:-

access-list SPLIT_TUNNEL standard permit 5.5.5.5

You would then need to NAT the outbound traffic for the Remote Access VPN users, e.g:-

object network RAVPN_USERS
subnet 192.168.10.0 255.255.255.0
nat (outside,outside) dynamic interface

You need to also enable the command below, in order to permit the Remote Access VPN users traffic to be routed back out the outside interface.

same-security-traffic permit intra-interface

HTH

Re: Force one website through VPN allow others to use home internet

meditinst — Fri, 03 Apr 2020 18:39:47 GMT

Yes, we are using the any connect client, I will take a look at this article. Thank you.

Re: Force one website through VPN allow others to use home internet

meditinst — Fri, 03 Apr 2020 19:24:20 GMT

So I now have this,

access-list acl-clientvpn extended permit ip object 3.223.182.53 any
access-list acl-clientvpn extended permit ip object 50.19.8.245 any

I've tried, any, outside and the ip range of the VPN users but now the website just doesn't load at all.

I am guessing that's because I am missing this part,

object network RAVPN_USERS
subnet 192.168.10.0 255.255.255.0
nat (outside,outside) dynamic interface

So I need to create a NAT rule to allow my VPN users ip's to go out?

I am also guessing this won't affect the current VPN users or should I wait until tonight to do this?

Thanks,

Mike

Re: Force one website through VPN allow others to use home internet

Rob Ingram — Fri, 03 Apr 2020 19:33:05 GMT

Your nat rule will obviously have to reflect your correct VPN IP Pool network (s) AND you will need the command "same-security-traffic permit intra-interface" for the anyconnect users.

You should be able to make these changes now, they would only apply to traffic sourced from the RAVPN Pool network on the outside interface destined to the outside interface.

You should also check your other rules which might conflict.

If this still doesn't work post your configuration and the output of "show nat detail"

Re: Force one website through VPN allow others to use home internet

qwerty321 — Wed, 27 May 2020 10:25:03 GMT

Thanks, that worked for me!
For anyone testing, you need to reconnect to the VPN after making changes.

Re: Force one website through VPN allow others to use home internet

cjones615 — Mon, 20 Jul 2020 13:00:01 GMT

I did that piece and I got the website to work. The problem is that when I did that, I broke access to our servers in Azure, which obviously sit outside our internal network. Any help would be appreciated. Thanks

Re: Force one website through VPN allow others to use home internet

Rob Ingram — Mon, 20 Jul 2020 13:25:57 GMT

Hi@cjones615 start a new post, provide your existing configuration and provide information of which command you configured which broke access to Azure.

Re: Force one website through VPN allow others to use home internet

cjones615 — Mon, 20 Jul 2020 14:57:23 GMT

done

https://community.cisco.com/t5/network-security/issues-with-vpn-configuration/m-p/4121891#M1072140

Re: Force one website through VPN allow others to use home internet

joselyngm — Thu, 13 Jul 2023 16:57:54 GMT

Good afternoon,

I was checking the conversation.

In my case, we are trying to use our VPN to connect to the website. But the website is located behind Cloudflare, and the Website's IP can change.

Is it something that we can implement to help us?

Thank you

Re: Force one website through VPN allow others to use home internet

Rob Ingram — Thu, 13 Jul 2023 17:17:16 GMT

@joselyngm my initial suggestion would be to add all the cloudflare IP addresses to the allow tunnel list - https://www.cloudflare.com/en-gb/ips/

Else run a full tunnel but with dynamic split tunnel for intensive applications such as Webex or MS Teams etc.

Re: Force one website through VPN allow others to use home internet

joselyngm — Thu, 13 Jul 2023 21:31:19 GMT

Thank you so much!! That worked.