04-03-2020 11:00 AM
Hello,
We have an ASA 5515. When our users use the VPN they can access the local file servers just fine, but when they browse the internet they use their home internet; from what I understand this is split tunneling. Unfortunately, we have a website that uses our public IP to verify us, and when users are at home it is using their home IP instead of the work IP. Is there a way to force traffic to this one website to go through the VPN?
Thanks,
Mike
04-03-2020 11:22 AM
Hi,
You would need to amend your split tunnel ACL to include the IP address of the website, in order to tunnel this traffic back to the main site. E.g:-
access-list SPLIT_TUNNEL standard permit 5.5.5.5
You would then need to NAT the outbound traffic for the Remote Access VPN users, e.g:-
object network RAVPN_USERS
subnet 192.168.10.0 255.255.255.0
nat (outside,outside) dynamic interface
You need to also enable the command below, in order to permit the Remote Access VPN users traffic to be routed back out the outside interface.
same-security-traffic permit intra-interface
HTH
04-03-2020 11:12 AM - edited 04-03-2020 11:13 AM
Are you using the Cisco AnyConnect client to connect to the VPN? If so, the guide below will help you build a split tunnel:
04-03-2020 11:39 AM
Yes, we are using the AnyConnect client. I will take a look at this article. Thank you.
04-03-2020 12:24 PM
So I now have this,
access-list acl-clientvpn extended permit ip host 3.223.182.53 any
access-list acl-clientvpn extended permit ip host 50.19.8.245 any
I've tried any, outside, and the IP range of the VPN users, but now the website just doesn't load at all.
I am guessing that's because I am missing this part,
object network RAVPN_USERS
subnet 192.168.10.0 255.255.255.0
nat (outside,outside) dynamic interface
So I need to create a NAT rule to allow my VPN users' IPs to go out?
I am also guessing this won't affect the current VPN users, or should I wait until tonight to do this?
Thanks,
Mike
07-20-2020 06:00 AM
I did that piece and I got the website to work. The problem is that when I did that, I broke access to our servers in Azure, which obviously sit outside our internal network. Any help would be appreciated. Thanks
07-20-2020 06:25 AM
Hi @cjones615, start a new post, provide your existing configuration, and provide information on which command you configured that broke access to Azure.
07-13-2023 09:57 AM
Good afternoon,
I was checking the conversation.
In my case, we are trying to use our VPN to connect to the website, but the website is located behind Cloudflare, and the website's IP can change.
Is there something we can implement to help us?
Thank you
07-13-2023 10:17 AM
@joselyngm my initial suggestion would be to add all the Cloudflare IP addresses to the allow tunnel list - https://www.cloudflare.com/en-gb/ips/
Otherwise, run a full tunnel but with dynamic split tunneling for intensive applications such as Webex or MS Teams.
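The accepted answer above gives the three pieces (split-tunnel ACL entry, outside-to-outside NAT for the VPN pool, same-security intra-interface) but not the group-policy commands that actually bind the ACL to the AnyConnect session, and the Cloudflare follow-up turns "one IP" into a list of CIDR ranges that ASA standard ACLs want written as network plus dotted mask. The following script is an added example, not code from this thread or from Cisco: it takes a list of destination hosts or CIDRs, collapses overlapping ranges, and emits the complete ASA fragment. The ACL name, group-policy name, NAT object name and VPN pool are assumed placeholders, and the sample ranges are constructed (they are not Cloudflare's published addresses; take those from the URL in the reply above).

```python
import ipaddress

# Hypothetical names; substitute the ones in your own ASA configuration.
SPLIT_ACL = "SPLIT_TUNNEL"
GROUP_POLICY = "GP_RAVPN"
NAT_OBJECT = "RAVPN_USERS"
VPN_POOL = "192.168.10.0/24"   # the pool from the accepted answer, as a CIDR

# Constructed sample input: the answer's 5.5.5.5 placeholder host plus two
# documentation ranges standing in for a CDN's published list. Not real CDN ranges.
SAMPLE_DESTINATIONS = ["5.5.5.5", "203.0.113.0/24", "198.51.100.128/25"]


def split_tunnel_networks(destinations):
    """Parse hosts/CIDRs and merge overlapping or adjacent IPv4 ranges.

    Collapsing matters when a CDN list contains a /24 and a /25 inside it:
    one ACL line covers both, and the ACL stays readable as the list grows.
    """
    nets = []
    for dest in destinations:
        net = ipaddress.ip_network(dest, strict=False)   # "5.5.5.5" -> 5.5.5.5/32
        if net.version != 4:
            raise ValueError(f"ASA standard ACLs are IPv4-only, got {dest}")
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def acl_entry(acl_name, net):
    """Render one ASA standard ACL line (host form for /32, net+mask otherwise)."""
    if net.prefixlen == 32:
        return f"access-list {acl_name} standard permit host {net.network_address}"
    return f"access-list {acl_name} standard permit {net.network_address} {net.netmask}"


def render_config(destinations, acl_name=SPLIT_ACL, group_policy=GROUP_POLICY,
                  nat_object=NAT_OBJECT, pool=VPN_POOL):
    """Return the full list of ASA lines needed to tunnel `destinations`."""
    pool_net = ipaddress.ip_network(pool)
    lines = [acl_entry(acl_name, n) for n in split_tunnel_networks(destinations)]
    lines += [
        # Bind the ACL to the AnyConnect group policy: only listed networks go via VPN.
        f"group-policy {group_policy} attributes",
        " split-tunnel-policy tunnelspecified",
        f" split-tunnel-network-list value {acl_name}",
        # Hairpin NAT so VPN-pool sources leave the outside interface with the firewall's IP.
        f"object network {nat_object}",
        f" subnet {pool_net.network_address} {pool_net.netmask}",
        " nat (outside,outside) dynamic interface",
        # Required for traffic to enter and leave the same (outside) interface.
        "same-security-traffic permit intra-interface",
    ]
    return lines


if __name__ == "__main__":
    print("\n".join(render_config(SAMPLE_DESTINATIONS)))
```

The NAT and intra-interface lines are what the thread's second poster was missing when the site stopped loading: without them the tunnelled packets reach the ASA with a VPN-pool source address and are dropped rather than re-sourced from the public IP the website checks. One caveat worth stating plainly for the CDN case: tunnelling a provider's whole address space routes every site fronted by that provider through the office link, so the outside interface and the NAT pool absorb that traffic too.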
07-13-2023 02:31 PM
Thank you so much!! That worked.