
Force one website through VPN allow others to use home internet

meditinst
Level 1

Hello,

 

We have an ASA 5515. When our users use the VPN they can access the local file servers just fine, but when they browse the internet they use their home internet, which from what I understand is split tunneling. Unfortunately, we have a website that uses our public IP to verify us, and when users are at home it sees their home IP instead of the work IP. Is there a way to force traffic to this one website to go through the VPN?

 

Thanks,

Mike 

Accepted Solution

Hi,

You would need to amend your split tunnel ACL to include the IP address of the website, in order to tunnel this traffic back to the main site, e.g.:

 

access-list SPLIT_TUNNEL standard permit 5.5.5.5

You would then need to NAT the outbound traffic for the Remote Access VPN users, e.g.:

 

object network RAVPN_USERS
subnet 192.168.10.0 255.255.255.0
nat (outside,outside) dynamic interface

You also need to enable the command below, in order to permit the Remote Access VPN users' traffic to be routed back out the outside interface.

 

same-security-traffic permit intra-interface

 

HTH


12 Replies

balaji.bandi
Hall of Fame

Are you using the Cisco AnyConnect client to connect to the VPN? If so, the guide below will help you build a split tunnel:

 

https://community.cisco.com/t5/security-documents/anyconnect-split-tunneling-local-lan-access-split-tunneling/ta-p/4050866

BB


Yes, we are using the AnyConnect client. I will take a look at this article. Thank you.


So I now have this,

access-list acl-clientvpn extended permit ip object 3.223.182.53 any
access-list acl-clientvpn extended permit ip object 50.19.8.245 any

 

I've tried any, outside, and the IP range of the VPN users, but now the website just doesn't load at all.

 

I am guessing that's because I am missing this part,

object network RAVPN_USERS
subnet 192.168.10.0 255.255.255.0
nat (outside,outside) dynamic interface

So I need to create a NAT rule to allow my VPN users' IPs to go out?

I am also guessing this won't affect the current VPN users or should I wait until tonight to do this?

 

Thanks,

Mike 

Your NAT rule will obviously have to reflect your correct VPN IP pool network(s), AND you will need the command "same-security-traffic permit intra-interface" for the AnyConnect users.

You should be able to make these changes now; they would only apply to traffic sourced from the RAVPN pool network on the outside interface and destined to the outside interface.

You should also check your other rules which might conflict.

If this still doesn't work, post your configuration and the output of "show nat detail".

Thanks, that worked for me!
For anyone testing, you need to reconnect to the VPN after making changes.

I did that piece and I got the website to work.  The problem is that when I did that, I broke access to our servers in Azure, which obviously sit outside our internal network.  Any help would be appreciated.  Thanks

Hi @cjones615, start a new post, provide your existing configuration, and say which command you configured that broke access to Azure.

Good afternoon,

I was checking the conversation. 

In my case, we are trying to use our VPN to connect to the website. But the website is located behind Cloudflare, and the Website's IP can change.

Is it something that we can implement to help us?

Thank you

@joselyngm my initial suggestion would be to add all the Cloudflare IP addresses to the allow tunnel list - https://www.cloudflare.com/en-gb/ips/

Else run a full tunnel but with dynamic split tunnel for intensive applications such as Webex or MS Teams etc.
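The accepted solution above and this Cloudflare suggestion both come down to the same three pieces: split-tunnel ACL entries for the site's addresses, hairpin NAT for the VPN pool, and intra-interface permission. The script below is an added example, not from anyone in this thread or from Cisco; it renders a list of CIDR ranges (the form Cloudflare publishes) into ASA standard ACL lines with dotted masks, emits the companion commands, and checks which destinations would still leak the user's home IP. The ACL name SPLIT_TUNNEL, the pool 192.168.10.0/24 and the sample ranges are constructed.

```python
"""Generate ASA split-tunnel config from CIDR ranges and check coverage.

Added example (not the thread's or Cisco's code). SPLIT_TUNNEL, RAVPN_USERS,
the 192.168.10.0/24 pool and SAMPLE_RANGES are constructed assumptions."""
import ipaddress
from typing import Iterable, List

# Constructed sample: paste the provider's current published list here and
# re-run whenever it changes, since the site's IP behind a CDN can move.
SAMPLE_RANGES = ["173.245.48.0/20", "103.21.244.0/22", "5.5.5.5/32"]


def acl_lines(acl_name: str, cidrs: Iterable[str]) -> List[str]:
    """Render CIDRs as ASA *standard* ACL entries (dotted netmask, not /len).

    A /32 is written with 'host' so the mask is implied."""
    lines = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # reject host bits set
        if net.prefixlen == 32:
            lines.append(f"access-list {acl_name} standard permit host {net.network_address}")
        else:
            lines.append(f"access-list {acl_name} standard permit {net.network_address} {net.netmask}")
    return lines


def companion_config(pool_cidr: str) -> List[str]:
    """The two pieces the thread found necessary besides the ACL: hairpin NAT
    for the VPN pool out the outside interface, and intra-interface permission
    so traffic entering on 'outside' may leave on 'outside' again."""
    pool = ipaddress.ip_network(pool_cidr, strict=True)
    return [
        "object network RAVPN_USERS",
        f" subnet {pool.network_address} {pool.netmask}",
        " nat (outside,outside) dynamic interface",
        "same-security-traffic permit intra-interface",
    ]


def is_tunneled(dest: str, cidrs: Iterable[str]) -> bool:
    """Split-tunnel decision: only destinations inside an ACL network go through
    the tunnel; everything else uses the home internet and shows the home IP."""
    addr = ipaddress.ip_address(dest)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def leaking(dests: Iterable[str], cidrs: Iterable[str]) -> List[str]:
    """Destinations the site might answer from that the ACL does not cover."""
    return [d for d in dests if not is_tunneled(d, cidrs)]


if __name__ == "__main__":
    print("\n".join(acl_lines("SPLIT_TUNNEL", SAMPLE_RANGES) + companion_config("192.168.10.0/24")))
    print("uncovered:", leaking(["173.245.50.9", "8.8.8.8"], SAMPLE_RANGES))
```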

Thank you so much!! That worked.
