06-12-2008 12:41 AM - edited 03-11-2019 05:58 AM
Hi,
I have managed to get Cisco Client VPNs and a Site-to-Site office VPN (Cisco 877) onto my Cisco ASA and all working, until I issued the "no sysopt connection permit-vpn" command. This stops VPN traffic from being exempt from access-lists.
I want to control the VPNs by access list and have created all the correct rules for "outside_access_in", and the VPNs can connect to the servers on the ports needed. Now the only thing they can't access is the internet, which they could before I issued that command.
If I add "permit tcp object-group VPN_Remote_Networks 0.0.0.0 0.0.0.0 object-group Http-Https" then they can access the Internet, but it also means they can access any web servers on the inside. Can I create a rule that only applies to their outbound traffic to the internet?
Thanks
06-12-2008 01:48 AM
Hi
To allow VPN users to access the Internet when they are in the tunnel, you need to configure split tunneling.
Check the Cisco site, where you can get the configuration examples.
Regards,
Archana.
06-12-2008 02:20 AM
see this http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
I suggest you use the ASDM to modify your VPN group for split-tunneling.
Please rate if this helps.
06-12-2008 02:23 AM
Hi, we don't want to split the traffic; all traffic needs to enter the ASA as we monitor the URLs.
06-12-2008 02:37 AM
whiteford,
with the Split tunneling you can use ACL to control access to your corporate network across the tunnel by restricting what servers users can access based on TCP/UDP port for example. All other traffic such as instant messaging or casual browsing is sent out to the Internet via the local LAN of the VPN Client.
06-12-2008 02:42 AM
But what if I need the Internet traffic to be filtered by our Websense URL server which is at the HQ where the ASA is? It would mean their internet traffic is not monitored.
06-12-2008 02:55 AM
I am trying to understand your requirements. Not sure how Websense works, but when the ASA sends internet requests to the Websense software, are you filtering based on user account in Active Directory or IP address?
06-12-2008 02:26 AM
The Internet needs to come in on the same route as the rest of the traffic, as the URLs are monitored by our internal Websense URL filtering server; we need to make sure this traffic is monitored. The only way I can see this working is if I leave that http/https rule to "any"; then it all works, but it means they can access internal sites they don't need to.
06-12-2008 03:18 AM
Hi Whiteford,
When you enable split tunneling, any VPN user who wants to access the Internet will go via the same path as the rest of the traffic. So, as in your case, the rest of the traffic goes via the URL filtering server and then accesses the Internet. The same will happen when a VPN user accesses the Internet.
Rate if this helps!!
Regards,
Archana.
06-12-2008 03:24 AM
whiteford
On your ASA, configure what to filter via the following commands:
*note* in this sample, all urls from any host and to any host will be filtered.
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
Any http traffic through the ASA from any devices on the inside, including VPN users, will be sent to your Websense server for filtering.
06-12-2008 04:19 AM
Do I still need to split the tunnel, if so how?
Sorry for my slow understanding, I just assumed that splitting the tunnel meant the remote site's internet didn't even come over the VPN to the ASA and out again.
Thanks
06-12-2008 04:21 AM
see this http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
Like I said, use the ASDM to make the change.
on the split-tunnel config, both internal and unencrypted internet traffic will pass through the ASA
06-12-2008 05:05 AM
Will this work for my Site-to-Site VPN too? I see the example only for Cisco VPN clients?
Many thanks
06-12-2008 05:16 AM
The split-tunnel applies only to remote VPN users.
For the site-to-site VPN, are you saying you want to filter web traffic also?
06-12-2008 05:27 AM
It will be filtered eventually, but at the moment the only way to give them the Internet is if I create a rule on the outside to inside for the site-to-site IP ranges on http/https, but this also means full web access to internal servers.
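As an added example (not from the thread or from Cisco's documentation): with "no sysopt connection permit-vpn" in place, decrypted VPN traffic is checked against the outside interface ACL, and ASA ACEs are matched top-down on first match, so an explicit deny to the inside subnets placed before the permit-to-any limits the VPN ranges to web traffic that leaves for the Internet. The group names VPN_Remote_Networks, Http-Https and outside_access_in are the thread's own; Inside_Networks, the 10.1.0.0/16 subnet and the 192.168.x.0 remote ranges are placeholders.

```cisco
! Added example, not from the thread. Addresses below are placeholders.
! The thread's own groups already exist on the box; assumed contents shown here.
object-group service Http-Https tcp
 port-object eq www
 port-object eq https
!
! Remote VPN client pool and the LAN behind the site-to-site 877 go in the same
! group, so one pair of ACEs covers both kinds of VPN.
object-group network VPN_Remote_Networks
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
!
! Subnets behind the inside interface that VPN users must not browse to.
object-group network Inside_Networks
 network-object 10.1.0.0 255.255.0.0
!
! With "no sysopt connection permit-vpn", decrypted VPN traffic hits this ACL.
! 1. The per-server, per-port permits already built for the VPNs stay above
!    this point, unchanged.
! 2. Block web access from the VPN ranges to anything on the inside ...
access-list outside_access_in extended deny tcp object-group VPN_Remote_Networks object-group Inside_Networks object-group Http-Https
! 3. ... then allow web access from the VPN ranges to everything else, i.e. the Internet.
access-list outside_access_in extended permit tcp object-group VPN_Remote_Networks any object-group Http-Https
!
access-group outside_access_in in interface outside
!
! Web traffic that arrives on outside and leaves on outside again (hairpin)
! also needs this; it is already present if the earlier "any" rule worked.
same-security-traffic permit intra-interface
```

Because new ACEs are appended to the end of an ACL, enter the deny before the permit (or use line numbers) so the order shown is what "show access-list outside_access_in" reports; the URL filter from the earlier post still applies to the permitted traffic.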