Internet access over VPN

theloftycloud
Level 1

We have a remote access VPN set up on our ASA for vendors. Each vendor is set up using an ACL that allows them to connect to their server/appliance over 443 on our network and only that. Everything else is denied once they connect. To expand on this, is there an entry we can add for one vendor to open up the VPN access to the internet? The vendor is connecting correctly, however he needs additional help (via a Webex) from a supplier while connected.

Below is what we currently have:

access-list VPN_Access_Vendor line 1 remark HTTPS access 

access-list VPN_Access_Vendor line 2 extended permit tcp any host 10.10.10.10 eq 443

3 Replies

IP_Cartel
Level 1

So you want to route non-RFC 1918 networks within the tunnel? Normally I send traffic that does not exist in the internal network out their own ISP using split tunnel so it doesn't tax the business ISP service.

I want remote VPN users to be able to use the internet while connected to our VPN. 

Whose internet service? The VPN side or the connecting side? If it's on the connecting side, do a split tunnel. I've always done it in the CLI but it can be enabled in ASDM. If the tunnel is connected you can default route out your core routing table.

For example, the tunnel has, let's say, the 172.16.46.0/24 subnetwork, and the VPN ASA is 10.10.99.46.

From my core, if I am not advertising via EIGRP, I would create a static route (IOS syntax on the core):

ip route 172.16.46.0 255.255.255.0 10.10.99.46

Otherwise, when you split tunnel, Cisco AnyConnect will display 0.0.0.0/0 or something like that routing out the end user's ISP and route, let's say, 10.0.0.0/8 via (keyword: interesting traffic) through the tunnel.

look at these pages:

https://www.petenetlive.com/KB/Article/0000943

https://www.petenetlive.com/KB/Article/0000069
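As an added example (not posted by either participant), here is what the split-tunnel approach looks like on the ASA for the one vendor in question, keeping the existing VPN_Access_Vendor filter unchanged. The group-policy name VENDOR_SPLIT_GP, the tunnel-group name VENDOR_SPLIT and the standard ACL name VENDOR_SPLIT_NETS are assumed placeholders; 10.10.10.10 is the server from the original post. Only that host is sent through the tunnel, so the vendor's Webex traffic goes out their own ISP and never reaches your network, while the vpn-filter still limits tunneled traffic to 443 on the server.

```cisco
! Standard ACL listing ONLY the networks that should ride the tunnel.
! Everything not listed here leaves the vendor's PC via their local ISP.
access-list VENDOR_SPLIT_NETS standard permit host 10.10.10.10

! Dedicated group-policy for this vendor (other vendors keep full tunnel).
group-policy VENDOR_SPLIT_GP internal
group-policy VENDOR_SPLIT_GP attributes
 ! Existing per-vendor filter from the original post: still applied to
 ! whatever does enter the tunnel, so the server stays 443-only.
 vpn-filter value VPN_Access_Vendor
 ! Tunnel only what VENDOR_SPLIT_NETS permits; the client's default route
 ! stays on its own ISP (shown as 0.0.0.0/0 "non-secured" in AnyConnect).
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VENDOR_SPLIT_NETS

! Bind the policy to the vendor's connection profile.
tunnel-group VENDOR_SPLIT type remote-access
tunnel-group VENDOR_SPLIT general-attributes
 default-group-policy VENDOR_SPLIT_GP
```

After the vendor reconnects, "show vpn-sessiondb anyconnect" on the ASA should show the new group policy and filter name for that session, and the AnyConnect route details on the client should list only 10.10.10.10 as secured.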