Separate VPN traffic and internet access

kathy-kat
Level 1

Hello Everyone!!

I have a VPN client that connects to the office, and the VPN works fine. Right now all the traffic, including internet access, goes through the tunnel. I would like to separate this. I know that I can use a split tunnel, but it does not work for me.

Here is the config:

group-policy Remote internal
group-policy Remote attributes
wins-server value 192.168.0.11
dns-server value 192.168.0.13
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value Accesso_Restringido
default-domain value xxxx.xxx

access-list Accesso_Restringido extended deny ip object-group VPN-Remote any

Any idea??

Regards

KC


8 Replies

Yudong Wu
Level 7

You should use

split-tunnel-policy tunnelspecified

split-tunnel-network-list value

where the ACL should look like

access-list permit ip any

So all traffic to your from client will be sent via VPN tunnel.

Thanks Yudong!!

I made some changes on the split tunnel and it works!!! Here is the config:

split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel-List

access-list Split-Tunnel-List standard permit 192.168.0.0 255.255.0.0
access-list Split-Tunnel-List standard permit 172.17.0.0 255.255.0.0
access-list Split-Tunnel-List standard permit 10.1.0.0 255.255.0.0

where the network 192.168.0.0 255.255.0.0 is the DMZ, but the user's VPN cannot access the DMZ. I thought that it could be some ACL, so I put some ACLs that permit the traffic from DMZ to VPN and vice versa. But nothing!!

Any advice??

KC

Could you post your configuration here?

It could be a NAT issue as well.

You are totally right.

When I ping from the VPN's network to the DMZ's network, the following message appears:

Error Message    %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection protocol src interface_name:source_address/source_port dst interface_name:dst_address/dst_port denied due to NAT reverse path failure.

Explanation    An attempt to connect to a mapped host using its actual address was rejected.

Recommended Action    When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the inspect command if the application embeds the IP address.

But I have some ACLs that make the nat0.

They are the following:

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.10.1.0 255.255.255.0

Where the DMZ's network is 192.168 and the VPN's network is 10.10.1

Any idea??

Best Regards,

Can you provide the configuration? Or at least all NAT-related configuration.

Thanks Yudong, here you go:

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.0.0 255.255.0.0
nat (inside) 1 172.17.0.0 255.255.0.0

static (inside,outside) tcp 200.24.243.21 www 172.17.0.15 www netmask 255.255.255.255
static (inside,outside) 200.32.188.115 172.17.0.16 netmask 255.255.255.255
static (inside,outside) 200.32.188.116 172.17.0.14 netmask 255.255.255.255
static (inside,outside) 200.32.188.117 172.17.0.12 netmask 255.255.255.255
static (inside,outside) 200.24.243.18 172.17.0.13 netmask 255.255.255.255
static (inside,outside) 200.24.243.17 172.17.0.11 netmask 255.255.255.255
static (DMZ,outside) 200.24.243.19 192.168.0.3 netmask 255.255.255.255
static (DMZ,outside) 200.24.243.20 192.168.0.4 netmask 255.255.255.255

access-list inside_nat0_outbound extended permit ip 172.17.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 172.17.0.0 255.255.0.0 10.10.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.10.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.10.1.0 255.255.255.0

where:

172.17.0.0/16 and 10.1.0.0/16 are the inside networks
192.168.0.0/16 is the DMZ's network
10.10.1.0/24 is the VPN's network.

And here is where the packet is dropped:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (DMZ,outside) 200.11.201.20 Servidor-Web netmask 255.255.255.255
  match ip DMZ host Servidor-Web outside any
    static translation to 200.11.201.20
    translate_hits = 88, untranslate_hits = 112089
Additional Information

Thanks and Regards,

KC

You need to bypass NAT for traffic between the VPN client and the DMZ network.

1. Remove the following

no access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.10.1.0 255.255.255.0

2. Add the following

access-list dmz_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.10.1.0 255.255.255.0

nat (DMZ) 0 access-list dmz_nat0_outbound
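An added illustration, not part of the thread and not Cisco's code: a small Python model of the rule lookup behind the `rpf-check` drop shown in the packet-tracer output, using the addresses from the thread. The client address 10.10.1.5 and the simplified lookup order (nat 0 exemption first, then static) are assumptions of the model; it shows why the exemption on the inside interface never saw the DMZ server's return traffic and why binding it to the DMZ interface fixes the asymmetry.

```python
# Added example, not from the thread: model of the ASA 8.2-style NAT lookup
# behind "Subtype: rpf-check". Addresses are from the thread; the client
# address 10.10.1.5 and the lookup order (exemption, then static) are assumed.
import ipaddress


def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def translate_source(asa, iface, src, dst):
    """Source translation for a packet entering `iface`: a matching
    'nat (iface) 0 access-list' exempts it, otherwise a 'static (iface,outside)'
    rule for the real address applies, otherwise the address is unchanged."""
    for s_net, d_net in asa["nat0"].get(iface, []):
        if in_net(src, s_net) and in_net(dst, d_net):
            return src
    return asa["static"].get(iface, {}).get(src, src)


def untranslate_dest(asa, dst):
    """Forward direction (outside -> DMZ): a mapped address is rewritten to
    the real host; a real address is left alone."""
    for table in asa["static"].values():
        for real, mapped in table.items():
            if dst == mapped:
                return real
    return dst


def rpf_check(asa, client, server, server_iface):
    """The reverse flow (server -> client, leaving via `server_iface`) must
    translate the server back to the address the forward flow used;
    otherwise the ASA logs %ASA-5-305013 and drops the connection."""
    real_dst = untranslate_dest(asa, server)
    reverse_src = translate_source(asa, server_iface, real_dst, client)
    return "ALLOW" if reverse_src == server else "DROP"


STATIC = {"DMZ": {"192.168.0.3": "200.24.243.19"}}  # static (DMZ,outside)
# Original config: the exemption was bound to the inside interface only.
BROKEN = {"static": STATIC, "nat0": {"inside": [("192.168.0.0/16", "10.10.1.0/24")]}}
# Accepted solution: nat (DMZ) 0 access-list dmz_nat0_outbound
FIXED = {"static": STATIC, "nat0": {"DMZ": [("192.168.0.0/16", "10.10.1.0/24")]}}

if __name__ == "__main__":
    for name, asa in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, rpf_check(asa, "10.10.1.5", "192.168.0.3", "DMZ"))
```

With the original config the model also allows the client to reach the server by its mapped address 200.24.243.19, which is what the syslog's Recommended Action describes.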

Thanks Yudong!!!!!

That works!!!

Regards,

KC
