Alternative to Split-Tunneling using VPN Anyconnect SSL

gp1200x
Level 2

I am setting up AnyConnect (3.1.14018) Premium SSL licenses for users with Win10 and Win7, with code 9.1.7.16 on 5510s and 5520s.

I know I will be asked to allow split-tunneling for some users, as always. I can do this, but I don't trust a lot of them to manage their PCs properly. So I was thinking of tunneling everything to the corporate network and then having our main Checkpoint firewall control these users' access to the Internet, just like all our internal users.

Here is the issue: all my VPN ASAs (remote VPN users and branch to branch) use OSPF to learn all the internal subnets but have their own default gateways to the Internet, which have a higher priority than the one supplied by the corporate network. In the past I have used a single small subnet to connect to the ASA, with IP pools internally provided by the ASA which then route over this subnet. This poses an issue if I want these IP pools to use the core internal router to route them to the Internet, since they would naturally hit the routing table in the VPN ASA and it would try to push them back out its own outside interface to reach the Internet.

So what are some of the solutions to this issue? I can use any method of providing IPs to the VPN clients and do not have to use IP pools provided by the ASA. So far the only real solution I can think of is to place the ASA inside interface on a trunk and then use this same trunk to provide a VLAN for the VPN users with the core as their default router. The ASA is directly attached to our core 6509s.

Any other solutions available, like one that does not involve using a trunked interface? We have proxy services on the Checkpoint firewall, but I don't know if I really want to go that route, even though it would probably simplify everything.

Accepted Solution

Rahul Govindan
VIP Alumni

You can use the tunnel-default-gateway to route all traffic from your VPN to your core router/switch. This will override the ASA default gateway for VPN users alone. Once at the core device, you can route it to your Checkpoint firewall via your primary internet gateway.

More info about this here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112182-ssl-tdg-config-example-00.html

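The following ASA configuration fragment is an added illustration of the approach described in the accepted answer; it is not taken from the answer or from the linked Cisco document. On the ASA CLI the tunneled default gateway is expressed with the `tunneled` keyword on a default static route. Interface names, the pool range, the core router address, the Internet next hop and the group-policy and tunnel-group names are all assumed values chosen for the example.

```text
! --- Assumed names/addresses for illustration only ---
! inside interface faces the core 6509s; core next hop 10.1.1.254
! outside interface faces the ASA's own Internet link; next hop 203.0.113.1

! Address pool handed to AnyConnect clients (assumed range)
ip local pool ANYCONNECT_POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0

! Group policy: force everything through the tunnel (no split-tunnel exceptions)
group-policy FULL_TUNNEL internal
group-policy FULL_TUNNEL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall

! Tunnel group that hands out the pool and the full-tunnel policy
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 address-pool ANYCONNECT_POOL
 default-group-policy FULL_TUNNEL

! Normal default route: the ASA's own traffic and non-VPN traffic still leave via outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Tunneled default route: decrypted VPN traffic that matches no more-specific route
! (the OSPF-learned internal subnets) is sent to the core router on the inside
! interface instead of the outside default route. The ASA accepts one such route.
route inside 0.0.0.0 0.0.0.0 10.1.1.254 tunneled
```

Two things to check after applying this. First, the core (and the Checkpoint behind it) needs a return route for 10.99.0.0/24 pointing back at the ASA inside address, either as a static route on the core or by advertising the pool from the ASA; without it client traffic goes out but replies never come back. Second, verify the path from a connected client rather than trusting the configuration: `show route` on the ASA should list the inside default route marked as tunneled, `show vpn-sessiondb anyconnect` should show the client holding a pool address, and a traceroute from the client to an Internet host should pass through the core and the Checkpoint, whose logs should then show the pool address as the source, which is exactly the visibility and policy control the question is after.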
It worked! Thanks,