ASA 7.2 SSL VPN Internet Access no SPLIT TUNNEL

Jesse Shumaker
Level 1

I have one client that I am using for SSL VPN access to the network behind the ASA. I can get this all to work just fine and have DNS resolution within the ASA's internal LAN, but I'm not able to access the Internet through this ASA. I don't want to do split tunneling. I want all traffic sent and handled on the ASA. I'm giving out DHCP to this SSL VPN client from the server inside the ASA's network, so the SSL client is on the same network subnet as the remote LAN.

Please advise on what I should do to give Internet access to this remote SSL VPN client. I'm guessing it's a NAT issue but I'm not sure. Here's how it looks.

SSL CLIENT 192.168.0.60/24 ----------- asa -------192.168.0.0/24 inside network

6 Replies

mvegaval
Level 1

Hello Jesse,

“I'm giving out DHCP to this SSL VPN client from the server inside the ASA's network so the SSL client is on the same network subnet as the remote LAN.”

Recommendation:

In order to avoid an overlap of IP addresses in the network, assign a completely different pool of IP addresses to the VPN Client (For example, 192.168.10.x).

This requires some routing changes within your network.

About your specific request: if your goal is to handle the Internet traffic through the ASA, you might want to configure "VPN on a stick", and you achieve it by configuring hairpinning.

E.g.

The hairpinning feature is useful for VPN traffic that enters an interface but is then routed out of that same interface.

1. same-security-traffic

Use the same-security-traffic command in order to allow traffic to enter and exit the same interface.

securityappliance(config)#same-security-traffic permit intra-interface

2. NAT

The goal is that the traffic coming from the SSL Clients (192.168.10.0) can be translated with an outside IP address (in case you have one available) or the interface itself.

ciscoasa(config)#global (outside) 1 interface

!-- Use the interface as the translated IP.

ciscoasa(config)#nat (inside) 1 0.0.0.0 0.0.0.0

!-- This translates the inside network to the interface IP.

ciscoasa(config)#nat (outside) 1 192.168.10.0 255.255.255.0

!-- This translates the pool network to the interface IP.

The rest is working fine as you described before.

Regards,

Marco Vega

OK, I got this to work, thank you very much, using this article and your help.

http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008096fcf5.shtml

How can I get access to the LAN inside the ASA? Right now all traffic hits the ASA and heads to the Internet. I know this is some kind of access-list NAT statement, and I tried the following with the logic of not NATing anything that hits the ASA from the 192.168.100.0/24 subnet and is headed to the 192.168.0.0/24 subnet. This didn't work and I get "destination host unreachable".

access-list nonatsslclient extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonatsslclient extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

nat (outside) 0 access-list nonatsslclient

thanks

Can anyone help me with this:

How can I get access to the LAN inside the ASA? Right now all traffic hits the ASA and heads to the Internet. I know this is some kind of access-list NAT statement, and I tried the following with the logic of not NATing anything that hits the ASA from the 192.168.100.0/24 subnet and is headed to the 192.168.0.0/24 subnet. This didn't work and I get "destination host unreachable".

access-list nonatsslclient extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonatsslclient extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

nat (outside) 0 access-list nonatsslclient

Based on your original topology diagram:

SSL CLIENT 192.168.0.60/24 ----------- asa -------192.168.0.0/24 inside network

the SSL Client assigned address is in the same subnet as the ASA internal/inside network.

Firstly, you would need to change the SSL client assigned address to be in a completely unique subnet, let's say 192.168.5.0/24.

Then you will need to configure NONAT as per your latest post:

access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0

nat (inside) 0 access-list nonat

Then "clear xlate", and you should be able to access your internal network.

Please also check if your internal hosts have any personal firewall, etc., that might block inbound connections from a different subnet. Also check that their default gateway is pointing towards the ASA inside interface.
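The two answers above (hairpinning plus PAT for Internet access, and the NAT exemption for the inside LAN) only work together when the identity NAT is present alongside the dynamic rules, because on ASA 7.x a source that matches a dynamic nat rule needs a global on the egress interface, and the inside interface has none. The fragment below is an added worked example, not configuration from the thread or from Cisco's article, that puts both pieces into one pre-8.3 ASA 7.2 configuration. The pool subnet 192.168.10.0/24, the DNS server 192.168.0.10, and the names SSLPOOL, SSLVPN-GP and SSLVPN are assumed for illustration; the inside LAN 192.168.0.0/24 is the one from the original post.

```cisco
! Added example (not from the thread): ASA 7.2 "VPN on a stick" for an SSL VPN
! client pool with no split tunnel. Pre-8.3 NAT syntax.
! Assumed: inside LAN 192.168.0.0/24, client pool 192.168.10.0/24, DNS server
! 192.168.0.10, pool/group/tunnel-group names SSLPOOL, SSLVPN-GP, SSLVPN.

! 1. Client pool on its own subnet, distinct from the inside LAN, so inside
!    hosts route replies to the ASA instead of ARPing for the client locally.
ip local pool SSLPOOL 192.168.10.1-192.168.10.254 mask 255.255.255.0

! 2. Decrypted VPN traffic enters on "outside" and leaves on "outside" again
!    for Internet destinations; this is what permits that hairpin.
same-security-traffic permit intra-interface

! 3. Identity (no-NAT) for LAN <-> pool. nat 0 with an access-list is
!    bidirectional and is matched before the dynamic rules below, so pool
!    traffic to the LAN is never sent looking for a global on "inside".
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat

! 4. PAT everything else to the outside interface address: the inside LAN,
!    and the pool as well, since its traffic re-enters the ASA on "outside".
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.10.0 255.255.255.0

! 5. Force all client traffic into the tunnel (no split tunnel) and hand the
!    client an internal DNS server so inside names still resolve.
group-policy SSLVPN-GP internal
group-policy SSLVPN-GP attributes
 split-tunnel-policy tunnelall
 dns-server value 192.168.0.10
tunnel-group SSLVPN general-attributes
 address-pool SSLPOOL
 default-group-policy SSLVPN-GP

! 6. After changing NAT, drop existing translations and verify the path.
!    The first trace should report the NAT exempt rule; the second, the
!    dynamic PAT to the outside interface.
clear xlate
packet-tracer input outside tcp 192.168.10.5 1025 192.168.0.20 445
packet-tracer input outside tcp 192.168.10.5 1025 198.51.100.10 80
show xlate
```

If the client still reports "destination host unreachable" after this, look at the client side first: with the pool on a subnet of its own, the client's route table should send 192.168.0.0/24 into the tunnel rather than to its local LAN adapter, and that is only true once the pool no longer overlaps the inside network.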

I applied everything from Marco Vega's post with the IP changes and have it working. I applied all the commands in my last post to get access to the LAN inside the ASA and have issues with "destination network missing" errors. This is where I need assistance: getting all traffic from the remote VPN client to talk to the remote network behind the ASA. Please help with this.

thanks

Can you please share the existing ASA config, and which remote subnet you are trying to access from the SSL VPN?

That would help with configuring the correct and exact subnet in the config.