
Disable split tunneling to navigate through remote gateway

67P6FER67
Level 1

Hi everyone,

I run a Cisco ASA 5510 and I want to know how to configure the ASA to let some of the AAA users navigate through the remote gateway (with the remote public IP).

I've already configured IPsec and SSL group policies, and I know I can disable split tunneling. I did that, but remote users (connected with the Cisco IPsec VPN client) can access the remote LAN, but when they try to navigate the internet, there's no IP connection.

Do I have to configure some NAT? I've already configured some rules to let the VPN IP pool go to the internet.

I just want my remote users to navigate on the internet through the VPN tunnel and the remote gateway (the ASA).

Can someone explain to me how to do that? Do I have to set up a proxy?

Thank you !

1 Reply 1

Fabio Jorge
Level 1

Hello 67P7,

There is an option that permits VPN clients to reach internet sites over the IPsec tunnel. I have no visibility into your ASA, so I'm going to send some options; please try them and let me know.

PS: You need to disable split tunneling and use split-tunnel-policy tunnelall

Example:

Inside Network: 192.168.1.0/24

VPN Pool: 192.168.2.0/24

IP outside ASA: 200.200.200.200

IP outside NAT ASA: 200.200.200.201 "if used"

First:

Create a NAT condition:

==> Nat to Internet <===

! VPN pool traffic enters the ASA on the outside interface, so the dynamic NAT rule goes on (outside)
nat (outside) 1 192.168.2.0 255.255.255.0

! if you are using the outside IP address to NAT
global (outside) 1 interface

or

! if you are using a specific IP address to NAT
global (outside) 1 200.200.200.201 netmask 255.255.255.255

===> No Nat <===

access-list VPN_NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

!

nat (inside) 0 access-list VPN_NONAT

!

===> IPSEC and Hairpinning use <===

same-security-traffic permit intra-interface

Let me know about it.

Good luck.

Fabio Jorge Amorim
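
A configuration check for the pieces listed in the reply above, as an added example that is not part of the original thread: it reads a saved running-config and reports which full-tunnel hairpin requirements are missing. It assumes the pre-8.3 `nat`/`global` syntax used in the reply and an egress interface named `outside`; the function name `audit_hairpin`, the group-policy name `REMOTE_USERS` and the sample config are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample (pre-8.3 ASA syntax) built from the example addresses in the reply.
# The group-policy name REMOTE_USERS is hypothetical.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
access-list VPN_NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list VPN_NONAT
nat (outside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
group-policy REMOTE_USERS attributes
 split-tunnel-policy tunnelall
"""

NAT_RE = re.compile(r"nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")

def audit_hairpin(config, pool, policy, egress="outside"):
    """Return findings; an empty list means every full-tunnel hairpin piece is present."""
    pool_net = ipaddress.ip_network(pool)
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    findings = []
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("intra-interface traffic not permitted (hairpin blocked)")

    # Sub-commands of a group-policy are the indented lines under its header.
    in_policy = tunnelall = False
    for line in lines:
        if not line.startswith(" "):
            in_policy = line == f"group-policy {policy} attributes"
        elif in_policy and line.strip() == "split-tunnel-policy tunnelall":
            tunnelall = True
    if not tunnelall:
        findings.append(f"group-policy {policy} is not tunnelall")
    # Dynamic NAT (id != 0) for the pool must sit on the interface the clients arrive on.
    nat_ids = set()
    for m in filter(None, map(NAT_RE.match, lines)):
        ifc, nat_id, net, mask = m.groups()
        if nat_id == "0" or not pool_net.subnet_of(ipaddress.ip_network(f"{net}/{mask}", strict=False)):
            continue
        if ifc == egress:
            nat_ids.add(nat_id)
        else:
            findings.append(f"pool NAT is on ({ifc}), clients arrive on ({egress})")
    if not nat_ids:
        findings.append(f"no dynamic NAT for {pool} on ({egress})")
    elif not any(re.match(rf"global ?\({re.escape(egress)}\) ({'|'.join(nat_ids)}) ", l) for l in lines):
        findings.append(f"no matching global ({egress}) for the pool NAT id")
    return findings
```

Run it against the output of `show running-config` saved to a file, passing the VPN pool in CIDR form and the group-policy assigned to the full-tunnel users.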