
How do I allow IPSEC users to surf the internet without split tunneling?

philip.r.hayes
Level 1

I have an ASA5505 with 8.2(3) running. The following is the routing table: (I have substituted 200.200.200.x for actual IPs)

Gateway of last resort is 200.200.200.1 to network 0.0.0.0

C    200.200.200.0 255.255.255.128 is directly connected, outside
C    192.168.10.0 255.255.255.0 is directly connected, dmz
S    192.168.251.100 255.255.255.255 [1/0] via 200.200.200.1, outside
C    10.8.0.0 255.255.0.0 is directly connected, inside-CrazyPeople
S    10.0.0.0 255.0.0.0 [1/0] via 10.8.24.230, inside-CrazyPeople
S*   0.0.0.0 0.0.0.0 [1/0] via 200.200.200.1, outside

Since 0.0.0.0 default route points to the outside, when connected in (IPSEC), all traffic is local. I cannot get to google and other websites. I know that split-tunneling would fix this but I would rather not turn that up.

Is there a way to do this?

Also, the intranet has a proxy server which is on 10.x.x.x. I have tried using proxy settings in browsers and that doesn't work either.

Any suggestions?

5 Replies

ahmurad
Cisco Employee

Hello,

Since you don't need to allow the split tunnel for the inside network (or the segments that you need to tunnel), you need to do the following:

nat (outside) x pool

global (outside) x interface

In this scenario, you can PAT the traffic from the pool using the outside interface IP.

With this workaround, you need to keep in mind the following:

1. You need to allow "same-security-traffic permit intra-interface".

2. You need to check the order of NAT configuration; you can use the same NAT ID for the nat (outside) pool.

Ahmad.

Richard Burts
Hall of Fame

Philip

It is pretty obvious how to configure a default route for traffic from the ASA and it would appear that you have this in your configuration:

route outside 0.0.0.0 0.0.0.0 200.200.200.1 1

It is less obvious that you can also configure a default route for traffic that gets to the ASA via Remote Access VPN. I would suggest that you put this into your config and let us know if it helps:

route outside 0.0.0.0 0.0.0.0 200.200.200.1 tunneled

note: you probably also need this in your config:

same-security-traffic permit intra-interface

which will allow traffic that arrives on the outside interface to be routed back out the same interface.

Give it a try and let us know the results.

HTH

Rick


Rick,

No need for the tunneled keyword here on the route, since the traffic will be routed normally using the default route in the routing table, which already points to outside.

Yes, of course, we need the "same-security-traffic" command, to allow the traffic "in and out" on the same interface.

Philip, try the suggested commands and let me know the results.

Ahmad.

philip.r.hayes
Level 1

Thanks guys! Some good ideas to try.

If anyone else has any thoughts on this, please share.


See below a config example for Internet VPN on a stick:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

Please remember to rate all posts that are helpful.
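Putting Ahmad's and Rick's suggestions together, here is an added ASA 8.2 configuration example for a full-tunnel ("VPN on a stick") setup; it is not taken from the thread or from the linked document. The pool name VPN-POOL, the pool range 10.200.0.0/24, the group policy RA-POLICY, the ACL name NONAT and NAT ID 1 are assumed; the interface name inside-CrazyPeople and the intranet range 10.0.0.0/8 come from the routing table above.

```cisco
! Added example, not from the original thread. Names and addresses are assumed.
!
! 1. Let traffic that arrives on outside (decrypted IPsec) leave via outside again.
same-security-traffic permit intra-interface
!
! 2. Address pool handed to remote-access clients (constructed range).
ip local pool VPN-POOL 10.200.0.1-10.200.0.254 mask 255.255.255.0
!
! 3. Full tunnel: clients send everything, including Internet traffic, into the tunnel.
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelall
 address-pools value VPN-POOL
!
! 4. NAT exemption: intranet <-> VPN pool traffic must not be translated (NAT ID 0).
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 10.200.0.0 255.255.255.0
nat (inside-CrazyPeople) 0 access-list NONAT
!
! 5. Hairpin PAT: pool traffic entering on outside and bound for the Internet
!    is translated to the outside interface IP before it leaves via outside.
!    The same NAT ID is reused for the inside PAT, as Ahmad notes.
nat (outside) 1 10.200.0.0 255.255.255.0
nat (inside-CrazyPeople) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface
```

The default route already points to outside, so no "tunneled" route is needed; verify with "show nat" that pool traffic to 10.0.0.0/8 hits the NAT 0 exemption and only Internet-bound flows are PATed.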