11-06-2012 07:02 AM
Hi,
I have an ASA 5505, running ASA 8.2(2). I'm using ASDM 6.2(5).
ASA is set up with Split Tunneling and it works perfectly.
However, for a few users, I want all traffic, including Internet traffic, routed through the ASA.
The specific users' IP address on the internet should then be the same as the ASA outside address, not the client's local address.
The question is therefore:
How to simply override the split tunneling at user level?
Alternatively, set up a "tunnel all" group policy for the specified users?
Any adequate solution at all?
Thanks in advance,
Erik
11-12-2012 12:11 AM
Hello Erik,
so I would say there is something missing like:
access-list outside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.128 192.168.1.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound <-- no nat for communication to inside
nat (outside) 1 192.168.50.0 255.255.255.128 <-- nat the first part of subnet to outside interface ip
Unfortunately I work with IOS 8.3, so there can be some mistakes in the command line.
11-12-2012 02:38 AM
Yep, it is possible.
You can bind an ACL that denies traffic to your LAN network.
something like:
access-list deny-to-inside permit udp 192.168.50.0 255.255.255.128 192.168.1.0 255.255.255.0 eq 53
access-list deny-to-inside deny ip any 192.168.1.0 255.255.255.0
access-list deny-to-inside permit ip any any
group-policy "RAVtunnel_1 Kopi" attributes
vpn-filter value deny-to-inside
By the way, you should update your ASDM and IOS, if possible. Updated versions are asa825-33-k8 and asdm 6.49.
11-06-2012 07:58 AM
Erik,
In the IPsec VPN world, use separate tunnel-groups.
In SSL VPN you can have DAP to apply different per-user settings.
M.
11-06-2012 10:29 AM
Thanks for the feedback Marcin,
I'm in the IPsec world.
I do not have much knowledge about these settings (or FW/VPN/IP in general), but I have copied the current group policy to a test policy and changed the "Split Tunneling": "Policy" -> "Tunnel all networks" and "Network List" -> "None". I have assigned the test user to the new VPN group policy.
Result: VPN connection still works, but the test user cannot get out on the internet.
Sorry for being helpless,
Erik
11-06-2012 11:58 AM
Erik,
Ha, I know how that feels. Rather than giving you the solution,
give Google a try: "ASA VPN hairpin" or "ASA VPN on a stick" will give you good results.
TL;DR
1) Allow U-turn of traffic (same-security.... intra)
2) Apply NAT rule (for traffic from outside, going to outside) do PAT to interface of outside :-)
M.
11-08-2012 03:49 AM
Thanks again,
DRALBDNUA...DidReadALotButDidNotUnderstandAll..
Still struggling. Did find, and ticked, "Enable traffic between two or more hosts connected to the same interface."
But Dynamic NAT rules are more complicated. What's the source for the inside interface? What's the Global pool?
I've attached a screenshot of what I think I'm missing. VPN pool is 192.168.50.0 - 192.168.50.99
Your help is much appreciated
Thanks,
Erik
11-08-2012 03:58 AM
Erik,
In the ASA's implementation of NAT, translation is performed AFTER decapsulation or BEFORE encapsulation.
In this case, your VPN clients are typically connected through your outside interface and your internet access is also on the same interface.
Thus you will need something like:
nat (outside) 100 192.168.50.0 255.255.255.0
global (outside) 100 interface
(this is not syntax checked)
M.
11-08-2012 06:17 AM
Dear Erik,
At this point this is what I recommend:
1- Create the specific group-policies and define the specific parameters:
group-policy all_traffic internal
group-policy all_traffic attributes
split-tunnel-policy tunnelall
!
group-policy some_traffic internal
group-policy some_traffic attributes
split-tunnel-policy tunnelspecified
2- Assign the group-policy to each user:
username full_access attributes
vpn-group-policy all_traffic
!
username some_access attributes
vpn-group-policy some_traffic
!
* This is in case you are using the LOCAL DB; if you were to implement an external AAA server, then the server could send Attribute 25 (RADIUS) or the memberOf attribute (LDAP), which lets the FW know which group-policy to assign to each specific session (user).
HTH.
Portu.
Please rate any helpful posts
11-08-2012 06:50 AM
Hi,
I completely agree with the two-different-group-policies thinking.
I've created a new group policy, TunnelAll. It does not allow me to connect to the internet at all. It does not seem to allow the "U-turn" automatically. Or in other words, what I'm looking for: allow some VPN users (those assigned to "TunnelAll") to U-turn in the ASA and connect to the internet with the ASA outside IP address.
I did try the tip from Marcin, with limited success:
Result of the command: "nat (outside) 100 192.168.50.0 255.255.255.0"
The command has been sent to the device
Result of the command: "global (outside) 100 interface"
global for this range already exists
Still stuck, I'm afraid
Thanks,
Erik
11-08-2012 06:58 AM
Hi Erik,
Please add the "same-security-traffic permit intra-interface".
Let me know how it goes.
Portu.
Please rate any helpful posts
11-09-2012 12:39 AM
Hi,
Sorry, already done
Result of the command: "show running-config same-security-traffic"
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Status:
Both group policies, SplitTunnel and TunnelAll, work regarding VPN.
SplitTunnel: internet works, not through ASA. Perfect/OK.
TunnelAll: internet does not work. The target is that this group can access the internet addressed with the ASA external IP (acting as users connected to the LAN inside).
I'm not an expert, so the resolution can be at any level.
Thanks,
Erik
11-09-2012 01:52 AM
Hi Erik,
What does the ipconfig look like on your VPN clients which use the option "tunnelall"? Is it possible that they use a faulty DNS IP?
What does the logging show? Do you see incoming traffic or deny messages?
11-09-2012 03:47 AM
Hi,
ipconfig vpn tunnelall:
192.168.50.1 255.255.255.0
GW 0.0.0.0 (strange??)
ipconfig vpn splittunnel:
192.168.50.1 255.255.255.0
GW (blank)
Cannot see any ASA error/deny when trying to access the internet (running tunnelall).
DNS is the same for both groups. External DNS (ISP). We have a simple infrastructure.
Regarding GW 0.0.0.0, if strange:
Cannot find how to set the GW assigned to a group policy. If it is possible to set, what should it be? Like the inside default GW (typically 192.168.1.1) or the outside address? (I don't know where in the ASA the U-turn is performed.)
Thanks again,
Erik
11-09-2012 05:22 AM
Hi Erik,
The gateway setting is normal; you can't set a gateway IP with the policy or connection group.
So when you are connected with your tunnelall client, can you reach a system in your inside network? And if yes, do you use the IP address to connect, or the FQDN?
Can you post your firewall config (NAT, ACL, Policy and Connection Group)?
11-09-2012 07:13 AM
Hi,
When on tunnelall I have full access to map the NAS drive inside by IP/sharename. No existing domain/AD.
I'm not sure what you need; I hope all is to be found below.
"RAVtunnel-1" is the "SplitTunnel"
"RAVtunnel-1 Kopi" is the "TunnelAll"
Thanks,
Erik
: Saved
:
ASA Version 8.2(2)
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xx7.58 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
boot system disk0:/asa822-k8.bin
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service HTTP_RDP tcp
port-object eq 3389
port-object eq www
object-group service RDP_80_8080 tcp
port-object eq 3389
port-object eq 8080
port-object eq www
object-group service 9300 tcp
port-object eq 9300
object-group service 9510 tcp
port-object eq 9510
object-group service DM_INLINE_TCP_1 tcp
group-object 9300
group-object 9510
group-object RDP_80_8080
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.128
access-list RAVtunnel_splitTunnelAcl standard permit any
access-list split-tunnel-ACL standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any host xxx.xxx.xx7.60 object-group RDP_80_8080
access-list outside_access_in extended permit tcp any host xxx.xxx.xx7.61 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host xxx.xxx.xx7.62 eq www
pager lines 24
logging enable
logging buffer-size 10000
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool RemoteRAVPool 192.168.50.1-192.168.50.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 100 10.30.30.20-10.30.30.50 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xx7.61 192.168.1.61 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xx7.60 192.168.1.60 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xx7.62 192.168.1.62 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xx7.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
s
authentication pre-share
lifetime 86400
no crypto isakmp nat-traversal
dhcpd auto_config outside
!
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RAVtunnel_1 internal
group-policy RAVtunnel_1 attributes
dns-server value xxx.xxx.0.100 xxx.xxx.0.200
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel-ACL
group-policy "RAVtunnel_1 Kopi" internal
group-policy "RAVtunnel_1 Kopi" attributes
dns-server value xxx.xxx.0.100 xxx.xxx.0.200
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
vpn-group-policy RAVtunnel_1
tunnel-group RAVtunnel type remote-access
tunnel-group RAVtunnel general-attributes
address-pool RemoteRAVPool
default-group-policy RAVtunnel_1
tunnel-group RAVtunnel ipsec-attributes
pre-shared-key *****
tunnel-group-map default-group RAVtunnel
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
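The posted running-config has the intra-interface permit but none of the NAT pieces the replies above call for. As an added example (not from this thread or from Cisco), here is a small Python audit that reads an ASA 8.2-style config and reports whether the three hairpin prerequisites hold for every ip local pool: the intra-interface permit, a nat (outside) rule with a matching global (outside) that covers the pool, and a nat (outside) 0 exemption whose source covers the pool. The two embedded configs are constructed: the first is an excerpt of the config above, the second adds the three lines from the accepted answer.

```python
"""Audit an ASA 8.2-style config for the pieces a tunnel-all "hairpin" needs (added example)."""
import ipaddress, re

# Constructed excerpt of the running-config posted above (relevant lines only).
POSTED_CONFIG = """\
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.128
ip local pool RemoteRAVPool 192.168.50.1-192.168.50.99 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# Same excerpt plus the three lines the accepted answer proposes.
FIXED_CONFIG = POSTED_CONFIG + """\
access-list outside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.128 192.168.1.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 1 192.168.50.0 255.255.255.128
"""

def take_net(tokens):  # consume 'any' or 'NET MASK'; return (network, remaining tokens)
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def audit_hairpin(cfg):
    intra, pools, nats, globs, acls = False, [], [], set(), {}
    for line in (l.strip() for l in cfg.splitlines()):
        if line == "same-security-traffic permit intra-interface":
            intra = True
        elif m := re.match(r"ip local pool \S+ (\S+)-(\S+)", line):
            pools.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
        elif m := re.match(r"global \((\w+)\) (\d+) ", line):
            globs.add((m[1], m[2]))                      # (egress interface, NAT id)
        elif m := re.match(r"nat \((\w+)\) (\d+) (.+)", line):
            nats.append((m[1], m[2], m[3].split()))      # (ingress interface, id, args)
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            src, rest = take_net(m[2].split())
            acls.setdefault(m[1], []).append((src, take_net(rest)[0]))
    covers = lambda net, pool: pool[0] in net and pool[1] in net
    pat_ok = exempt_ok = bool(pools)
    for pool in pools:
        pat = exempt = False
        for iface, nid, args in nats:              # decrypted VPN traffic enters on outside
            if iface == "outside" and nid == "0" and args[0] == "access-list":
                exempt |= any(covers(src, pool) for src, _ in acls.get(args[1], []))
            elif iface == "outside" and args[0] != "access-list" and ("outside", nid) in globs:
                pat |= covers(take_net(args)[0], pool)     # PAT of the pool on outside
        pat_ok, exempt_ok = pat_ok and pat, exempt_ok and exempt
    return {"intra_interface": intra, "pool_pat_on_outside": pat_ok, "pool_exempt_to_inside": exempt_ok}
```

Run `audit_hairpin(POSTED_CONFIG)` and `audit_hairpin(FIXED_CONFIG)` to compare the two; only the "host A" address form is not parsed.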
11-09-2012 07:17 AM
Erik,
What if you try to ping 4.2.2.2, does it work?
Please try that and enable the following debug: "debug icmp trace".
We should see the translation to the outside IP.
Let me know.
Portu.