11-06-2012 07:02 AM
I've an ASA 5505, running at ASA 8.2(2). I'm using ASDM 6.2(5).
ASA is set up with Split Tunneling and it works perfectly.
However, for a few users, I want all traffic, including Internet traffic, routed through the ASA.
The spesific users IP address at internet should then be the same as ASA Outside address, not the client local address.
The question is therefore:
How to simple override the split tunneling at user level?
Alternatively set up an "tunnel all" group policy for the specified users?
Any adequate solution at all?
Thanks in advance,
Solved! Go to Solution.
11-12-2012 12:11 AM
so i would say there missing somethine like :
access-list outside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.128 192.168.1.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound <-- no nat for communication to inside
nat (outside) 1 192.168.50.0 255.255.255.128 <-- nat the first part of subnet to outside interface ip
Unfortunately i work with IOS 8.3, so there can be some misstakes in the commandline.
11-12-2012 02:38 AM
Yeap it is possible.
you can bind an acl how deny traffic to your lan network.
access-list deny-to-inside permit udp 192.168.50.0 255.255.255.128 192.168.1.0 255.255.255.0 eq 53
access-list deny-to-inside deny ip any 192.168.1.0 255.255.255.0
access-list deny-to-inside permit ip any any
group-policy "RAVtunnel_1 Kopi" attributes
vpn-filter value deny-to-inside
Bye the way you should update your asdm and ios, if possible. Update versions are asa825-33-k8 and asdm 6.49.
11-06-2012 07:58 AM
In IPsec VPN world - use seperate tunnel-groups.
In SSLVPN you can have DAP to apply different per user settings.
11-06-2012 10:29 AM
Thanks for the feedback Marcin,
I'm in the IPsec world.
I do not have much knowledge about these settings (or FW/VPN/IP in general), but I have copied the current group policy to a test policy and changed the "Split Tunneling": "Policy" -> "Tunnel all netwok" and "Network List" -> "None". I have assigned test user to the new VPN group policy.
Result: VPN connection still works, but test user can not get out on the internet.
Sorry for being helpless,
11-06-2012 11:58 AM
Ha I know how that feels. Rather than giving you the solution.
Give google a try "ASA VPN hairpin" or "ASA VPN on a stick" will give you good results.
1) Allow U-turn of traffic (same-security.... intra)
2) Apply NAT rule (for traffic from outside, going to outside) do PAT to interface of outside :-)
11-08-2012 03:49 AM
Still struggling. Did find, and ticked, "Enable traffic between two or more hosts connected to the same interface."
But Dynamic NAT rules are more complicated. What's the source for inside interface? Whats Global pool?
I've attach a screenshot of what I think I'm missing. VPN pool is 192.168.50.0 - 192.168.50.99
Your help is much appreciated
11-08-2012 03:58 AM
In ASA's implmentation of NAT traffic is performed AFTER decapsulation or BEFORE encapulation.
In this case, your VPN clients are typically connected through your outside interface and also your internet is based on the same interface.
Thus you will need something like:
nat (outside) 100 192.168.50.0 255.255.255.0
global (outside) 100 interface
(this is not syntax checked)
11-08-2012 06:17 AM
At this point this is what I recommend:
1- Create the specific group-policies and define the specific parameters:
group-policy all_traffic internal
group-policy all_traffic attributes
group-policy some_traffic internal
group-policy some_traffic attributes
2- Assign the group-policy to each user:
username full_access attributes
username some_access attributes
* This is in case you are using the LOCAL DB, if you were to implement an external AAA server, then the server could send the Attribute 25 (RADIUS) or the memberOf attribute (LDAP) which specifies lets the FW know which group-policy assign to each specific session (user).
Please rate any helpful posts
11-08-2012 06:50 AM
I completely agree in the two different group policy thinking.
I've created a new group policy, TunnelAll. It does not allow me to connect internet at all. It does not seem to allow the "U-turn" automaticly. Or in other words what I'm looking for: Allow some VPN user (those assigned to "TunnelAll) U-turn i ASA and connect internet with the ASA outside IP address.
I did try the tip from Marcin, with limited success:
Result of the command: "nat (outside) 100 192.168.50.0 255.255.255.0"
The command has been sent to the device
Result of the command: "global (outside) 100 interface"
global for this range already exists
Still stuck, I'm afraid
11-08-2012 06:58 AM
Please add the "same-security-traffic permit intra-interface".
Let me know how it goes.
Please rate any helpful posts
11-09-2012 12:39 AM
Sorry, already done
Result of the command: "show running-config same-security-traffic"
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Both group policies, SplitTunnel and TunnelAll works regarding VPN.
SplitTunnel internet works, not through ASA. Perfect/OK.
TunnelAll internet does not work. Target is that this group can access internet addressed with ASA external IP (acting as users connected to the lan inside).
I'm not an expert, so the resolution can be at any level
11-09-2012 01:52 AM
how is the ipconfig from your vpn clients which use the option "tunnelall"? it is possible, that they use a fault DNS IP?
what show the logging, do you see incomming traffic or deny messages?
11-09-2012 03:47 AM
ipconfig vpn tunnelall:
GW 0.0.0.0 (strange??)
ipconfig vpn splittunnel:
Cannot see any ASA error/deny when try to access internet (running tunnelall).
DNS is same for both groups. External DNS (isp). We've a simple infra structure.
Regarding GW 0.0.0.0 if strange:
Cannot find how to set GW assigned to group policy. If possible to set, what should i be? like inside default GW (typical 192.168.1.1) or outside address? (I don't know where in ASA the U-turn is performed)