INTERNET ACCESS OVER REMOTE VPN

veltech
Level 1

We have a customer who wants to route all Internet traffic from their remote sites over their head office Internet connection. Put another way, when their users connect to head office using the Cisco VPN client on their PC, we need to route all Internet traffic out through the head office firewall. Head Office is running an ASA where all VPN configuration is held. We have a number of VPNs set up for this customer but would welcome suggestions as to the best way to configure this particular step.

Many thanks.

Accepted Solution

Hi,

It sounds like U-turning or hairpinning for VPN clients, so they can access the Internet across the tunnel.

In case this is for an ASA 8.2 or earlier:

same-security-traffic permit intra-interface

nat (outside) 1 192.168.1.0 255.255.255.0 ---> IP range assigned to the VPN clients.

global (outside) 1 interface

In case this is for an ASA 8.3 or later:

same-security-traffic permit intra-interface

object network vpn-pool
     subnet 192.168.1.0 255.255.255.0
     nat (outside,outside) dynamic interface ---> object NAT; the nat line sits inside the object.

!

About the VPN configuration:

group-policy mypolicy attributes
     split-tunnel-policy tunnelall
!
tunnel-group mytunnel general-attributes
     default-group-policy mypolicy
!

Pros:

1- Internet access controlled by the ASA.

Cons:

1- ASA's Internet connection will be highly impacted, since it will be used by the VPN clients to access the Internet.

Alternative solution:

Send all the traffic to an internal Layer 3 device or server which has an external Internet connection, so the ASA forwards all the traffic to this device. If this unit is able to perform advanced web filtering, like the Microsoft IIS appliance, then you would have a powerful way to control your users and what they access, preventing undesired sites such as adult and entertainment sites.

For this all you need is the following:

route inside 0 0 192.168.10.1 tunneled ---> where the 192.168.10.1 is the internal device in charge of providing Internet.

* Keep in mind that this device must have its own external connection to the Internet, not across the ASA.

Let me know.

Portu.

Please rate any post you find useful.

Message was edited by: Javier Portuguez
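As an added example (not part of Portu's post and not a Cisco tool), the following Python script audits a saved "show running-config" for the four things the accepted solution relies on: same-security-traffic permit intra-interface, a hairpin NAT for the VPN pool in either the pre-8.3 nat/global form or the 8.3+ object NAT form, a tunnel-group whose default group-policy forces tunnel-all, and the absence of a "route ... tunneled" default route, which is the post's alternative design and would steer decrypted VPN traffic to the inside gateway instead of back out the outside interface. The object name vpn-pool, the group-policy mypolicy, the tunnel-group mytunnel and the 192.168.1.0/24 pool are the names used in the post and are assumed here; the three sample configs are constructed for illustration, and the first one deliberately carries the "defaul-group-policy" typo as pasted, which the ASA CLI would reject.

```python
# Audits a saved Cisco ASA running-config for the VPN-client hairpin prerequisites
# given in the thread. Constructed samples; vpn-pool, mypolicy and mytunnel are the
# post's names and are assumed here.
import re

SAMPLE_AS_POSTED = """\
same-security-traffic permit intra-interface
object network vpn-pool
 subnet 192.168.1.0 255.255.255.0
 nat (outside,outside) dynamic interface
!
group-policy mypolicy attributes
 split-tunnel-policy tunnelall
!
tunnel-group mytunnel general-attributes
 defaul-group-policy mypolicy
"""
SAMPLE_FIXED = SAMPLE_AS_POSTED.replace("defaul-group-policy", "default-group-policy")

# Pre-8.3 nat/global syntax, plus the post's alternative 'tunneled' default route.
SAMPLE_82 = """\
same-security-traffic permit intra-interface
nat (outside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
route inside 0.0.0.0 0.0.0.0 192.168.10.1 1 tunneled
group-policy mypolicy attributes
 split-tunnel-policy tunnelall
tunnel-group mytunnel general-attributes
 default-group-policy mypolicy
"""

def parse_asa(config):
    """Split a config into (top_lines, blocks); ASA indents block children by one space."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks

def has_hairpin_nat(top, blocks, pool):
    """Pool PATed to the outside address for outside->outside traffic, 8.3+ or pre-8.3 syntax."""
    subnet = f"{pool[0]} {pool[1]}"
    for header, children in blocks.items():  # 8.3+: object NAT with (outside,outside)
        if (header.startswith("object network ") and f"subnet {subnet}" in children
                and any(c.startswith("nat (outside,outside) dynamic ") for c in children)):
            return True
    nat_re = re.compile(r"nat \(outside\) (\d+) " + re.escape(subnet) + "$")
    global_re = re.compile(r"global \(outside\) (\d+) interface$")
    nat_ids = {m.group(1) for m in map(nat_re.match, top) if m}
    global_ids = {m.group(1) for m in map(global_re.match, top) if m}
    return bool(nat_ids & global_ids)  # pre-8.3: nat/global pair sharing one id

def tunnel_all_policy(blocks, tunnel_group):
    """(ok, message): the tunnel-group's default group-policy must force tunnel-all."""
    children = blocks.get(f"tunnel-group {tunnel_group} general-attributes", [])
    policy = next((c.split()[1] for c in children if c.startswith("default-group-policy ")), None)
    typo = next((c for c in children if c.startswith("defaul-group-policy")), None)
    if typo:  # the line as pasted in the thread; not an ASA keyword, so the CLI rejects it
        return False, f"typo, ASA would reject this line: '{typo}'"
    if policy is None:
        return False, f"no default-group-policy on tunnel-group {tunnel_group}"
    if "split-tunnel-policy tunnelall" not in blocks.get(f"group-policy {policy} attributes", []):
        return False, f"group-policy {policy} does not set split-tunnel-policy tunnelall"
    return True, f"group-policy {policy} forces tunnel-all"

def tunneled_default_route(top):
    """Gateway of a 'route <if> 0 0 <gw> tunneled' line (the post's alternative), or None."""
    for line in top:
        m = re.match(r"route \S+ 0(?:\.0\.0\.0)? 0(?:\.0\.0\.0)? (\S+)(?: \d+)? tunneled$", line)
        if m:
            return m.group(1)
    return None

def audit_hairpin(config, pool=("192.168.1.0", "255.255.255.0"), tunnel_group="mytunnel"):
    """Return {check: (ok, message)}; all ok means VPN clients hairpin out via outside."""
    top, blocks = parse_asa(config)
    gw = tunneled_default_route(top)
    return {
        "intra_interface": ("same-security-traffic permit intra-interface" in top,
                            "traffic must be allowed to enter and leave the outside interface"),
        "hairpin_nat": (has_hairpin_nat(top, blocks, pool),
                        f"pool {pool[0]} must be PATed to the outside interface address"),
        "tunnel_all": tunnel_all_policy(blocks, tunnel_group),
        # A tunneled default route wins for decrypted VPN traffic, bypassing the hairpin.
        "no_tunneled_route": (gw is None, "no 'route ... tunneled' present" if gw is None
                              else f"VPN traffic steered to {gw} by 'route ... tunneled'"),
    }

if __name__ == "__main__":
    for name, cfg in (("as posted", SAMPLE_AS_POSTED), ("fixed", SAMPLE_FIXED), ("8.2", SAMPLE_82)):
        res = audit_hairpin(cfg)
        print(f"{name}: ready={all(ok for ok, _ in res.values())}",
              *(f"  {k}: {ok} ({msg})" for k, (ok, msg) in res.items()), sep="\n")
```

To use it on a real box, save the output of "show running-config" to a file and pass its contents to audit_hairpin(); a config that has both the hairpin NAT and a tunneled default route is reported as not ready, because the tunneled route, not the hairpin, decides where the clients' Internet traffic goes.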

Mohamed Sobair
Level 7

Hello,

Portu makes a good suggestion; however, it's not a recommended solution for VPN clients to access their own Internet while accessing the corporate network at the same time, it's a risky solution. So a proper way of doing it should be either through the ASA, if it doesn't affect performance for a normally low-to-medium number of users, OR you can direct them, as mentioned, to another secure gateway.

HTH

Mohamed

I agree; my previous post was added assuming that tunnel-all is the only option.

Thanks for adding more details Mohamed (5 stars).

veltech
Level 1

Hi Portu,

We set this up in our lab and it works fine, thank you. We are just troubleshooting a speed issue over the VPN, as it seems to be suffering some sort of speed issue with traffic going out to the Internet. We have huge bandwidth, 40 Mb on one connection and 10 Mb on the other, so we would expect to see reasonable speeds for the remote traffic exiting the main site ASA to the Internet, but we are only getting 1 Mb in both directions. The setup is in the lab, so it has no other traffic on the network.

Thanks,