09-13-2012 12:13 PM
We have a customer who wants to route all internet traffic from their remote sites over their head office internet connection. Put another way, when their users connect to head office using the Cisco VPN client on their PC, we need to route all internet traffic out through the head office firewall. Head Office is running an ASA where all VPN configuration is held. We have a number of VPNs set up for this customer but would welcome suggestions as to the best way to configure this particular step.
Many thanks.
09-13-2012 12:38 PM
Hi,
It sounds like U-turning or hairpinning for VPN clients, so they could access the Internet across the tunnel.
In case this is for an ASA 8.2 or earlier:
same-security-traffic permit intra-interface
nat (outside) 1 192.168.1.0 255.255.255.0 ---> IP range assigned to the VPN clients.
global (outside) 1 interface
In case this is for an ASA 8.3 or later:
same-security-traffic permit intra-interface
object network vpn-pool
subnet 192.168.1.0 255.255.255.0
nat (outside,outside) dynamic interface
!
About the VPN configuration:
group-policy mypolicy attributes
split-tunnel-policy tunnelall
!
tunnel-group mytunnel general-attributes
default-group-policy mypolicy
!
Pros:
1- Internet access controlled by the ASA.
Cons:
1- ASA's Internet connection will be highly impacted, since it will be used by the VPN clients to access the Internet.
Alternative solution:
Send all the traffic to an internal Layer 3 device or server which has an external Internet connection, so the ASA forwards all the traffic to this device. If this unit is able to perform advanced web filtering like the Microsoft IIS appliance, then you would have a powerful way to control your users and what they access, preventing undesired sites such as adult sites and entertainment.
For this all you need is the following:
route inside 0 0 192.168.10.1 tunneled ---> where the 192.168.10.1 is the internal device in charge of providing Internet.
* Keep in mind that this device must have an external connection to the Internet, not across the ASA.
Let me know.
Portu.
Please rate any post you find useful.
Message was edited by: Javier Portuguez
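As an added example (not from the thread or from Cisco), the following script checks a saved ASA running-config for the pieces the answer above lists: the intra-interface permit, a NAT rule for the VPN pool on the outside interface (it accepts both the pre-8.3 nat/global pair and the 8.3+ object NAT), a group-policy with tunnelall, and a tunnel-group that actually applies that policy. The config text and names are constructed; it assumes child lines are indented by one space as in "show running-config" output.

```python
import re

# Constructed 8.3+ config fragment (hypothetical names, not from the thread).
SAMPLE_CONFIG = """
same-security-traffic permit intra-interface
object network vpn-pool
 subnet 192.168.1.0 255.255.255.0
 nat (outside,outside) dynamic interface
group-policy mypolicy attributes
 split-tunnel-policy tunnelall
tunnel-group mytunnel general-attributes
 default-group-policy mypolicy
"""

# Constructed pre-8.3 equivalent using the nat/global pair.
OLD_CONFIG = """
same-security-traffic permit intra-interface
nat (outside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
group-policy mypolicy attributes
 split-tunnel-policy tunnelall
tunnel-group mytunnel general-attributes
 default-group-policy mypolicy
"""

def parse_blocks(config):
    """Split config into (header, [child lines]) pairs; blank and '!' lines are dropped."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def check_hairpin_config(config):
    """Return the list of missing pieces for VPN clients to reach the Internet
    via the ASA outside interface; an empty list means everything is present."""
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    missing = []
    if "same-security-traffic permit intra-interface" not in headers:
        missing.append("same-security-traffic permit intra-interface")
    # 8.3+ object NAT, or a pre-8.3 nat/global pair sharing the same NAT id
    new_nat = any(h.startswith("object network ") and
                  "nat (outside,outside) dynamic interface" in c for h, c in blocks)
    nat_ids = {m.group(1) for h in headers
               for m in [re.match(r"nat \(outside\) (\d+) ", h)] if m}
    global_ids = {m.group(1) for h in headers
                  for m in [re.match(r"global \(outside\) (\d+) interface", h)] if m}
    if not (new_nat or nat_ids & global_ids):
        missing.append("NAT for the VPN pool on the outside interface")
    # group-policies that force all client traffic into the tunnel
    tunnelall = {h.split()[1] for h, c in blocks
                 if h.startswith("group-policy ") and h.endswith(" attributes")
                 and "split-tunnel-policy tunnelall" in c}
    if not tunnelall:
        missing.append("group-policy with split-tunnel-policy tunnelall")
    applied = any(h.startswith("tunnel-group ") and h.endswith(" general-attributes")
                  and any(l.startswith("default-group-policy ") and l.split()[1] in tunnelall
                          for l in c) for h, c in blocks)
    if not applied:
        missing.append("tunnel-group referencing a tunnelall group-policy")
    return missing
```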
09-13-2012 12:48 PM
Hello,
Portu makes a good suggestion, however, it's not a recommended solution for VPN clients to access their own Internet while accessing the corporate network at the same time, it's a risky solution. So, a proper way of doing it should be either through the ASA, if it doesn't affect performance for a normally low-to-medium number of users, OR you can direct them as mentioned to another secure gateway.
HTH
Mohamed
09-13-2012 12:58 PM
I agree, my previous post was added assuming that tunnel-all is the only option.
Thanks for adding more details Mohamed (5 stars).
09-14-2012 01:29 PM
Hi Portu,
We set this up in our lab and it works fine, thank you. We are just troubleshooting a speed issue over the VPN as it seems to be suffering some sort of speed issue with traffic going out to the internet. We have huge bandwidth, 40mb on one connection and 10mb on the other, so we would expect to see reasonable speeds for the remote traffic exiting the main site ASA to the internet, but we are only getting 1mb in both directions. The setup is in the lab so there is no other traffic on the network.
Thanks,