local access on ssl vpn

suthomas1
Level 6

Hi,

following is the setup:

Users(location A) ---- Internet -  ASA ( ssl vpn ) - LocationB

Users in location A use SSL VPN via the web to connect to resources in location B. This works.

However, the location A users also need to access their own internal network resources at A while they are still connected to the SSL VPN.

So, if a user from location A is connected to the SSL VPN, they can ping IPs in location B, but their own internal network IPs are not pingable anymore.

ASA ver is 8.0(4)

Please help: how can this be done, and is there a different configuration for this? Do we need to use tunnelling?

Thanks in advance.


7 Replies

Lee Valentin
Level 1

Need to configure Split Tunneling at LocationB

http://goo.gl/RCr5Y

Configured correctly, SSL VPN users will only encrypt traffic destined for LocationB.

Good luck

Thank you Lee. So if I configure split tunneling on the ASA, should we select "Tunnel network list below" or "Exclude network list below" under the particular policy? The requirement is to allow location A users to access their own network 10.55.0.0/16 while still being connected to the SSL VPN and accessing resources at the location B network.

Since the access required is also local, shouldn't we exclude the local subnet from being encrypted by the tunnel?

In this scenario, will 10.55.0.0/16 need to be put under either of the two options?

Tunnel Network List Below and use the LAN block at LocationB that the remote users require access to.

Thanks again Lee. Apologies, but I feel my question has not been understood correctly. Maybe I have not stated it properly. Let me re-phrase it.

Users(location A  10.55.0.0/16) ---- Internet -  ASA ( ssl vpn ) - LocationB (154.65.0.0 /22 )

Loc A users connect to the SSL VPN on the ASA and can successfully access 154.65.0.0/22 at loc B. Now the need is to also let loc A users connect to and use their own internal LAN 10.55.0.0/16 while they are still connected to the SSL VPN.

In this scenario, is "tunnel network list" with the LAN block correct?

Thanks again.

Correct, so instead of tunneling ALL traffic, you will need to only tunnel 154.65.0.0/22

access-list sslvpnsplittunnel standard permit 154.65.0.0 255.255.252.0

Apply the ACL to the SSL VPN Group Policy

So, if ASDM is used to configure this, we should put 154.66.0.0/22 under the "Tunnel network list below" option in the policy. Please correct me if this is wrong.

Another query related to this: the ASA used here is also being used by another entity, e.g. users from location C. In this case, after split tunnel is enabled for loc A to access its own LAN 154.66.0.0/22 while still connected to the SSL VPN, will this also allow loc C to access loc A's internal network, since split tunnel is enabled and both A and C are using the same device for VPN?

Thanks in advance.

Correct.

Any remote users tied to that policy will only tunnel 154.66.0.0/22.
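As an added example (not from any post in this thread), here is how the split-tunnel ACL from the accepted answer is attached to a group policy on the ASA CLI, with the ASDM option names from the follow-up question mapped to their CLI keywords; the group-policy and tunnel-group names are assumed, and nothing about location C's addressing is known, so its policy is only sketched.

```text
! Added example, not the thread's own config. Names LOCA_POLICY, LOCA_SSLVPN,
! LOCC_POLICY and LOCC_SSLVPN are assumed.
!
! 1. Destinations that should be sent INTO the tunnel (LocationB, 154.65.0.0/22).
!    A standard ACL takes network + mask only; there is no "ip" keyword.
access-list sslvpnsplittunnel standard permit 154.65.0.0 255.255.252.0
!
! 2. Group policy for the location A users.
!    ASDM "Tunnel Network List Below"  = split-tunnel-policy tunnelspecified
!    ASDM "Exclude Network List Below" = split-tunnel-policy excludespecified
!    With tunnelspecified, only the ACL's networks go over the VPN; everything
!    else (including 10.55.0.0/16) stays on the client's local interface, which
!    is what restores access to location A's own LAN.
group-policy LOCA_POLICY internal
group-policy LOCA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sslvpnsplittunnel
!
! 3. Bind the policy to the connection profile location A users log in through.
tunnel-group LOCA_SSLVPN type remote-access
tunnel-group LOCA_SSLVPN general-attributes
 default-group-policy LOCA_POLICY
!
! 4. Location C gets its own policy and connection profile. The split-tunnel
!    list only decides what a client routes through the ASA; 10.55.0.0/16 is
!    not behind the ASA and is not in the list, so a location C client sends
!    traffic for it to its own local network, never to location A.
group-policy LOCC_POLICY internal
group-policy LOCC_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sslvpnsplittunnel
tunnel-group LOCC_SSLVPN type remote-access
tunnel-group LOCC_SSLVPN general-attributes
 default-group-policy LOCC_POLICY
!
! Verify which policy a connected client received and its split-tunnel setting:
!   show run group-policy LOCA_POLICY
!   show vpn-sessiondb svc
```

With tunnelspecified the endpoint is attached to its local LAN and the VPN at the same time, so anything that can pass through that endpoint is limited only by host-level controls, not by the ASA; that is the trade-off to weigh against tunnelling all traffic.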
