05-21-2008 12:33 AM
hi,
I have configured my ASA 5520 v7.2 for remote VPN. It is working fine. I need to provide my client access to the internet without enabling split tunnel. I have gone through some docs, e.g. the below one:
The above one is not enough for me as I have a different requirement.
I want my client to VPN to the ASA, and for accessing the internet I have got an ISA connected to the VPN device. All my VPN clients that want to access the internet should use this for internet access. My ISA server is in the same subnet as the VPN device but uses a different gw for internet access.
Pls comment.
05-21-2008 10:51 PM
Adil,
To be honest - not so easy, right off the bat the easiest way I can think of is to:-
1) Tunnel All
2) Then add the below
group-policy <
msie-proxy method use-server
msie-proxy server value x.x.x.x
msie-proxy local-bypass disable
x.x.x.x = ISA IP Address
The above will push Internet Explorer proxy settings into the remote user's browser. Obviously it only works with IE (ho hum). I have tested this in the lab with Squid Proxy Server, not ISA, but it worked quite well.
HTH.
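Added example, not part of the thread and not Cisco's own code: a small Python check that reads a saved ASA configuration and reports, per group policy, whether both steps from the post above (tunnel all, then the three msie-proxy lines) are present. The sample configuration, the policy name guestvpn and the address 192.0.2.10 are constructed for illustration; a policy with no split-tunnel-policy line is reported as inheriting from the default group policy.

```python
import re

# Constructed sample ASA running-config excerpt (names and addresses are made up).
SAMPLE_CONFIG = """\
group-policy staffvpn attributes
 split-tunnel-policy tunnelall
 msie-proxy server value 192.0.2.10
 msie-proxy method use-server
 msie-proxy local-bypass disable
group-policy newstaffvpn attributes
 split-tunnel-policy tunnelspecified
 msie-proxy method use-server
group-policy guestvpn attributes
 vpn-idle-timeout 30
"""

HEADER = re.compile(r"^group-policy (\S+) attributes\s*$")

def parse_group_policies(config):
    """Map each group-policy name to its tunnel and msie-proxy settings."""
    policies, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if m := HEADER.match(line):
            current = policies.setdefault(m.group(1), {})
        elif not line.startswith(" ") or current is None:
            current = None  # any other top-level line ends the block
        elif words[:1] == ["split-tunnel-policy"] and len(words) > 1:
            current["tunnel"] = words[1]
        elif words[:1] == ["msie-proxy"] and len(words) > 2:
            current[words[1]] = words[-1]  # method / server / local-bypass
    return policies

def audit(policy):
    """Check one policy against the two steps in the post above."""
    findings, tunnel = [], policy.get("tunnel")
    if tunnel is None:
        findings.append("split-tunnel-policy not set: inherited from the default group policy")
    elif tunnel != "tunnelall":
        findings.append(f"split-tunnel-policy is {tunnel}, not tunnelall")
    for key, want in (("method", "use-server"), ("local-bypass", "disable")):
        if policy.get(key) != want:
            findings.append(f"msie-proxy {key} is not {want}")
    if "server" not in policy:
        findings.append("msie-proxy server value is missing")
    return findings

def audit_config(config):
    return {name: audit(p) for name, p in parse_group_policies(config).items()}
```

An empty list for a policy means both steps are configured in that policy itself; any other result lists what is missing or inherited.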
05-21-2008 11:08 PM
Great HTH,
What do you mean by tunnel all? All VPN clients are connecting as remote VPN.
Can I set a couple of tunnels, i.e. for the corp network use a tunnel which points to the inside device, and for any 0.0.0.0 traffic point the tunnel to the ISA, which can act as gateway?
Can you send me some docs on how this can be done?
Appreciate your comments.
regs,
a
05-21-2008 11:15 PM
Tunnel All - means you are encrypting all the traffic from the VPN client to the ASA.
Split-tunneling - which means you encrypt specific IP subnets
Tunnel all with local LAN access - which is the client can reach the local subnet (for local printing etc) anything else is encrypted.
You could set that up yes, do you have any existing remote VPN configuration? As it would be easier to modify existing tunnel policies?
05-21-2008 11:17 PM
Here are some great examples of configurations:-
http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_configuration_examples_list.html
HTH.
05-22-2008 12:10 AM
05-22-2008 01:55 AM
Add the below:-
group-policy staffvpn attributes
msie-proxy method use-server
msie-proxy server value x.x.x.x
msie-proxy local-bypass disable
group-policy newstaffvpn attributes
msie-proxy method use-server
msie-proxy server value x.x.x.x
msie-proxy local-bypass disable
username adel attributes
msie-proxy method use-server
msie-proxy server value x.x.x.x
msie-proxy local-bypass disable
username waled attributes
msie-proxy method use-server
msie-proxy server value x.x.x.x
msie-proxy local-bypass disable
To whichever remote VPN group you want to test with. x.x.x.x is the IP address of the ISA server.
HTH.
05-22-2008 02:23 AM
great...
After applying this, will I have any issues accessing my servers' browser-based applications in my internal network?
thanks,
05-22-2008 02:27 AM
Only if you don't have the ACL in the interface with the ISA server to allow the traffic from the lower interface into the higher interface! and of course check your NAT rules out.....other than that, configure; test and troubleshoot if required!
HTH.
05-22-2008 02:30 AM
Many thanks
05-22-2008 02:36 AM
np - glad to help.