Remote VPN Working, but Split Tunnel external traffic blocked?

Ben Sebborn
Level 1

Hi

Scenario:

Cisco ASA 5505

We have Remote VPN working and we can access our office network from a remote VPN client, and the other way around also.

We would now like to extend this config so that, when accessing a set of IPs on the internet (our website), any remote VPN clients must route their traffic over the VPN (so the website sees our office IP, not the remote client's internet IP).

So,

officenetwork: 192.168.2.0/24

VPN Pool: 192.168.4.0/24

External IP of website is within the group 'rackspace-public-ips'

We can successfully ping from 192.168.2.0 <> 192.168.4.0

We can successfully access public internet addresses. However, when we enable a split tunnel, we cannot access the 'rackspace-public-ips' addresses any more.

Config:

! split-tunnel list: destinations the client sends into the tunnel
access-list vpn_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list vpn_splitTunnelAcl_1 standard permit x.x.x.x 255.255.255.252
access-list vpn_splitTunnelAcl_1 standard permit x.x.x.x 255.255.255.248

(where x.x.x.x are the individual IPs defined within the rackspace-public-ips group)

! NAT exemption between DM_INLINE_NETWORK_1 (office LAN + rackspace IPs) and the VPN pool
access-list officenetwork_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.4.0 255.255.255.0

object-group network officenetwork-network
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.2.0 255.255.255.0
 group-object rackspace-public-ips

! dynamic PAT to the outside interface for everything entering officenetwork
global (publicinternet) 1 interface
nat (officenetwork) 0 access-list officenetwork_nat0_outbound
nat (officenetwork) 1 0.0.0.0 0.0.0.0
route publicinternet 0.0.0.0 0.0.0.0 192.168.3.1 1

group-policy vpn attributes
 dns-server value 192.168.2.199
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl_1
 default-domain value office.internal
 split-dns value office.internal

What am I missing, guys?

3 Replies

Jouni Forss
VIP Alumni

Hi,

Would really need more information.

From what I gather, you have a /30 subnet and a /29 subnet of public IP addresses? Are these located behind the ASA? I mean, behind the "officenetwork" interface?

If these are actually public IP addresses on the "publicinternet" interface (or routed towards that interface since you have 2 subnets) used in Static NAT configurations for the servers then you are most likely running into problem with the NAT configurations.

This would be because you are doing NAT0 for the internal IP addresses while you are actually trying to reach the public IP address.

If both of these public subnets are used as NAT IP addresses on the edge of the firewall, and not behind it in the internal network (directly on the servers), then I was thinking that trying "deny" statements in the NAT0 configuration might do the trick (if it is supported; I do remember that it should be, but I am not 100% sure).

access-list officenetwork_nat0_outbound line 1 remark Avoid NAT0 for Server to VPN Client
access-list officenetwork_nat0_outbound line 2 extended deny ip x.x.x.x 255.255.255.252 192.168.4.0 255.255.255.0
access-list officenetwork_nat0_outbound line 3 extended deny ip x.x.x.x 255.255.255.248 192.168.4.0 255.255.255.0

and so on.

So whether any of the above makes sense depends on whether the public IP addresses are located behind the ASA on the internal network, or are actually the public NAT IP addresses of hosts on the network 192.168.2.0/24.

- Jouni

Hi

I managed to fix this, by adding the following:

nat (publicinternet) 1 192.168.4.0 255.255.255.0

Many thanks

Hi,

That would seem to point to a situation where these servers are actually outside your network?

You are just tunneling the traffic towards some public servers through the VPN and out the ASA?

But again I have no idea what the actual setup is.

The main thing, though, is that it's working.

- Jouni
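To make concrete why the original config dropped the tunnelled website traffic and why adding `nat (publicinternet) 1 192.168.4.0 255.255.255.0` fixed it, here is an added worked model of the pre-8.3 ASA NAT lookup for the config in this thread. It is an illustration written for this page, not Cisco code and not the poster's config. Interface names, the office LAN and the VPN pool are the ones posted; the two public 'rackspace-public-ips' prefixes (203.0.113.0/30 and 203.0.113.8/29) and the ASA interface addresses are constructed placeholders, since the post shows only x.x.x.x.

```python
"""Simplified model of the pre-8.3 ASA NAT lookup for the config in this thread.

Added illustration written for this page, not Cisco code and not the poster's
config. It models only what the thread exercises: the client's split-tunnel
ACL, the bidirectional 'nat 0 access-list' exemption, and dynamic 'nat'/'global'
pairs under nat-control. Interface names and private subnets are the ones
posted; the public 'rackspace-public-ips' prefixes and the ASA interface
addresses are constructed placeholders (the post shows only x.x.x.x).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

OFFICE = ip_network("192.168.2.0/24")        # officenetwork LAN
VPN_POOL = ip_network("192.168.4.0/24")      # remote-access pool
ANY = ip_network("0.0.0.0/0")
# Constructed stand-ins for the /30 and /29 inside 'rackspace-public-ips'.
RACKSPACE = [ip_network("203.0.113.0/30"), ip_network("203.0.113.8/29")]
# Constructed interface addresses used by 'global (...) 1 interface' PAT.
INTERFACE_IP = {"publicinternet": ip_address("198.51.100.5"),
                "officenetwork": ip_address("192.168.2.1")}

# access-list vpn_splitTunnelAcl_1 (standard ACL: destinations sent into the tunnel)
SPLIT_TUNNEL_ACL = [OFFICE] + RACKSPACE


def client_path(dst: str) -> str:
    """Where the VPN client sends a packet under 'split-tunnel-policy tunnelspecified'."""
    d = ip_address(dst)
    return "tunnel" if any(d in net for net in SPLIT_TUNNEL_ACL) else "local-internet"


@dataclass(frozen=True)
class NatExempt:
    """nat (iface) 0 access-list <acl>; acl entries are (src_net, dst_net)."""
    iface: str
    acl: tuple


@dataclass(frozen=True)
class NatDynamic:
    """nat (iface) <id> <src_net>, paired with 'global (egress) <id> interface'."""
    iface: str
    nat_id: int
    src: IPv4Network


# access-list officenetwork_nat0_outbound: DM_INLINE_NETWORK_1 -> VPN pool
NAT0_ACL = tuple((net, VPN_POOL) for net in [OFFICE] + RACKSPACE)
EXEMPTS = (NatExempt("officenetwork", NAT0_ACL),)
GLOBALS = {("publicinternet", 1)}                      # global (publicinternet) 1 interface
DYNAMIC_BEFORE = (NatDynamic("officenetwork", 1, ANY),)  # nat (officenetwork) 1 0.0.0.0 0.0.0.0
# The fix posted in the thread: nat (publicinternet) 1 192.168.4.0 255.255.255.0
DYNAMIC_AFTER = DYNAMIC_BEFORE + (NatDynamic("publicinternet", 1, VPN_POOL),)


def egress_for(dst: IPv4Address) -> str:
    """Connected route for the office LAN; 'route publicinternet 0.0.0.0 0.0.0.0' for the rest."""
    return "officenetwork" if dst in OFFICE else "publicinternet"


def asa_translate(src: str, dst: str, ingress: str, dynamics=DYNAMIC_BEFORE):
    """Return (action, translated_src, egress) for a packet entering 'ingress'.

    Order mirrors the ASA: NAT exemption first (forward on its own interface,
    reversed when that interface is the egress), then dynamic NAT configured on
    the ingress interface whose id has a 'global' on the egress interface. With
    nat-control, a packet that matches nothing has no translation and is dropped.
    """
    s, d = ip_address(src), ip_address(dst)
    egress = egress_for(d)
    for ex in EXEMPTS:
        forward = ex.iface == ingress and any(s in a and d in b for a, b in ex.acl)
        reverse = ex.iface == egress and any(d in a and s in b for a, b in ex.acl)
        if forward or reverse:
            return ("exempt", str(s), egress)
    for rule in dynamics:
        if rule.iface == ingress and s in rule.src and (egress, rule.nat_id) in GLOBALS:
            return ("pat", str(INTERFACE_IP[egress]), egress)
    return ("drop", None, egress)


def trace(src: str, dst: str, fixed: bool):
    """Client-side split-tunnel decision, then the ASA lookup if the packet reaches it."""
    path = client_path(dst)
    if path != "tunnel":
        return (path, None)
    # Decrypted client traffic enters the ASA on the interface terminating the VPN.
    dynamics = DYNAMIC_AFTER if fixed else DYNAMIC_BEFORE
    return (path, asa_translate(src, dst, "publicinternet", dynamics))


if __name__ == "__main__":
    for fixed in (False, True):
        print("with fix" if fixed else "original config")
        for dst in ("192.168.2.50", "203.0.113.2", "8.8.8.8"):
            print("  192.168.4.10 ->", dst, trace("192.168.4.10", dst, fixed))
```

Running it shows the three cases from the thread: client to office LAN is exempt from NAT in both configs (the `nat 0` on officenetwork matches in reverse), client to a rackspace IP hits no rule on publicinternet in the original config and is dropped, and with the added `nat (publicinternet) 1` rule it is PATed to the outside interface address, which is the "website sees our office IP" result the poster wanted. Office hosts reaching the same public IPs always matched `nat (officenetwork) 1`, which is why plain internet access worked throughout. The model deliberately ignores one prerequisite the thread does not mention: on a real ASA, traffic that enters and leaves the same interface also needs `same-security-traffic permit intra-interface`, so check that too when reproducing this setup.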
