10-28-2013 11:09 AM
OK... crazy question here. I have a VPN client either on the older concentrator using IPSec or the newer ASA, but both profiles are set to tunnel everything. How does traffic flow if I go to, say, www.google.com? Does it flow from the client to the concentrator and then inside to follow my internet rules there, or does it flow from the client to the concentrator and then follow the default rules for the concentrator itself?
Brent
10-28-2013 11:22 AM
I guess the answer to this would depend on your design and whether or not you are using NAT hairpinning. I have seen both: where the ASA will hairpin the clients' internet traffic back out of the OUTSIDE interface, and I have also seen a design where there was a default route on the ASA with the "tunneled" argument, which instructs the ASA to forward VPN client traffic to a next-hop IP address where the clients' internet traffic can then be proxied.
10-28-2013 02:28 PM
Erick,
I guess I fall into the hairpinning category. Playing with different traceroutes and pings, I am going back out to the internet via the default route for the concentrator and ASA. If I traceroute from my client back to a system on the inside there are four hops and they make sense. If I traceroute from the client to, say, google then I have about 16 hops and it does complete. I am now trying to figure out why HTTP to, say, google does not work. I am thinking that may be something up with my cloud firewall provider. That is what started this whole thing in the first place.
I was just wondering if there was a way to have the default route for just my address pool point back towards the inside. I guess that would be a NAT to a new VLAN on the inside?
Brent
10-28-2013 02:57 PM
Hi bberry,
This would again depend on your design. If you have more than one exit point to the internet, you can send your VPN client traffic to the internal network by using the "tunneled" keyword at the end of your static route statement on the ASA and let your internal network perform the default routing to a different exit point for internet access. Just remember that your internal network needs to have a route back to your VPN client's subnet for that to work.
If you only have one point out of your network to the internet, then it really doesn't make any sense to send your VPN client's internet traffic to your internal network. NAT hairpinning would be the solution for that design, or allow your clients to use split tunneling.
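The two designs discussed in this thread, written out as an added ASA configuration example (not posted by either participant). It assumes ASA 8.3+ NAT syntax, interfaces named "outside" and "inside", a constructed VPN pool of 192.168.100.0/24, a constructed ISP next hop of 203.0.113.1 and a constructed internal router at 10.1.1.1; the group-policy and object names are also made up. Design 1 and Design 2 are alternatives, so only one of the two default-route sections would be applied on a real box.

```cisco
! Added example, not from the thread. All addresses and names are constructed.

! VPN address pool handed out to remote-access clients
ip local pool VPN-POOL 192.168.100.10-192.168.100.250 mask 255.255.255.0

! Group policy that tunnels everything: with no split tunnel, the client's
! internet traffic arrives encrypted on the outside interface and is then
! forwarded according to the ASA's routing table, not the client's own.
group-policy FULL-TUNNEL internal
group-policy FULL-TUNNEL attributes
 split-tunnel-policy tunnelall
 address-pools value VPN-POOL

! ===== Design 1: single internet exit, NAT hairpin =====
! Decrypted client traffic must be allowed to leave the same interface
! (outside) it arrived on; by default the ASA drops such flows.
same-security-traffic permit intra-interface

! Translate the pool to the outside interface address for outside->outside
! flows, so replies from the internet come back to the ASA, not to a
! private pool address the ISP cannot route.
object network VPN-POOL-NET
 subnet 192.168.100.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Ordinary default route toward the ISP; hairpinned client traffic and
! inside-originated traffic both follow it, so one outbound policy applies.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! ===== Design 2: second internet exit reachable via the inside =====
! Decrypted VPN-client traffic (and only that traffic) follows this route
! instead of the normal default route. The ASA accepts a single tunneled
! default route; inside-originated traffic still uses the route above.
route inside 0.0.0.0 0.0.0.0 10.1.1.1 tunneled

! The internal router at 10.1.1.1 needs a return route for the pool,
! otherwise replies never reach the ASA (constructed inside address shown):
!   ip route 192.168.100.0 255.255.255.0 10.1.1.254
```

To confirm which path a client's packet takes, `show route` lists the tunneled default route separately from the standard one, and `packet-tracer input outside icmp 192.168.100.10 8 0 192.0.2.10` walks a simulated client packet through the route lookup, NAT and ACL phases and reports the egress interface, which is a quick way to tell a routing problem from a NAT or policy drop. `show nat detail` shows hit counts on the hairpin translation. From a defender's point of view, both designs keep remote clients' internet traffic under the same egress inspection as on-site users, which is the reason to tunnel everything rather than split-tunnel; the difference is only whether that inspection happens on the ASA or at the second exit.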