Split Tunnel VPN and routing public ip traffic

waysystems
Level 1

Hi Everyone,

I have my split tunnel VPN working well but I need to make an adjustment. We have a few systems in the "cloud" and we only allow access from our corporate WAN IP to those servers. I need to be able to access those servers via VPN connection to the office. I added that public IP subnet to my interesting traffic and the VPN client is sending the traffic across the VPN as expected. The issue is that it somehow drops out inside the firewall, it seems. Almost like it doesn't know how to route that request back out to the internet using its own default gateway. Any thoughts as to what I may be missing? Here is some of the relevant code:

same-security-traffic permit intra-interface

----Interesting Traffic------

access-list vpnpool standard permit 10.1.1.0 255.255.255.0
access-list vpnpool standard permit 10.31.26.0 255.255.255.0
access-list vpnpool standard permit 10.31.61.0 255.255.255.0
access-list vpnpool standard permit 10.31.3.128 255.255.255.192
access-list vpnpool standard permit 10.31.40.128 255.255.255.240
access-list vpnpool standard permit 10.31.40.64 255.255.255.192
access-list vpnpool standard permit 50.57.0.0 255.255.0.0  -- Network of cloud servers

---Natting----------

global (outside) 1 71.174.57.78
global (dmz) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 10.1.1.0 255.255.255.0
nat (qa) 1 200.200.200.0 255.255.255.0
nat (dmz) 1 10.1.11.0 255.255.255.0
nat (dmz2) 1 192.168.1.0 255.255.255.0

---Rules and Gateway-------

access-group inbound in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 71.174.57.1 1

---VPN-----

group-policy xxx-remote internal
group-policy xxx-remote attributes
 wins-server value 10.1.1.5
 dns-server value 10.1.1.5 10.1.1.6
 vpn-idle-timeout 60
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnpool
 default-domain value xxx.local
 split-dns value xxxx.local
service-type remote-access
tunnel-group xxx-vpn type remote-access
tunnel-group xxx-vpn general-attributes
 address-pool vpnpool
 authentication-server-group (outside) RADIUS
 authentication-server-group (dmz) RADIUS
 default-group-policy xxx-remote
tunnel-group xxx-vpn ipsec-attributes
 pre-shared-key xxxxx

8 Replies

Keith McElroy
Level 1

I haven't done this with the older code in a while, but I believe it comes out to something like nat (outside) 1 x.x.x.x (the x being your IP of the VPN). Remember the RA VPN actually drops at the outside interface, not the inside, so it will have to be treated as such with the nat rules. I currently do this same thing you are trying to do on the 8.3 code.

I am running 8.0(3) on an ASA 5510, if that helps.

Hi,

I added the following line to my config and I was able to access my remote servers. The problem is that my ability to browse the rest of the internet stopped and I couldn't access other servers that are on a site-to-site VPN.

nat (Outside) 1 10.1.10.0 255.255.255.0

OK, should probably do it like this then.

nat (Outside) 1 access-list VPN-NAT
access-list VPN-NAT deny ip 10.1.10.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list VPN-NAT permit ip 10.1.10.0 255.255.255.0 any

This should deny the NAT for any traffic to your internal subnets while allowing it to be NATed for the external stuff. If you have other subnets other than 10.0.0.0/8, you can add them to the ACL with deny statements before the permit at the end.

I tried your suggestion but I got the following error...

ERROR: Deny rules not supported in Policy Nat

I put the following rules in and everything seems to work fine except for browsing the internet. I can't tell if it's a DNS issue; the rest of the internet is not part of the interesting traffic ACL, so I imagine it's not trying to go through the VPN, but it seems I can't resolve DNS names.

access-list vpn_nat permit ip 10.1.10.0 255.255.255.0 50.57.0.0 255.255.0.0
nat (Outside) 1 access-list vpn_nat

That was my mistake, I am mixing up code here. The fun of switching between new and old ASA code as well as routers.

Let's do it this way, this should fix the problem. Put the NAT command the way it was as follows:

nat (Outside) 1 10.1.10.0 255.255.255.0

Now we add a NAT0 for the Outside interface. You can reuse the ACL we made if you want or make a new one, your call since you have to administrate it.

no access-list VPN-NAT
access-list VPN-NAT0 permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (Outside) 0 access-list VPN-NAT0

Now, this should properly NAT the traffic going to the Internet while excluding the traffic destined for your 10.0.0.0/8 subnet using the Nat 0.

Sorry for the roundabout fix, but that should take care of it.
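The NAT lookup behind the three attempts above, as an added Python model (not from the thread or from Cisco): it applies the pre-8.3 order of nat 0 exemption, then policy NAT, then regular NAT, and only translates when a matching global exists on the egress interface. The route table (10/8 behind inside), the client and destination hosts, and the VPN pool 10.1.10.0/24 taken from the nat (Outside) lines are assumptions of the model.

```python
from ipaddress import ip_address, ip_network

# Constructed assumption: 10/8 is reached via inside; everything else follows the default route.
ROUTES = [(ip_network("10.0.0.0/8"), "inside"), (ip_network("0.0.0.0/0"), "outside")]
# From the thread: global (outside) 1 and global (dmz) 1 exist, but there is no global (inside).
GLOBALS = {"outside": {1}, "dmz": {1}}
POOL = "10.1.10.0/24"  # remote-access pool, as used in the nat (Outside) lines above

def egress_for(dst):
    d = ip_address(dst)
    return next(iface for net, iface in ROUTES if d in net)  # routes listed most specific first

def acl_matches(acl, src, dst):
    """acl is a list of (action, src_net, dst_net); first match wins, implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for action, sn, dn in acl:
        if s in ip_network(sn) and d in ip_network(dn):
            return action == "permit"
    return False

def check_policy_nat_acl(acl):
    """Mirror the ASA's refusal in the thread: a policy-NAT ACL may not contain deny entries."""
    if any(action == "deny" for action, _, _ in acl):
        raise ValueError("ERROR: Deny rules not supported in Policy Nat")
    return True

def nat_decision(cfg, src, dst):
    """Pre-8.3 order: nat 0 access-list (exempt) -> nat <id> access-list (policy) -> nat <id> <net>.
    A matched dynamic rule translates only if global (<egress>) <id> exists."""
    egress = egress_for(dst)
    if "exempt" in cfg and acl_matches(cfg["exempt"], src, dst):
        return "exempt"
    nat_id = None
    if "policy" in cfg and acl_matches(cfg["policy"][1], src, dst):
        nat_id = cfg["policy"][0]
    elif "regular" in cfg and ip_address(src) in ip_network(cfg["regular"][1]):
        nat_id = cfg["regular"][0]
    if nat_id is None:
        return "untranslated"  # leaves with its 10.1.10.x source, the original hairpin problem
    return "translate" if nat_id in GLOBALS.get(egress, set()) else "no-global"

# The three attempts from the thread, in order.
ATTEMPT1 = {"regular": (1, POOL)}                               # nat (Outside) 1 10.1.10.0 255.255.255.0
ATTEMPT2 = {"policy": (1, [("permit", POOL, "50.57.0.0/16")])}  # nat (Outside) 1 access-list vpn_nat
ATTEMPT3 = {"exempt": [("permit", POOL, "10.0.0.0/8")], "regular": (1, POOL)}  # plus nat (Outside) 0

def walk(cfg, src="10.1.10.5"):
    """One VPN client towards a cloud server, the inside DNS server and a site-to-site subnet (hosts constructed)."""
    return {dst: nat_decision(cfg, src, dst) for dst in ("50.57.1.10", "10.1.1.5", "10.31.26.10")}
```

Attempt 1 leaves inside-bound traffic matched by a nat rule with no global on inside, attempt 2 simply never translates it, and attempt 3 exempts it while still PATing the cloud-bound traffic out of 71.174.57.78.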

So everything works except for the rest of the internet haha. Very close but it seems I can't get any DNS results back for some reason. Using nslookup I keep timing out when talking to 10.1.1.5 for DNS. I remove the nat statements and go back to my original config and all is well again.

My wireless adaptor is giving me a DNS entry of 10.1.10.1

My Cisco VPN adaptor is giving me a DNS entry of 10.1.1.5 (AD/DNS) server which is correct.

Nslookup is telling me I am using 10.1.1.5.

Any thoughts?

Well, the .local as your DNS domain may be the issue. I'm not great with DNS, but I believe that is non-routable, so it won't pass. I could be way off base on this, but that is my thought on it. Everything else should be fine as long as you don't have an internal ACL on the inside interface (I don't see one, but not sure if you happened to exclude that).

Probably should have included an example. In my current split DNS setup for one of our remote access ASAs, we use specific domains we want to resolve inside. So if I was at google, I would use:

default-domain value google.com

split-dns value google.com