
Split-tunneling with Websites that have multiple IPs

hanwucisco
Level 1

Hundreds of famous websites (such as YouTube and Facebook) are blocked at our remote sites. We need to reach these sites over a VPN to our HQ. We need to do split-tunneling.

These websites consist of many IPs from different subnets, spread out across the whole Internet. When you do IP-based split-tunneling, it is impractical for me to add the IPs one by one.

So, what is the best way to handle this?

Han


13 Replies

Hi Han,

You use split-tunneling when you want your users to be able to access remote resources behind the VPN server and, at the same time, access any other resources through their local networks.

So, may I know why you want them to access Facebook or YouTube across the tunnel (going through the ASA or router)?

In case you would like to access these websites through the tunnel, I think there are two ways:

1- Define every single IP address.

2- Have your VPN users resolve Facebook and YouTube through a specific internal DNS server across the tunnel; this server will only resolve them to a single IP address or a group of IPs. Then you add these IPs to your split-tunneling list.

Let me know.

Portu.

Please rate any helpful posts

"So, May I know why want them to access Facebook or YouTube across the tunnel (getting to the ASA or Router)?"

A: Many of our customers work inside other company/government networks. These networks block the websites. They need to access the websites, and for our customers we are setting up this remote VPN.

Of the two ways you mentioned, the second one sounds like a good solution. Will I have to define an IP ACL for the split-tunneling? How does the traffic flow when you use it? Is it like this?

The user sends a DNS query for www.facebook.com. The internal server at HQ replies. Then, the traffic from Facebook is encrypted through the tunnel to the user?

If it is, it can save me a lot of time on listing the IPs.

Thanks,

Han

Han,

The second option must be evaluated in a lab with a real DNS server and the proper captures from a user's machine, since we need to confirm web redirections and other variables. In case your DNS server can have control over this, then you will be able to reduce the number of IP addresses.

Once you have the list of IPs required to open a Facebook session successfully, just add them to the split ACL:

access-list SPLIT standard permit host xxxx.xxxx.xxxx.xxxx
access-list SPLIT standard permit xxxx.xxxx.yyyy.yyyy <subnet-mask>

group-policy RA_SPLIT attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLIT

Hope to help.

Portu.


Portu,

"The second option must be evaluated in a lab with a real DNS server and the proper captures from a user's machine, since we need to confirm web redirections and other variables. In case your DNS server can have control over this, then you will be able to reduce the number of IP addresses."

I have difficulties understanding this technique. Do you have any link that I can read, or can you elaborate?

thanks,

han

Han,

When a user connects to a website like Facebook, the session does not hit only one IP, since the server redirects the session to different servers (load-balancing, specific/dedicated functions, etc.).

So, you may want to have a user access Facebook from his machine, run Wireshark and get all the Facebook IP addresses (the IPs involved during the session), and then include these in the split-tunneling list.

Depending on the specific FW rules they have on their site, they may be able to resolve the names locally but still access the server through the tunnel or you can have them resolve Facebook with your DNS server at HQ through the tunnel.

Keep me posted.

Portu.
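The capture-and-enumerate approach Portu describes above, worked through as an added example (this is not code from the thread or from Cisco): take the destination addresses observed in a Wireshark session, drop the local-LAN noise and anything you know is not the site (the public resolver, for instance), collapse the remainder into the fewest prefixes, and render them as ASA standard ACL entries for the SPLIT list. The observed addresses are a constructed sample using RFC 5737 documentation ranges, not real Facebook addresses, and the ACL name SPLIT is assumed from the configuration earlier in the thread. The optional summarize_to parameter widens each host to its enclosing /N, which is the "hosts or subnets" trade-off: fewer lines, more traffic tunneled.

```python
"""Turn destination IPs seen in a packet capture into ASA split-tunnel ACL lines."""
import ipaddress

# RFC 1918 space: the user's default gateway and local resolver appear in every
# capture and must never be added to the split list.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample input (hypothetical): destinations a capture of one browsing
# session to the site might contain.  192.0.2.0/24, 198.51.100.0/24 and
# 203.0.113.0/24 are RFC 5737 documentation blocks standing in for the site.
SAMPLE_OBSERVED_IPS = [
    "203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13",
    "198.51.100.7", "198.51.100.7",   # repeated hits are normal in a capture
    "192.0.2.200", "192.0.2.201",
    "192.168.1.1",                    # local gateway, dropped as RFC 1918
    "8.8.8.8",                        # public resolver, dropped via `exclude`
]


def observed_to_networks(observed, exclude=(), summarize_to=None):
    """Dedupe observed IPv4 addresses, drop RFC 1918 and excluded ones, and
    collapse the rest into the smallest set of prefixes.  With summarize_to=N
    every address is first widened to its enclosing /N (coverage over precision)."""
    excluded = [ipaddress.ip_network(n) for n in exclude]
    nets = set()
    for raw in observed:
        addr = ipaddress.ip_address(raw.strip())
        if addr.version != 4:           # ASA standard ACLs are IPv4 only
            continue
        if any(addr in n for n in RFC1918 + excluded):
            continue
        prefix = 32 if summarize_to is None else summarize_to
        nets.add(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    # collapse_addresses merges adjacent prefixes and returns them sorted
    return list(ipaddress.collapse_addresses(nets))


def asa_split_acl(networks, acl_name="SPLIT"):
    """Render prefixes as ASA standard ACL lines (host form for a /32)."""
    lines = []
    for net in networks:
        if net.prefixlen == 32:
            lines.append(f"access-list {acl_name} standard permit host {net.network_address}")
        else:
            lines.append(f"access-list {acl_name} standard permit {net.network_address} {net.netmask}")
    return lines


def split_acl_from_capture(observed, exclude=(), summarize_to=None, acl_name="SPLIT"):
    """Full pipeline: observed addresses -> collapsed prefixes -> ACL lines."""
    return asa_split_acl(observed_to_networks(observed, exclude, summarize_to), acl_name)


if __name__ == "__main__":
    for line in split_acl_from_capture(SAMPLE_OBSERVED_IPS, exclude=["8.8.8.8/32"]):
        print(line)
    print("! same capture widened to /24:")
    for line in split_acl_from_capture(SAMPLE_OBSERVED_IPS, exclude=["8.8.8.8/32"], summarize_to=24):
        print(line)
```

Feed it the unique destination column exported from Wireshark (Statistics > Endpoints, or a `tshark -T fields -e ip.dst` run) and paste the output under the group policy. Re-run it after a few sessions from different locations: the list from a single capture is only what that one session happened to hit.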

So, Portu,

From what you are saying, I get that if Facebook has 30 IPs, you have to find them first and manually put all these IPs (either hosts or subnets) into the ACL list?

Which makes me think: how do proxies like Bluecoat do it? I guess they only need to block, say, "facebook.com", and then all the traffic is blocked or permitted.

can ASA split-tunneling do something similar to this?

thanks,

Han

Han,

Unfortunately no.

Split-tunneling works at layer 3. You can have the VPN client send any DNS request for "facebook.com" across the tunnel (using split-DNS), but that does not mean the client will route the returned IP address across the tunnel.

For this you will need to use "tunnelall", which, as you know, sends all the traffic across the tunnel; in case you still need to access local resources, you may use "excludespecified", as discussed in a different post.

Thanks.

Portu.
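The layer-3 point in Portu's answer above, as an added example (not code from the thread): the client decides tunnel-versus-local per destination IP against the split ACL, regardless of which resolver answered the DNS query. The model below parses ASA-style standard ACL lines, applies the three split-tunnel policies (tunnelall, tunnelspecified, excludespecified), and simulates split-DNS: names under a split-DNS domain are resolved by the HQ resolver over the tunnel, yet the resulting IP is still routed purely by the ACL. The ACL contents, the resolver answers and the domain names are constructed for the example; the RFC 5737 addresses stand in for the site's real ones.

```python
"""Model of the AnyConnect/ASA split-tunnel decision versus split-DNS."""
import ipaddress

# Constructed split ACL in ASA standard-ACL syntax (hypothetical values).
SAMPLE_ACL = [
    "access-list SPLIT standard permit 10.10.0.0 255.255.0.0",   # HQ intranet
    "access-list SPLIT standard permit host 203.0.113.10",       # one site IP we enumerated
]

# Constructed split-DNS setup: queries under these domains go to the HQ resolver.
SPLIT_DNS_DOMAINS = ["facebook.com", "example.corp"]
HQ_ANSWERS = {"www.facebook.com": "203.0.113.10", "intranet.example.corp": "10.10.1.5"}
LOCAL_ANSWERS = {"www.facebook.com": "198.51.100.9"}   # what the remote site's own resolver says


def parse_split_acl(lines):
    """Parse 'access-list NAME [standard] permit host A' / 'permit NET MASK' into networks.
    Deny entries and unrelated lines are skipped."""
    nets = []
    for line in lines:
        parts = line.split()
        if not parts or parts[0] != "access-list" or "permit" not in parts:
            continue
        args = parts[parts.index("permit") + 1:]
        if args[0] == "host":
            nets.append(ipaddress.ip_network(args[1] + "/32"))
        else:
            nets.append(ipaddress.ip_network(f"{args[0]}/{args[1]}"))   # dotted-mask form
    return nets


def client_path(policy, acl_nets, dst):
    """Return 'tunnel' or 'local' for a destination address under the policy."""
    addr = ipaddress.ip_address(dst)
    matched = any(addr in n for n in acl_nets)
    if policy == "tunnelall":
        return "tunnel"                      # ACL is irrelevant
    if policy == "tunnelspecified":
        return "tunnel" if matched else "local"   # ACL lists what is tunneled
    if policy == "excludespecified":
        return "local" if matched else "tunnel"   # ACL lists what stays local
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


def resolve(name, split_domains=SPLIT_DNS_DOMAINS, hq=HQ_ANSWERS, local=LOCAL_ANSWERS):
    """Split-DNS: names under a split domain are sent to the HQ resolver (over
    the tunnel); everything else goes to the local resolver.  Returns (resolver, ip)."""
    if any(name == d or name.endswith("." + d) for d in split_domains):
        return "hq", hq.get(name)
    return "local", local.get(name)


def browse(policy, acl_nets, name, **resolver_kwargs):
    """Resolve a name, then route the answer by IP.  Returns (resolver, ip, path).
    The resolver used has no influence on the path: only the IP and the ACL do."""
    resolver, ip = resolve(name, **resolver_kwargs)
    if ip is None:
        return resolver, None, "unresolved"
    return resolver, ip, client_path(policy, acl_nets, ip)


if __name__ == "__main__":
    acl = parse_split_acl(SAMPLE_ACL)
    print(browse("tunnelspecified", acl, "www.facebook.com"))
    # HQ answers with an IP that is not in the ACL: DNS went through the tunnel,
    # the web session does not.
    print(browse("tunnelspecified", acl, "www.facebook.com", hq={"www.facebook.com": "203.0.113.44"}))
    print(browse("tunnelall", acl, "www.facebook.com", hq={"www.facebook.com": "203.0.113.44"}))
```

The second call in the demo is the failure case Portu warns about: split-DNS makes the query go to HQ, but an answer outside the SPLIT list still leaves the client's local interface. The only policies that tunnel an arbitrary answer are tunnelall, or excludespecified with an ACL that names just the local resources.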

Portu,

So, for this case, will an SSL VPN (or any other VPN, still on the ASA) make any difference?

thanks,

Han

Han,

Yes there is another option.

You could use the WebVPN solution and create a bookmark for "www.facebook.com".

Then your users access the portal (which is encrypted) and click on the bookmark. As long as the ASA has the correct DNS settings, "www.facebook.com" will be resolved and the user will be able to access this social network across the protected tunnel.

I think this is going to be the best option to get this working. However, by default the ASA will only allow two simultaneous SSL connections, so you will need to purchase more licenses.

Here is an example:

Configuring Clientless SSL VPN

How to configure the bookmark:

Configuring Bookmarks

Keep me posted.

Thanks for all your time and great collaboration towards the resolution of this post

Portu.

Message was edited by: Javier Portuguez

It sounds better than "editing IP numbers".

In the following case, what will happen?

HQ is in DC. A user in LA web-VPNs into the ASA, clicks the tab and DNS works fine; then the server (Facebook) decides to use its server in LA for the user. Does it mean the traffic will go LA--DC(ASA)===LA(user)?

Or does Facebook still send the traffic from the server near DC?

or it is hard to say?

I'll be deciding whether we go with webvpn.

thanks,

Han

Yes, it will be hard to say since that decision is made by the FB server.

HTH.

Portu.

Thanks, Portu, for the helpful info.

Dear Han,

It is always a pleasure working with you, my friend.

Thanks a lot.