Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
477
Views
5
Helpful
4
Replies

VPN routing clarification

Tarik Admani
VIP Alumni
VIP Alumni

‎01-16-2013 11:32 PM

Hi,

I have a scenario which I am pretty sure is a limitiation of the ASA/VPN but I wanted to make sure I was correct.

If i have a single inet gateway/vpn concentrator (ASA) configured at a site with ironport. If i wanted to route the client's subnet through the ASA to a next hop on my core by using the "tunneled" keyword. If a vpn user wants to hit the internet (assuming no hairpin or split tunnel config) the return traffic will be dropped at the ASA. This is because the active connection (from inside) and the route lookup (which is on the outside) will cause the packet to drop?

I ask this because I have a customer that has an ironport configuration and would like to enforce the same web policies as their inside users. The only workaround I can come up with, is to use the msie proxy settings on the group policy.

Thanks so much for your help! I really need some assurance on this one!

Thanks,

Tarik Admani
*Please rate helpful posts*       

Labels:
0 Helpful
4 Replies 4

Tarik Admani
VIP Alumni
VIP Alumni

‎01-19-2013 11:15 PM

I wanted to know if anyone could provide some insight.

Thanks in advance.

Tarik Admani

0 Helpful

Andrew Phirsov
Level 7
Level 7
In response to Tarik Admani

‎01-20-2013 04:58 AM

I think even if the ASA will allow that traffic on the way to the internet (cause route lookup does check for the destination address), the returning traffic will be sent by the ASA directly to the client, due to route lookup. Then traffic flow would be unidirectional for websense, wich probably not good. Everything is IMHO)

Maybe it's better to use some kind of NAT somewhere on the inside part of a network and translate that vpn-assigned pool to smth else when going to the internet?

Tarik Admani
VIP Alumni
VIP Alumni
In response to Andrew Phirsov

‎01-20-2013 08:10 AM

Andrew,

Thanks for you feedback, that is what I was afraid of. My suggestion would be to deploy another firewall and use the existing (licensing) as their vpn head end, and the other as their internet gateway. Since they have ironport I was thinking of using the msie proxy settings instead of wccp so that the source address gets overwritten.

I do not want to recommend disabling tcp randomization since that to me would be susceptable for a man in the middle attack.

Thanks for your feedback.

Tarik Admani

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to Tarik Admani

‎01-24-2013 10:10 PM

I wanted to know if anyone has run into this or if this is documented anywhere. I am sure the issue is related to either tcp randomization or uRPF, however I am struggling to find any documentation that backs up my findings in the lab.

Essentially what I need to do is route all vpn traffic to the core and then route it back through the same ASA through the inside interface.

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful
Customers Also Viewed These Support Documents