VPN routing question

mbonner011
Level 1

Hello: I have an ASA 5516. Users who connect using AnyConnect cannot get to our corporate public website, which on the internal LAN is accessed via an internal 192.x IP. Users on the VPN trying to access the website are being directed to this 192.x address but cannot reach it. Is there a way to force or map the VPN users to route to the site using its external/public IP?

5 Replies

Hi,

It is possible, but it is better to make them get to your website using their VPN IP address. You need to make sure that the IP range they get when connecting to the VPN is permitted to reach your web server. If you are controlling client VPN traffic using an ACL, then make sure you have a permit for this site.

You can confirm this by running packet-tracer on the ASA.

The other possibility is that you have some filter on the DNS side. You may need to add the VPN network to this filter.

For further suggestions, it would be good if you share your firewall config.

 

 -If I helped you somehow, please, rate it as useful.-

Thanks for the reply. The IP addresses the VPN users receive can reach the website via its internal IP. No ACLs are currently used. I do see that when connected via AnyConnect no default gateway is listed on the PC; not sure if that means anything.

One workaround I found, but don't like, is to add a hosts file mapping to the public website and also check the "Allow Local LAN Access" option in the AnyConnect client software.

If you need the config I can send it after cleaning it up a bit.

Matt


 

You said: "...Users who connect using AnyConnect cannot get to our corporate public website"

But then you say: "...The IP addresses the VPN users receive can reach the website via its internal IP"

They are able to reach it through the internal network but not through the public IP address? Why do you want them to reach it through the public address?

The problem with client VPN reaching the website using your public IP address is the hairpinning problem, where the packet needs to enter and leave the same firewall interface.

It will be much easier if they can go internal.

 

 

-If I helped you somehow, please, rate it as useful.-

To clarify, if a user were to use the IP they receive through the VPN on their desktop at work, they could get to the corporate website via the standard URL. However, when connecting through the VPN on their personal machines, they cannot get there using the standard URL. There is only the standard URL. Our website admins and networking teams must have implemented a way for internal users to get to the site without the traffic leaving the LAN. I am not sure why this doesn't work when connected via the VPN, which uses an address pool on the same subnet as internal desktops.

I worked with TAC on this, and we added a public DNS address in front of our internal DNS server, which resolved the issue.
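The thread turned out to be a DNS path problem rather than a routing one: the resolver the tunnel hands to AnyConnect clients returned the internal 192.x record, the hosts-file workaround forced the public one, and the final fix changed what the clients resolve. The script below is an added example written for this page, not something any of the posters ran or a Cisco tool; it sends a plain A query to each resolver you name, prints every address that comes back, and TCP-probes each one, so from a VPN client you can see in one run which resolver returns which record and which of those records the tunnel can actually reach. The hostname, resolver addresses and the embedded sample reply are constructed for the example; it uses only the Python standard library.

```python
#!/usr/bin/env python3
"""Compare what a hostname resolves to via different DNS servers, then
TCP-probe each answer. Added example for this thread, not code from the
posts. Run it from an AnyConnect client with the tunnel's DNS server
(see `ipconfig /all`) and a public resolver as arguments."""
import random
import socket
import struct

def build_query(name, qid):
    """Standard DNS A query: header with RD set, one question, class IN."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_records(msg, expected_id=None):
    """Extract every A-record address from the answer section of a reply.
    Rejects replies whose id does not match the query (stray or spoofed)."""
    qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if expected_id is not None and qid != expected_id:
        raise ValueError("DNS id mismatch")
    rcode = flags & 0x0F
    if rcode != 0:
        raise ValueError(f"DNS error rcode={rcode}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                            # skip CNAME/AAAA/etc. rdata
    return addrs

def resolve_a(name, server, timeout=2.0):
    """UDP query to one specific resolver, bypassing the OS resolver config."""
    qid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, qid)

def tcp_reachable(ip, port=443, timeout=2.0):
    """True if a TCP handshake to ip:port completes from this host."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def compare_resolvers(name, resolvers, port=443):
    """{resolver: [(address, reachable), ...]} or an error string per resolver."""
    report = {}
    for server in resolvers:
        try:
            answers = resolve_a(name, server)
        except (OSError, ValueError) as exc:
            report[server] = f"query failed: {exc}"
            continue
        report[server] = [(ip, tcp_reachable(ip, port)) for ip in answers]
    return report

# Constructed sample reply (not captured from a real server): two A records for
# www.example.com, an internal 192.168.10.20 and a public 203.0.113.10, both
# using a compression pointer (0xC00C) back to the question name.
SAMPLE_REPLY = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton("192.168.10.20")
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton("203.0.113.10")
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        print("usage: dnscheck.py <hostname> <resolver> [<resolver> ...]")
        print("offline demo, parsed sample reply:", parse_a_records(SAMPLE_REPLY, 0x1234))
    else:
        for server, result in compare_resolvers(sys.argv[1], sys.argv[2:]).items():
            print(server, result)
```

If the tunnel's resolver returns only the 192.x record and the probe to it fails while the public resolver's record succeeds, you have reproduced the symptom in the original post, and the choice is between steering the clients to the public record (the hosts-file workaround Matt describes, or the DNS change TAC made) and making the internal record reachable through the tunnel. The script speaks UDP only and does not retry over TCP when a reply is truncated, which is fine for a single A lookup but not for large answers.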