Solved

Configuring Split tunnelling locally

Posted on 2009-04-08
Last Modified: 2012-05-06
I have a SonicWall VPN client connected through an ASA 5520 across the internet and terminating on a SonicWall firewall (VPN server). I have no internet access through the VPN, so I need to enable split tunnelling. I cannot do this on the remote SonicWall as it's not mine. Is there any way of intercepting HTTP traffic on the ASA before it hits the tunnel and sending it to my proxy server? I know that policy-based routing is not available on the ASA.

Many thanks in advance

B
Question by: brucehunter
4 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 24105845
See if your SonicWall VPN client has an option that sets the VPN IP as the default gateway. If this is not an option in the SonicWall, the issue is with the VPN configuration on the SonicWall side.

You could alternatively add a lower-metric route when a VPN connection is present:
route add 0.0.0.0 mask 0.0.0.0 LAN-IP metric 0

route print will tell you what your routing table is.
Post the routing table with public IPs replaced with X.x.x.x if the above is not enough.
 

Author Comment

by:brucehunter
ID: 24135859
OK, the problem is not with the VPN; it's working fine. The problem is that the company I'm connecting to across the VPN doesn't allow internet access from remote clients. I don't have access to the SonicWall VPN server, so I can't configure split tunnelling. I currently have to disconnect my VPN in order to access the internet. I thought maybe I could configure the ASA at my end in such a way as to send HTTP/HTTPS to my proxy server while the VPN is up, as opposed to across the VPN.
Apologies, my original post was a bit unclear.
 
LVL 77

Accepted Solution

by: arnold (earned 250 total points)
ID: 24137718
The problem you have cannot be addressed through the ASA, since the SonicWall VPN client is what sets the parameters on your workstation, with the VPN IP as the default gateway.

When the VPN to the SonicWall is established, all internet traffic is sent by your workstation, as the routing table indicates, through the VPN tunnel. The ASA cannot see the packets in the tunnel to reroute them.

After you establish the SonicWall VPN, run the following in a command window (cmd.exe):
netstat -rn
This is the routing table for your workstation. You will likely see the VPN IP referenced as the default gateway.

You can look through the SonicWall VPN client to see whether you can control the default gateway setting, i.e. "use default gateway on remote network" or any option that deals with routing all traffic through the VPN, and change that.

(Make sure you record the changes you make, one at a time, so that you can reverse them in the event the changes break your ability to establish a VPN in the first place.)

The other option is to ask the VPN admin on the Sonicwall to configure their VPN policy to secure only specific segments rather than everything.
 
LVL 68

Expert Comment

by:Qlemo
ID: 24779646
As already said, the client has to be changed; the ASA (and any other router) has no knowledge of the traffic contents, as it is encrypted.

You can try to trick the client into ignoring the SonicWall VPN settings by changing local routes (chances are fifty-fifty):
AFTER connecting, set these two routes:
route add 0.0.0.0 mask 128.0.0.0 your.gateway.address.here
route add 128.0.0.0 mask 128.0.0.0 your.gateway.address.here

Some VPN clients check for existing routes and remap all they find if split tunnelling is not allowed. If the above routes exist BEFORE connecting, they might be remapped. If so, you have to delete them after disconnecting or before connecting, and recreate them while connected.
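To make the routing behaviour behind both answers concrete, here is an added example (not from any poster in this thread) that resolves a destination against a constructed Windows `route print` table using longest-prefix match with lowest-metric tiebreak. It shows why the VPN's default route captures all internet traffic while connected, and why two /1 routes to the local gateway take precedence over it; an administrator can run the same check against a real `route print` dump to verify that a full-tunnel policy is actually in effect on a client. All addresses and metrics are constructed sample values.

```python
import ipaddress

# Constructed sample of Windows "route print" IPv4 output while the VPN client
# is connected: the tunnel gateway (10.8.0.1) holds the lowest-metric default
# route, so every internet-bound packet enters the tunnel.
ROUTE_PRINT_FULL_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1    192.168.1.50      25
          0.0.0.0          0.0.0.0        10.8.0.1        10.8.0.5       1
      192.168.1.0    255.255.255.0         On-link     192.168.1.50     281
"""

# Same table after the two /1 routes from the thread point at the LAN gateway.
# A /1 prefix is more specific than the /0 default, so it wins regardless of
# metric. (Constructed continuation of the sample above.)
ROUTE_PRINT_OVERRIDDEN = ROUTE_PRINT_FULL_TUNNEL + """\
          0.0.0.0        128.0.0.0     192.168.1.1    192.168.1.50      26
        128.0.0.0        128.0.0.0     192.168.1.1    192.168.1.50      26
"""


def parse_routes(text):
    """Return (network, next_hop, metric) tuples from route print output."""
    routes = []
    for line in text.splitlines()[1:]:  # first line is the column header
        dest, mask, gw, iface, metric = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        # "On-link" means the destination is reached directly via the interface.
        routes.append((net, iface if gw == "On-link" else gw, int(metric)))
    return routes


def next_hop(routes, dest):
    """Pick the route with the longest matching prefix; lowest metric breaks ties."""
    ip = ipaddress.ip_address(dest)
    candidates = [r for r in routes if ip in r[0]]
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def tunnel_is_enforced(text, vpn_gateway, probe="8.8.8.8"):
    """True if an internet destination still exits through the VPN gateway."""
    return next_hop(parse_routes(text), probe) == vpn_gateway
```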
