Solved

Configuring Split tunnelling locally

Posted on 2009-04-08
4
538 Views
Last Modified: 2012-05-06
I have a Sonicwall VPN client connected through an ASA 5520 across the internet and terminating on a Sonicwall Firewall (VPN Server). I have no internet access through the VPN, so I need to enable split tunnelling. I cannot do this on the remote Sonicwall as it's not mine. Is there any way of intercepting HTTP traffic on the ASA before it hits the tunnel and sending it to my proxy server? I know that policy based routing is not available on ASA.

many thanks in advance

B
Question by:brucehunter
4 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 24105845
See if your Sonicwall VPN client has an option that sets the VPN IP as the default gateway. If this is not an option in the Sonicwall, the issue is with the VPN configuration on the Sonicwall side.

You could alternatively add a lower metric route when a VPN connection is present:
route add 0.0.0.0 mask 0.0.0.0 LAN-IP metric 0

route print will tell you what your routing table is.
Post the routing table with public IPs replaced with X.x.x.x if the above is not enough.
0
 

Author Comment

by:brucehunter
ID: 24135859
OK, the problem is not with the VPN, it's working fine. The problem is that the company I'm connecting to across the VPN doesn't allow internet access from remote clients. I don't have access to the Sonicwall VPN server, so I can't configure split tunnelling. I currently have to disconnect my VPN in order to access the internet. I thought maybe I could configure the ASA at my end in such a way as to send HTTP/HTTPS to my proxy server while the VPN is up, as opposed to across the VPN.
Apologies, my original post was a bit unclear.
0
 
LVL 76

Accepted Solution

by:
arnold earned 250 total points
ID: 24137718
The problem you have cannot be addressed through the ASA, since the Sonicwall VPN client is what sets the parameters on your workstations, with the VPN IP as the default gateway.

When the VPN to the Sonicwall is established, all internet traffic is sent by your workstations, as the routing table indicates, through the VPN tunnel. The ASA cannot see the packets in the tunnel to reroute them.

After you establish the Sonicwall VPN, run the following in a command window (cmd.exe):
netstat -rn
This is the routing table for your workstation. You will likely see the VPN IP referenced as the default gateway.

You can look through the Sonicwall VPN client to see whether you can control the default gateway setting, i.e. "use default gateway on remote network" or any option that deals with routing all traffic through the VPN, and change that.

(Make sure you record the changes you make, one at a time, so that you can reverse them in the event the changes break your ability to establish a VPN in the first place.)

The other option is to ask the VPN admin on the Sonicwall to configure their VPN policy to secure only specific segments rather than everything.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 24779646
As already said, the client has to be changed; the ASA (and any other router) has no knowledge of the traffic contents, as it is encrypted.

You can try to trick the client into ignoring the SonicWall VPN settings by changing local routes (chances are fifty-fifty):
AFTER connecting, set these two routes:
route add 0.0.0.0 mask 128.0.0.0 your.gateway.address.here
route add 128.0.0.0 mask 128.0.0.0 your.gateway.address.here

Some VPN clients check for existing routes and remap all they find if split-tunneling is not allowed. If the above routes exist BEFORE connecting, they might be remapped. If so, you have to delete them after disconnecting or before connecting, and recreate them while connected.
0
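Added example (not part of the thread, and not from any of the posters): a small Python model of what arnold's netstat -rn check and Qlemo's two route add commands do to route selection. It parses a constructed Windows "route print" snippet (all addresses, the 10.8.0.x tunnel and the 192.168.1.1 LAN gateway are made-up sample values), picks routes by longest prefix match and then lowest metric, and shows why two /1 routes beat the VPN's /0 default route, and why they fail when a client rewrites pre-existing catch-all routes. The client_remaps function is a hypothetical model of that rewriting behaviour, not any specific vendor's logic.

```python
import ipaddress

# Constructed sample of "route print" / "netstat -rn" output on a Windows
# workstation after a full-tunnel VPN has come up. Sample values only.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
          0.0.0.0          0.0.0.0         10.8.0.1       10.8.0.10      1
         10.8.0.0    255.255.255.0         On-link        10.8.0.10    257
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
===========================================================================
"""


def parse_routes(text):
    """Return a list of (network, next_hop, metric) from the Active Routes table.

    "On-link" routes have no gateway; the interface address is used as next hop.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators, blank lines
        try:
            net = ipaddress.ip_network((parts[0], parts[1]), strict=False)
        except ValueError:
            continue  # not a destination/netmask pair
        next_hop = parts[3] if parts[2] == "On-link" else parts[2]
        routes.append((net, next_hop, int(parts[4])))
    return routes


def best_route(routes, dst):
    """Longest prefix wins; among equal prefix lengths the lowest metric wins."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))


def next_hop(routes, dst):
    r = best_route(routes, dst)
    return r[1] if r else None


def default_gateway(routes):
    """arnold's check: which gateway currently carries 0.0.0.0/0?"""
    defaults = [r for r in routes if r[0].prefixlen == 0]
    return min(defaults, key=lambda r: r[2])[1] if defaults else None


def add_split_routes(routes, lan_gateway, metric=1):
    """Model Qlemo's two commands:
       route add 0.0.0.0   mask 128.0.0.0 <lan_gateway>
       route add 128.0.0.0 mask 128.0.0.0 <lan_gateway>
    Together they cover all of IPv4 but are one bit more specific than the
    VPN's 0.0.0.0/0, so longest-prefix match prefers them for internet hosts
    while the tunnel subnet's /24 still wins for VPN-side addresses."""
    return routes + [
        (ipaddress.ip_network("0.0.0.0/1"), lan_gateway, metric),
        (ipaddress.ip_network("128.0.0.0/1"), lan_gateway, metric),
    ]


def client_remaps(routes, tunnel_gateway):
    """Hypothetical model (assumption, not a documented vendor behaviour) of a
    client that, with split tunnelling disallowed, rewrites any catch-all route
    it finds at connect time (prefix length 0 or 1) to point into the tunnel.
    This is why the /1 routes must be added AFTER the VPN is up."""
    return [(n, tunnel_gateway if n.prefixlen <= 1 else gw, m) for n, gw, m in routes]


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    print("default gateway after connect:", default_gateway(table))
    print("internet host goes via:", next_hop(table, "93.184.216.34"))
    split = add_split_routes(table, "192.168.1.1")
    print("with /1 routes, internet host goes via:", next_hop(split, "93.184.216.34"))
    print("tunnel peer still goes via:", next_hop(split, "10.8.0.1"))
    remapped = client_remaps(split, "10.8.0.1")
    print("if the client remaps catch-all routes:", next_hop(remapped, "93.184.216.34"))
```

The model deliberately does not touch the default route itself: the two /1 entries sit beside the VPN's 0.0.0.0/0, so default_gateway still reports the tunnel while internet-bound packets leave via the LAN. That is also the fingerprint to look for when auditing a workstation that is supposed to be full-tunnel: a pair of /1 routes pointing away from the VPN adapter.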
