Solved

Cisco VPN - Unable to browse Internet once connected to Internet

Posted on 2010-09-04
1,072 Views
Last Modified: 2012-05-10
I know most are thinking "enable split tunnelling" when they read the title, and perhaps that's what I ultimately have to do. But I want to force the client to use the remote gateway (ASA 5505) to access the Internet once connected, for security reasons. I know there are performance issues with that but I don't want a system being open to access while connected to our VPN. In a nutshell, I want the VPN client to be able to still access Internet resources while connected, but by the most secure means even if it's sacrificing performance.

Here's our setup:

DSL - ASA 5505 - SBS 2008 server (192.168.1.25), which also acts as the DNS server


: Saved
:
ASA Version 8.0(2) 
!
hostname ASA5505
domain-name domain.local
enable password O/4va7NOU8F5vh4C encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address OUR.STATIC.IP 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone NST -3 30
clock summer-time NDT recurring 1 Sun Apr 0:01 last Sun Oct 0:01
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.25
 name-server ISP.PROVIDED.DNS
 domain-name domain.local
same-security-traffic permit intra-interface
object-group service MobileAdmin tcp
 port-object eq 4055
object-group service pop3-SSL tcp
 description POP3 over SSL
 port-object eq 995
object-group service IMAP-SSL tcp
 description IMAP SSL Access
 port-object eq 993
object-group service RemoteWSS tcp
 description Remote access for SharePoint through RWW
 port-object eq 987
access-list outside-in extended permit tcp any interface outside eq https 
access-list outside-in extended permit tcp any interface outside object-group pop3-SSL 
access-list outside-in extended permit tcp any interface outside eq smtp 
access-list outside-in extended permit tcp any interface outside eq 4125 
access-list outside-in remark MobileAdmin
access-list outside-in extended permit tcp any interface outside eq 4055 
access-list outside-in extended permit tcp any interface outside eq 3389 inactive 
access-list outside-in extended permit tcp any interface outside object-group IMAP-SSL 
access-list outside-in extended permit tcp any interface outside object-group RemoteWSS 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.224 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list vpn_splitTunnelAcl_1 standard permit any 
access-list VPN_splitTunnelAcl standard permit any 
access-list outside_nat extended permit ip 10.10.10.0 255.255.255.0 any 
access-list out_nat0 extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
logging from-address my@email.com
logging recipient-address my@email.com level errors
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.10.10.2-10.10.10.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list out_nat0 outside
static (inside,outside) tcp interface https 192.168.1.25 https netmask 255.255.255.255 
static (inside,outside) tcp interface smtp 192.168.1.25 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface 4125 192.168.1.25 4125 netmask 255.255.255.255 
static (inside,outside) tcp interface 4055 192.168.1.35 4055 netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 192.168.1.25 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 995 192.168.1.10 995 netmask 255.255.255.255 
static (inside,outside) tcp interface 993 192.168.1.10 993 netmask 255.255.255.255 
static (inside,outside) tcp interface 987 192.168.1.25 987 netmask 255.255.255.255 
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 ISP.PROVIDED.GATEWAY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server Administration protocol radius
aaa-server Administration host 192.168.1.35
 timeout 5
 key *******
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map system-default-crypto-map 20 set pfs 
crypto dynamic-map system-default-crypto-map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer REMOTE.SITE.VPN.IP 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic system-default-crypto-map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd dns 192.168.1.25 ISP.PROVIDED.DNS interface inside
dhcpd wins 192.168.1.25 interface inside
dhcpd lease 604800 interface inside
dhcpd ping_timeout 500 interface inside
dhcpd domain domain.local interface inside
!

threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.1.10
 dns-server value 192.168.1.10 ISP.PROVIDED.DNS
 default-domain value domain
 address-pools value vpnpool
group-policy ourVPN internal
group-policy ourVPN attributes
 wins-server value 192.168.1.25
 dns-server value 192.168.1.25 ISP.PROVIDED.DNS
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelall
 default-domain value domain.local
username username password xcWpz0jIlO9W.qkb encrypted
username username attributes
 vpn-group-policy ourVPN
 vpn-filter value outside_nat
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
tunnel-group ourVPN type remote-access
tunnel-group ourVPN general-attributes
 address-pool vpnpool
 authentication-server-group Administration LOCAL
 default-group-policy ourVPN
 dhcp-server 192.168.1.1
tunnel-group ourVPN ipsec-attributes
 pre-shared-key *
tunnel-group Remote.STATIC.IP type ipsec-l2l
tunnel-group Remote.STATIC.IP ipsec-attributes
 pre-shared-key *
smtp-server 192.168.1.1
prompt hostname context 
Cryptochecksum:12073197c1a3630bf5a62760b8b2656a
: end
asdm image disk0:/asdm-602.bin
no asdm history enable

Question by:bradibutler
8 Comments
 
LVL 14

Accepted Solution

by:
anoopkmr earned 2000 total points
ID: 33605604
I hope you don't want the VPN client to use a proxy server for browsing...

So try like this:

no access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.224
same-security-traffic permit intra-interface
access-list outside_nat extended permit ip 10.10.10.0 255.255.255.0 any
nat (outside) 1 access-list outside_nat

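As an added check that is not part of the thread: a small Python audit, written for this page, that tests an ASA 8.0 config excerpt (constructed from the question's own config) for the three conditions the accepted answer depends on: the intra-interface permit, a tunnelall split-tunnel policy, and a nat (outside)/global (outside) pair that translates the VPN pool to any. The function name audit_hairpin and the assumption that the pool's mask defines the network the NAT ACL must cover are mine, not the ASA's.

```python
import re

# Constructed excerpt of the ASA 8.0(2) config from the question, before the fix.
BEFORE = """\
same-security-traffic permit intra-interface
access-list outside_nat extended permit ip 10.10.10.0 255.255.255.0 any
ip local pool vpnpool 10.10.10.2-10.10.10.20 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list out_nat0 outside
group-policy ourVPN attributes
 split-tunnel-policy tunnelall
"""
# The same excerpt with the accepted answer's NAT line applied.
AFTER = BEFORE + "nat (outside) 1 access-list outside_nat\n"

def _ip2int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def _int2ip(n):
    return ".".join(str((n >> s) & 255) for s in (24, 16, 8, 0))

def audit_hairpin(cfg):
    """Return findings that would stop tunnelall clients from reaching the
    Internet back out of the outside interface; empty list = all present."""
    findings = []
    if "same-security-traffic permit intra-interface" not in cfg:
        findings.append("missing: same-security-traffic permit intra-interface")
    if not re.search(r"^\s*split-tunnel-policy tunnelall", cfg, re.M):
        findings.append("split-tunnel-policy is not tunnelall")
    pool = re.search(r"^ip local pool \S+ (\S+?)-\S+ mask (\S+)", cfg, re.M)
    if not pool:
        return findings + ["no ip local pool found"]
    # Assumption: the pool's mask defines the network the NAT ACL must cover.
    mask = pool.group(2)
    net = _int2ip(_ip2int(pool.group(1)) & _ip2int(mask))
    translated = False
    # Pool traffic re-entering on outside needs a nat (outside) rule whose ACL
    # permits pool -> any, plus a global (outside) with the same NAT id.
    for nat_id, acl in re.findall(r"^nat \(outside\) (\d+) access-list (\S+)", cfg, re.M):
        if nat_id == "0":  # nat 0 is an exemption, not a translation
            continue
        rule = rf"^access-list {acl} extended permit ip {re.escape(net)} {re.escape(mask)} any"
        if re.search(rule, cfg, re.M) and re.search(rf"^global \(outside\) {nat_id} ", cfg, re.M):
            translated = True
    if not translated:
        findings.append(f"no nat/global (outside) pair translates {net} {mask} to any")
    return findings
```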
 
LVL 5

Expert Comment

by:shubhanshu_jaiswal
ID: 33605917
As per my understanding, you can use any of the two methods given below:

1) You will have to set up a proxy server in your location and make an ACL entry for your VPN users to access the proxy server for Internet access. You will have to disable the split tunneling feature to disallow VPN users from using their local Internet connections while they are connected to the VPN.

2) You can make an access list which enables the user to access the Internet connection of the Cisco ASA.
Just make an access list entry for VPN users to access the Internet.

access-list vpn extended permit ip x.x.x.x x.x.x.x any

and disable split tunneling.

Let me know if it solves the purpose.
 
 

Author Comment

by:bradibutler
ID: 33606153
I do want to disable split tunneling and use the ASA as a gateway to share Internet access to the web. I don't intend on using a proxy. I know there is a lot of overhead this way but we only have about 5 VPN users.

So which of the commands would I use to accomplish this?

Thanks for your replies.

 
LVL 14

Expert Comment

by:anoopkmr
ID: 33606545
Can you try my comments?
 
LVL 5

Expert Comment

by:shubhanshu_jaiswal
ID: 33606748
If this is the case, you can try my second option and see if that works.
 

Author Comment

by:bradibutler
ID: 33607966
To anoopkmr:

I just tried your solution and it worked. However, split-tunnelling is still enabled, as I can still access local resources on the network (e.g. I can still see the other computers on this network if I browse for them). Is this normal, or can I disable that to make it more secure?
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33620871
Because those computers are on your connected network (local LAN), it is normal. But anything outside your LAN will traverse via the tunnel.
 

Author Comment

by:bradibutler
ID: 33621515
Thanks!