Solved

Cisco VPN - Unable to browse Internet once connected to Internet

Posted on 2010-09-04
Last Modified: 2012-05-10
I know most are thinking "enable split tunnelling" when they read the title, and perhaps that's what I ultimately have to do. But I want to force the client to use the remote gateway (ASA 5505) to access the Internet once connected, for security reasons. I know there are performance issues with that but I don't want a system being open to access while connected to our VPN. In a nutshell, I want the VPN client to be able to still access Internet resources while connected, but by the most secure means even if it's sacrificing performance.

Here's our setup:

DSL - ASA 5505 - SBS 2008 (192.168.1.25) server, which acts as a DNS server as well


: Saved
:
ASA Version 8.0(2)
!
hostname ASA5505
domain-name domain.local
enable password O/4va7NOU8F5vh4C encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address OUR.STATIC.IP 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone NST -3 30
clock summer-time NDT recurring 1 Sun Apr 0:01 last Sun Oct 0:01
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.25
 name-server ISP.PROVIDED.DNS
 domain-name domain.local
same-security-traffic permit intra-interface
object-group service MobileAdmin tcp
 port-object eq 4055
object-group service pop3-SSL tcp
 description POP3 over SSL
 port-object eq 995
object-group service IMAP-SSL tcp
 description IMAP SSL Access
 port-object eq 993
object-group service RemoteWSS tcp
 description Remote access for SharePoint through RWW
 port-object eq 987
access-list outside-in extended permit tcp any interface outside eq https
access-list outside-in extended permit tcp any interface outside object-group pop3-SSL
access-list outside-in extended permit tcp any interface outside eq smtp
access-list outside-in extended permit tcp any interface outside eq 4125
access-list outside-in remark MobileAdmin
access-list outside-in extended permit tcp any interface outside eq 4055
access-list outside-in extended permit tcp any interface outside eq 3389 inactive
access-list outside-in extended permit tcp any interface outside object-group IMAP-SSL
access-list outside-in extended permit tcp any interface outside object-group RemoteWSS
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list vpn_splitTunnelAcl_1 standard permit any
access-list VPN_splitTunnelAcl standard permit any
access-list outside_nat extended permit ip 10.10.10.0 255.255.255.0 any
access-list out_nat0 extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging from-address my@email.com
logging recipient-address my@email.com level errors
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.10.10.2-10.10.10.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list out_nat0 outside
static (inside,outside) tcp interface https 192.168.1.25 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.25 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 4125 192.168.1.25 4125 netmask 255.255.255.255
static (inside,outside) tcp interface 4055 192.168.1.35 4055 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.25 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 995 192.168.1.10 995 netmask 255.255.255.255
static (inside,outside) tcp interface 993 192.168.1.10 993 netmask 255.255.255.255
static (inside,outside) tcp interface 987 192.168.1.25 987 netmask 255.255.255.255
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 ISP.PROVIDED.GATEWAY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server Administration protocol radius
aaa-server Administration host 192.168.1.35
 timeout 5
 key *******
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map system-default-crypto-map 20 set pfs
crypto dynamic-map system-default-crypto-map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer REMOTE.SITE.VPN.IP
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic system-default-crypto-map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd dns 192.168.1.25 ISP.PROVIDED.DNS interface inside
dhcpd wins 192.168.1.25 interface inside
dhcpd lease 604800 interface inside
dhcpd ping_timeout 500 interface inside
dhcpd domain domain.local interface inside
!

threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.1.10
 dns-server value 192.168.1.10 ISP.PROVIDED.DNS
 default-domain value domain
 address-pools value vpnpool
group-policy ourVPN internal
group-policy ourVPN attributes
 wins-server value 192.168.1.25
 dns-server value 192.168.1.25 ISP.PROVIDED.DNS
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelall
 default-domain value domain.local
username username password xcWpz0jIlO9W.qkb encrypted
username username attributes
 vpn-group-policy ourVPN
 vpn-filter value outside_nat
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
tunnel-group ourVPN type remote-access
tunnel-group ourVPN general-attributes
 address-pool vpnpool
 authentication-server-group Administration LOCAL
 default-group-policy ourVPN
 dhcp-server 192.168.1.1
tunnel-group ourVPN ipsec-attributes
 pre-shared-key *
tunnel-group Remote.STATIC.IP type ipsec-l2l
tunnel-group Remote.STATIC.IP ipsec-attributes
 pre-shared-key *
smtp-server 192.168.1.1
prompt hostname context
Cryptochecksum:12073197c1a3630bf5a62760b8b2656a
: end

Question by:bradibutler
8 Comments
 
Accepted Solution
by: anoopkmr (earned 500 total points)
I hope you don't want the VPN client to use a proxy server for browsing.

So try like this:

no access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.224
same-security-traffic permit intra-interface
access-list outside_nat extended permit ip 10.10.10.0 255.255.255.0 any
nat (outside) 1 access-list outside_nat

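The accepted answer relies on four things being true at once: intra-interface traffic permitted, the group policy set to tunnelall, an outside NAT rule (paired with its global) covering the VPN pool, and no "any -> pool" exemption left in the nat 0 ACL. As an added example (not part of the thread or Cisco's tooling), the following checker reads ASA 8.0-style config text and reports each of those; the two excerpts are constructed from the question's config, before and after the answer's changes, and all function names are mine.

```python
import re
from ipaddress import ip_network

# Constructed excerpt of the question's ASA 8.0(2) config: only the lines the
# accepted answer touches, before that answer's changes are applied.
BEFORE = """\
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.224
access-list outside_nat extended permit ip 10.10.10.0 255.255.255.0 any
ip local pool vpnpool 10.10.10.2-10.10.10.20 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
group-policy ourVPN attributes
 split-tunnel-policy tunnelall
"""
# Same excerpt with the accepted answer applied: the "any -> pool" exemption is
# gone and the pool is NATed on the outside interface.
AFTER = BEFORE.replace("access-list inside_nat0_outbound extended permit ip any "
                       "10.10.10.0 255.255.255.224\n", "") + "nat (outside) 1 access-list outside_nat\n"

def net(addr, mask):
    return ip_network(f"{addr}/{mask}", strict=False)

def check_hairpin(config):
    """Report which prerequisites for tunnelall clients reaching the Internet
    through the ASA (u-turn on the outside interface) the config satisfies."""
    r = {"intra_interface": "same-security-traffic permit intra-interface" in config.splitlines(),
         "tunnelall": bool(re.search(r"^ +split-tunnel-policy tunnelall$", config, re.M)),
         "pat_for_pool": False, "nat0_any_to_pool": []}
    m = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)$", config, re.M)
    if not m:
        return r
    pool = net(m.group(1), m.group(2))
    # nat (outside) <id> access-list <acl> needs a matching global (outside) <id>,
    # and that ACL must permit the whole pool to "any".
    for nat_id, acl in re.findall(r"^nat \(outside\) (\d+) access-list (\S+)$", config, re.M):
        if not re.search(rf"^global \(outside\) {nat_id} interface$", config, re.M):
            continue
        for a, mk in re.findall(rf"^access-list {acl} extended permit ip (\S+) (\S+) any$", config, re.M):
            r["pat_for_pool"] |= pool.subnet_of(net(a, mk))
    # nat (inside) 0 exemptions from "any" into the pool (the line the answer removes).
    for acl in re.findall(r"^nat \(inside\) 0 access-list (\S+)$", config, re.M):
        for a, mk in re.findall(rf"^access-list {acl} extended permit ip any (\S+) (\S+)$", config, re.M):
            if net(a, mk).overlaps(pool):
                r["nat0_any_to_pool"].append(str(net(a, mk)))
    return r

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_hairpin(cfg))
```

Run against a full `show running-config` dump the same way; anything other than an empty `nat0_any_to_pool` list together with `pat_for_pool` True means the hairpin is not complete.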
 
LVL 5

Expert Comment

by:shubhanshu_jaiswal
Comment Utility
As per my understanding you can any of two method given below:

1) You will have to setup a Proxy server in your location and make an acl entry for your VPN User to access the proxy server for internet access. You will have to disable the split tunneling feature to disallow VPN users to use their local internet connections while they are connected to VPN.

2) You can make an access list which enables the user to access the Internet connection of the Cisco ASA.
Just make an access list entry for VPN users to access the Internet.

access-list vpn extended permit ip x.x.x.x x.x.x.x any

and disable split tunneling.

Let me know if it solves the purpose.
 
Author Comment
by: bradibutler
I do want to disable split tunneling and use the ASA as a gateway to share Internet access to the web. I don't intend to use a proxy. I know there is a lot of overhead this way but we only have about 5 VPN users.

So which of the commands would I use to accomplish this?

Thanks for your replies.
Expert Comment
by: anoopkmr
Can you try my comments?
Expert Comment
by: shubhanshu_jaiswal
If this is the case, you can try my second option and see if that works.
Author Comment
by: bradibutler
To anoopkmr:

I just tried your solution and it worked. However, split-tunnelling is still enabled, as I can still access local resources on the network (e.g. I can still see the other computers on this network if I browse for them). Is this normal, or can I disable that to make it more secure?
Expert Comment
by: anoopkmr
Because those computers are on your connected network (local LAN), it is normal. But anything to outside your LAN will traverse via the tunnel.
Author Comment
by: bradibutler
Thanks!