jpletcher1 asked:
Cisco ASA with client VPN connections NAT issues

I have a Cisco ASA 5510 firewall that has been acting only as a firewall up until now.  I'm trying to set it up so that clients can connect remotely with a software VPN client on their laptop.  I have it all working up through the client VPNs connecting back, authenticating, and they can access internal resources.  The problem is they can't get to the Internet.  I am tunneling everything through (no split tunnels).  I believe it to be a NAT issue because if I enter these commands then it works:

same-security-traffic permit intra-interface
nat (EXTERNAL) 1 10.10.10.0 255.255.255.0

Here I use 10.10.10.0 as the network I'm using for my VPN network.

So once I do this, everything works.. but... I notice that the VPN clients then are not filtered by our content filtering device that the internal people are filtered by. It's like when I have it set up with the commands above it knows how to go to the Internet without passing through the way that everything else does. Our content filtering device is a passthrough device, not a proxy, and it just acts as a bridge between our internal network and the firewall.

I need to make sure the VPN clients that connect up go through the same content filtering that the internal people currently do.
MikeKane:

What is the content filtering device? How is it connected and set up?

Motaba:

If your filtering device is between the ASA and the internal network, then you need to route VPN clients to the internal network.
One solution is a proxy located on the internal network. All VPN users have to use this proxy, so traffic goes from VPN users to the internal network and back out to the Internet through the filtering device.
The second option is some kind of routing. I do not know if it works, but you need to set a route rule on the ASA like this: "route any from VPN to any through (some router in the internal network)".
jpletcher1 (asker):
The content filtering device is actually a SonicWall NSA device that is only used for content filtering.  It is plugged in transparently so that anything internally passing from the inside network to the firewall must traverse through it.  I assume the VPN clients are getting around this when I do the NAT entry I listed above.  

I'm not sure how to make sure the VPN traffic destined for the Internet passes through the inside network and through the filtering device as if it was an internal end client.
I should also say, we currently have remote VPN clients connecting in through an actual Cisco VPN concentrator, and that works fine since, coming in on the concentrator, they have to pass through the internal network to get out to the firewall. My goal is to transfer the VPN role from the concentrator to the firewall. Since now in my new method the firewall is the entry and exit point, I have this problem.
SOLUTION by Motaba

ASKER CERTIFIED SOLUTION by Les Moore

SOLUTION
Shoot, that was what I was afraid of.  Thanks for the information guys.
An update on this...  Cisco figured out how to force my traffic coming in from the remote site ASA destined for the Internet to still come into the local network first (not hit the central firewall and head straight for the Internet).  They put in a "tunnel" route that forces all traffic coming into the central ASA to be routed to our internal layer 3 switch, and from there it goes back out to the Internet.  I was glad that this worked, but now our content filter won't filter the traffic because it is originating from the external interface of the content filter and not the inside interface.
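The two paths described in this thread, shown side by side as an added ASA configuration illustration (not posted by anyone in the thread and not Cisco's published fix). It assumes ASA 8.2-style NAT syntax as used in the question, the outside interface name EXTERNAL from the question, and two constructed values: an inside interface named INSIDE and an internal layer-3 switch at 192.168.1.2.

```cisco
! Added illustration; interface INSIDE, switch address 192.168.1.2 and the
! global pool are assumptions, not values from the thread.
!
! --- Path 1: hairpin NAT, as posted in the question ---------------------------
! Decrypted client traffic re-enters EXTERNAL and is translated straight back
! out the same interface. It never crosses INSIDE, so a bridge-mode filter
! sitting between the inside LAN and the ASA never sees it.
same-security-traffic permit intra-interface
nat (EXTERNAL) 1 10.10.10.0 255.255.255.0
global (EXTERNAL) 1 interface
!
! --- Path 2: tunneled default route, as described in the asker's update -------
! The "tunneled" keyword applies the route only to traffic that arrived over a
! VPN tunnel, so decrypted client traffic is handed to the L3 switch via INSIDE
! instead of going straight back out EXTERNAL. The hairpin rule above is then
! removed so the two paths are not both in effect.
no nat (EXTERNAL) 1 10.10.10.0 255.255.255.0
route INSIDE 0.0.0.0 0.0.0.0 192.168.1.2 tunneled
!
! When the switch forwards the client traffic back toward the Internet it now
! enters INSIDE with a 10.10.10.x source, so that source needs an inside
! translation as well; the L3 switch must also route 10.10.10.0/24 back to the
! ASA's INSIDE address for return traffic to reach the client.
nat (INSIDE) 1 10.10.10.0 255.255.255.0
!
! Verification from the ASA:
show route              ! confirms the tunneled default is installed
show xlate              ! hairpin builds translations on EXTERNAL only;
                        ! the tunneled path shows a 10.10.10.x entry per INSIDE
                        ! pass, which is the evidence the filter had a chance
                        ! to see the flow
```

As the asker observed, Path 2 only yields filtering if the bridge device applies policy to sessions it first sees from its ASA-facing side; the route change alone does not make the filter treat the clients as internal hosts.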