Solved

Cisco AnyConnect Tunnel Question

Posted on 2011-03-21
Last Modified: 2012-05-11
I have a Cisco ASA 5510 configured with AnyConnect VPN that tunnels only our internal networks.

We have a remote webfarm that hosts a development instance of our websites that can only be accessed by public IP, which is controlled by an ACL to prevent search engines from crawling our development sites.  Our ASA has a global outside IP that is allowed in the development ACL.  When our VPN clients connect, since all public networks are split from the VPN tunnel, when they attempt to connect to the development sites they're denied by the ACL since their IP is unknown.  

I would like to tunnel this public network through the VPN while still splitting all other traffic to their own i-net connections.  Guru help please!

Thanks in advance!
Question by:nathanspowell
13 Comments
 
LVL 7

Expert Comment

by:TheTull
ID: 35182420
Sounds to me like you want to set up a split tunnel so that traffic from VPN users destined to the remote webfarm will get passed through your corporate firewall and not through the user's own Internet connection.

Have you tried setting up split-tunneling on the ASA, which, in a nutshell, has you set up an ACL that permits traffic to the webfarm, which then has the result of setting up a route in the local routing table of the client's PC so that traffic to that IP gets sent to the ASA and not out the user's ISP.  

Here is a good Cisco page on setting up split-tunneling:  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml

Keep in mind there are risks involved with split-tunneling, which are described here: http://www.cisco.com/web/about/security/intelligence/05_08_SSL-VPN-Security.html
 

Author Comment

by:nathanspowell
ID: 35182859
I have set up a split tunnel for that network on the VPN profile.  However, when the VPN is established now it just kills all connectivity to that subnet.  Something is missing.

Here are a few more config details.

Tunnel
VPN <-> Internal subnets (NAT exemptions) Works fine
VPN <-> External public subnet (No NAT exemptions) doesn't work

Inside network 10.10.10.0/24
VPN network 10.10.1.0/24

global (outside) 10 interface
 
LVL 7

Expert Comment

by:TheTull
ID: 35182946
Can you confirm if the VPN traffic is NATing to the external interface once it leaves the firewall to get to the webfarm, or, better yet, is the ASA attempting to route the VPN traffic out the external interface at all?
 

Author Comment

by:nathanspowell
ID: 35183037
Translation doesn't appear to be happening.  When I try to hit the webfarm from a VPN client I do a show xlate on the ASA and I don't see any translations for the 10.10.1 vpn subnet in the list.  If there's another way I should check this let me know.
 
LVL 7

Expert Comment

by:TheTull
ID: 35183144
I'm guessing you have to set up a NAT entry for the VPN traffic when it's leaving the outside interface, and also "allow" it to come in and out the same interface, so like this:

asa(config)# same-security-traffic permit intra-interface
asa(config)# global (outside) 1 interface (you may already have this line entered)
asa(config)# nat (outside) 1 10.10.1.0 255.255.255.0

I haven't run that config before, so I would make sure you can test it OK without screwing anything up, which you should be able to really, so long as you have local access to the ASA.  
 

Author Comment

by:nathanspowell
ID: 35183404
asa(config)# same-security-traffic permit intra-interface
asa(config)# global (outside) 1 interface (you may already have this line entered)

were both already on our ASA.

asa(config)# nat (outside) 1 10.10.1.0 255.255.255.0

I added, and disconnected/reconnected the VPN.  Still have the same issue, websites not pulling via the tunnel and no xlates for 10.10.1.x on the ASA.

I've attached a sterilized copy of the config.
corp-current-sterile.txt
 
LVL 33

Expert Comment

by:MikeKane
ID: 35183565
What are the IP ranges of the remote webfarm?
 
LVL 33

Expert Comment

by:MikeKane
ID: 35183594
Actually, probably better you don't specify.      But whatever those ranges are, you need to include them in the split tunnel ACL so that those ranges also get swept into the tunnel from client to HQ, and then outbound using the HQ external interface...  


Either that or just remove the split tunnel altogether....
 

Author Comment

by:nathanspowell
ID: 35183619
@MikeKane

I'm not providing the specific IP range on a public forum, but let's call it:

201.201.201.0/24

I can decipher any instruction into the actual IP range on my end.

In case you're asking in regard to the config I attached and the current split...
The last line in this section represents the remote network.

access-list SSL_Split standard permit 10.10.10.0 255.255.255.0
access-list SSL_Split standard permit 10.10.30.0 255.255.255.0
access-list SSL_Split standard permit 10.10.70.0 255.255.255.0
access-list SSL_Split standard permit 10.10.92.0 255.255.255.0
access-list SSL_Split standard permit 10.10.48.0 255.255.248.0
access-list SSL_Split standard permit 10.10.40.0 255.255.255.0
access-list SSL_Split standard permit 10.10.20.0 255.255.255.0
access-list SSL_Split standard permit 10.10.115.0 255.255.255.0
access-list SSL_Split standard permit 10.0.0.0 255.255.0.0
access-list SSL_Split standard permit 10.10.60.0 255.255.254.0
access-list SSL_Split standard permit 10.100.1.0 255.255.255.0
access-list SSL_Split standard permit 201.201.201.0 255.255.255.0
 

Author Comment

by:nathanspowell
ID: 35183638
The range is in the split.  I don't want to remove the split as I would prefer all i-net bound traffic except this range use the clients connection.
 
LVL 7

Accepted Solution

by:
TheTull earned 500 total points
ID: 35183640
Change your config line from

asa(config)# nat (outside) 1 10.10.1.0 255.255.255.0

to

asa(config)# nat (outside) 10 10.10.1.0 255.255.255.0

The "nat" group needs to match the global group, and the global is using "10" while the nat is using "1".
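The two mechanisms this thread turns on, modelled as an added Python example that is not part of the original thread and is not Cisco code: how the split-tunnel ACL (TheTull's first comment and the SSL_Split list quoted above) decides which destinations the AnyConnect client sends down the tunnel, and the hairpin NAT check behind the accepted answer, where the nat id on the outside interface has to match the global id. The sample config is constructed from the lines quoted in the thread (shortened ACL, VPN pool 10.10.1.0/24, global id 10); the group-policy name SSL_GP is an assumption, and the parser understands only the ASA 8.2-style nat/global syntax used on this page.

```python
import ipaddress
import re

# Constructed sample in ASA 8.2-style syntax: the lines quoted in the thread
# (split ACL shortened to three entries, VPN pool 10.10.1.0/24, global id 10)
# plus an assumed group-policy stanza; the policy name SSL_GP is hypothetical.
BROKEN_CONFIG = """
same-security-traffic permit intra-interface
access-list SSL_Split standard permit 10.10.10.0 255.255.255.0
access-list SSL_Split standard permit 10.0.0.0 255.255.0.0
access-list SSL_Split standard permit 201.201.201.0 255.255.255.0
global (outside) 10 interface
nat (inside) 10 10.10.10.0 255.255.255.0
nat (outside) 1 10.10.1.0 255.255.255.0
group-policy SSL_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSL_Split
"""

# The accepted fix: the nat id on the outside interface must equal the global id.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "nat (outside) 1 10.10.1.0", "nat (outside) 10 10.10.1.0")

ACL_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
SPLIT_LIST_RE = re.compile(r"^split-tunnel-network-list value (\S+)$")


def parse(config):
    """Pull out the pieces relevant to split tunneling and hairpin NAT."""
    cfg = {"acls": {}, "globals": set(), "nats": [], "intra": False, "split_acl": None}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, net, mask = m.groups()
            cfg["acls"].setdefault(name, []).append(ipaddress.ip_network(f"{net}/{mask}"))
        elif m := GLOBAL_RE.match(line):
            iface, nat_id, _pool = m.groups()
            cfg["globals"].add((iface, int(nat_id)))
        elif m := NAT_RE.match(line):
            iface, nat_id, net, mask = m.groups()
            cfg["nats"].append((iface, int(nat_id), ipaddress.ip_network(f"{net}/{mask}")))
        elif m := SPLIT_LIST_RE.match(line):
            cfg["split_acl"] = m.group(1)
        elif line == "same-security-traffic permit intra-interface":
            cfg["intra"] = True
    return cfg


def client_path(cfg, dst):
    """Which way the AnyConnect client sends a packet to dst.

    With split-tunnel-policy tunnelspecified, the ASA pushes one route per
    ACL entry to the client; anything not covered keeps the client's own
    default route, i.e. its ISP.
    """
    ip = ipaddress.ip_address(dst)
    nets = cfg["acls"].get(cfg["split_acl"], [])
    return "tunnel" if any(ip in n for n in nets) else "local"


def hairpin_problems(cfg, vpn_pool, egress="outside"):
    """Reasons tunneled traffic leaving back out `egress` would not be translated."""
    pool = ipaddress.ip_network(vpn_pool)
    problems = []
    if not cfg["intra"]:
        problems.append("same-security-traffic permit intra-interface is missing")
    # Only nat statements on the egress interface that cover the VPN pool apply.
    matching = [(iface, nid, net) for iface, nid, net in cfg["nats"]
                if iface == egress and pool.subnet_of(net)]
    if not matching:
        problems.append(f"no nat ({egress}) statement covers {pool}")
    for iface, nid, net in matching:
        # A nat id with no global of the same id on the egress interface is
        # exactly the mismatch the accepted answer points out.
        if (egress, nid) not in cfg["globals"]:
            problems.append(
                f"nat ({iface}) {nid} {net} has no matching global ({egress}) {nid}")
    return problems


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        cfg = parse(text)
        print(label, "201.201.201.10 ->", client_path(cfg, "201.201.201.10"),
              "| 93.184.216.34 ->", client_path(cfg, "93.184.216.34"))
        print(label, "hairpin problems:", hairpin_problems(cfg, "10.10.1.0/24") or "none")
```

Run as a script, the broken config reports the id mismatch on the outside interface while the fixed config reports nothing, and the public webfarm address is classified as tunneled either way, which is why the thread saw the split route applied but no xlate. Pass a different interface name or pool to hairpin_problems to reuse the check on another ASA.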
 

Author Closing Comment

by:nathanspowell
ID: 35183654
You, sir, are correct, it's a beautiful thing!

Thanks!
 
LVL 7

Expert Comment

by:TheTull
ID: 35183678
Cool!  Glad I could help :)
