ASA 5505 Internet access while using client VPN

Posted on 2012-09-09
Last Modified: 2012-09-10
Hello Experts...

After some looking around, I have discovered I need to turn on "hair-pinning" on my ASA 5505 by using the command "same-security-traffic permit intra-interface".  Apparently, I am not understanding the full concept of this command.  After I enter that command, I still do not have the ability to access the Internet while I have a VPN session running.  My guess is I need more commands.

Could someone help me figure this out?

Thanks so much!!
Question by:pzeitham
    LVL 1

    Expert Comment

    Are you looking to have your entire internet connection run through your VPN or do you only want to access the network resources sitting behind the ASA?

    If you only want to access the network resources you can do a split tunnel.
    LVL 3

    Expert Comment

    Hair-pinning allows hosts behind the firewall to access other resources behind the firewall using the outside or public DNS name rather than the internal name.

    Here is some information regarding this:

    What I hear you saying is that you have no Internet access via your VPN connection while connected to your ASA. Basically, you have two choices. One is to set up split tunneling, whereby you have access only to "internal" resources (those behind the firewall) via the tunnel adapter and all other access is sent via the external adapter. The other option is to set up the routing on the ASA to allow access from the VPN-connected devices to the Internet.

    Each is a reasonable choice, but each has its reasons to allow and not to allow. Having split tunneling allows users access to the Internet locally from their computer, but eliminates the ability to "fully" control their access as well. For many companies, this would be a breach in security. One reason to allow this is to offload user Internet-bound traffic from the tunnels. Think of it as double the traffic for each call to the Internet.

    Split tunneling is basically set up in the group policy, which defines the networks available to the VPN clients via the tunnel (i.e. your internal network).
    LVL 18

    Expert Comment

    Can you post your sanitized config?
    LVL 35

    Expert Comment

    by:Ernie Beek
    The question is:
    Do you want to access the internet through the client's internet connection (when the VPN is active)?
    Do you want the client to use the ASA's internet connection (when the VPN is active)?

    Author Comment

    I am looking for the client to have Internet access while VPN is active.

    After doing more looking, I found I need to do split tunneling.  So the encrypted traffic will go to my local networks of 192.168.XXX.XXX and 10.XXX.XXX.XXX and everything else will be sent to the Internet unencrypted.  I have not been able to find the right commands yet.


    My config is attached.
    LVL 1

    Accepted Solution

    Split Tunneling for VPN Clients on the ASA Configuration Example

    Here is the setup from Cisco. It has both the ASDM and CLI setup.
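An ASA split-tunnel configuration of the kind the accepted answer's Cisco example describes, added here as an illustration (not the poster's config and not the text of the Cisco document); the ACL, group-policy and tunnel-group names and the two prefixes are assumptions standing in for the thread's redacted 192.168.XXX.XXX and 10.XXX.XXX.XXX networks:

```cisco
! Added example, not from the thread or from Cisco's document.
! Names and prefixes below are assumptions; substitute your own.
!
! 1. Standard ACL listing only the networks that should ride the tunnel.
!    Anything not matched here leaves the client unencrypted via its own ISP,
!    so the ASA no longer sees or filters that traffic (the trade-off noted
!    above).
access-list SPLIT_TUNNEL_ACL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL_ACL standard permit 10.0.0.0 255.0.0.0
!
! 2. Reference the ACL from the group policy the remote-access clients use.
group-policy REMOTE_ACCESS_POLICY internal
group-policy REMOTE_ACCESS_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
!
! 3. Make sure the tunnel group actually hands out that policy.
tunnel-group REMOTE_ACCESS_GROUP general-attributes
 default-group-policy REMOTE_ACCESS_POLICY
!
! Verification (clients must reconnect; an existing session keeps the old
! policy):
!   show running-config group-policy REMOTE_ACCESS_POLICY
!   show vpn-sessiondb detail        <- session should show the split ACL
!   on the client: "route print" / "netstat -rn" should list only the two
!   prefixes above via the VPN adapter, with the default route unchanged.
!
! Why "same-security-traffic permit intra-interface" alone was not enough:
! it only permits traffic to enter and leave the outside interface (the
! hairpin). For full tunnelling the VPN address pool must additionally be
! NATed out the outside interface, otherwise client Internet traffic is
! dropped on the ASA and the client still has no Internet access.
```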

    Author Comment

    Got it.  Thanks!!
