[Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 788
  • Last Modified:

ASA 5505 Internet access while using client VPN

Hello Experts...

After some looking around, I have discovered I need to turn on "hair-pinning" on my ASA 5505 by using command "same-security-traffic permit intra-interface".  Apparently, I am not understanding the full concept of this command.  After I enter that command, I still do not the ability to access the Internet while I have a VPN session running.  My guess is I need more commands.

Could someone help me figure this out?

Thanks so much!!
0
pzeitham
Asked:
pzeitham
1 Solution
 
TechFlyerCommented:
Are you looking to have your entire internet connection run through your VPN or do you only want to access the network resources sitting behind the ASA?

If you only want to access the network resources you can do a split tunnel.
0
 
Heritage02RiderCommented:
Hair-pinning is to allow access from behind the firewall access to other resources behind the firewall using outside or public DNS name rather than internal name.

Here is some information regarding this:
http://ckdake.com/content/2009/hairpinning-with-a-cisco-asa.html

What I hear you saying is that you have no Internet access via your VPN connection while connected to your ASA. Basically, you have two choices. One is to setup split tunneling, whereby you have access only to "internal" resources (those behind the firewall) via the tunnel adapter and all other access is sent via the external adapter. The other option is to setup the routing on the ASA to allow access from the VPN connected devices to the Internet.

Each is a reasonable choice, but each with their reasons to allow and not to allow. Having split tunneling allows users access to the Internet locally from their computer, but eliminates the ability to "fully" control their access as well. For many companies, this would be a breach in security. One reason to allow this is the offload of user Internet bound traffic from coming through the tunnels. Think of it as double the traffic for each call to the Internet.

Split tunneling basically is setup in the group policy and define the networks available to the VPN clients via the tunnel. (i.e. your internal network)
0
 
fgasimzadeCommented:
Can you post your sanitized config?
0
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

 
Ernie BeekCommented:
The question is:
Do you want to access the internet through the clients internet connection (when the VPN is active).
Or
Do you want the client to use the ASA's internet connection (when the VPN is active)?
0
 
pzeithamAuthor Commented:
I am looking for the client to have Internet access while VPN is active.

After doing more looking, I found I need to do split tunneling.  So the encrypted traffic will go to my local networks of 192.168.XXX.XXX and 10.XXX.XXX.XXX and everything else will be sent to the Internet unencrypted.  I have not been able to find the right commands yet.

Thanks!

My config is attached.
ASA-running-config-with-VPN-2012.txt
0
 
TechFlyerCommented:
Split Tunneling for VPN Clients on the ASA Configuration Example

here is the setup from Cisco. Has both the ASDM or CLI setup.
0
 
pzeithamAuthor Commented:
Got it.  Thanks!!
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now