pzeitham asked:
ASA 5505 Internet access while using client VPN

Hello Experts...

After some looking around, I have discovered I need to turn on "hair-pinning" on my ASA 5505 by using the command "same-security-traffic permit intra-interface".  Apparently, I am not understanding the full concept of this command.  After I enter that command, I still do not have the ability to access the Internet while I have a VPN session running.  My guess is I need more commands.

Could someone help me figure this out?

Thanks so much!!
TechFlyer:

Are you looking to have your entire internet connection run through your VPN or do you only want to access the network resources sitting behind the ASA?

If you only want to access the network resources, you can do a split tunnel.
Hair-pinning allows hosts behind the firewall to reach other resources behind the firewall using the outside or public DNS name rather than the internal name.

Here is some information regarding this:
http://ckdake.com/content/2009/hairpinning-with-a-cisco-asa.html

What I hear you saying is that you have no Internet access via your VPN connection while connected to your ASA. Basically, you have two choices. One is to setup split tunneling, whereby you have access only to "internal" resources (those behind the firewall) via the tunnel adapter and all other access is sent via the external adapter. The other option is to setup the routing on the ASA to allow access from the VPN connected devices to the Internet.

Each is a reasonable choice, but each has its reasons for and against. Split tunneling allows users to access the Internet locally from their computer, but it also eliminates the ability to "fully" control their access. For many companies, this would be a breach of security. One reason to allow it is to offload user Internet-bound traffic from the tunnels. Think of it as double the traffic for each call to the Internet.

Split tunneling is basically set up in the group policy and defines the networks available to the VPN clients via the tunnel (i.e. your internal network).
fgasimzade:
Can you post your sanitized config?
The question is:
Do you want to access the Internet through the client's Internet connection (when the VPN is active)?
Or
Do you want the client to use the ASA's internet connection (when the VPN is active)?
pzeitham (asker):

I am looking for the client to have Internet access while VPN is active.

After doing more looking, I found I need to do split tunneling.  So the encrypted traffic will go to my local networks of 192.168.XXX.XXX and 10.XXX.XXX.XXX and everything else will be sent to the Internet unencrypted.  I have not been able to find the right commands yet.

Thanks!

My config is attached.
ASA-running-config-with-VPN-2012.txt
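The two options TechFlyer describes (split tunnel versus full tunnel with hair-pinning) and the asker's follow-up ("encrypted traffic to 192.168.x and 10.x, everything else straight to the Internet") map to the ASA configuration below. This is an added example, not part of the thread and not taken from the asker's attached config. The group-policy and tunnel-group names, the VPN address pool, the exact inside subnets (the asker's are masked as XXX, so 192.168.1.0/24 and 10.0.0.0/8 are assumed placeholders) and the pre-8.3 `nat`/`global` NAT syntax typical of a 2012-era ASA 5505 are all assumptions; adjust them to your running config.

```cisco
! --- Common pieces (assumed names and addresses) ---
! Address pool handed to VPN clients
ip local pool VPN-POOL 192.168.100.1-192.168.100.50 mask 255.255.255.0

! Do not NAT inside <-> VPN-client traffic (pre-8.3 "nat 0" identity exemption)
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- Option 1: split tunnel (what the asker says they want) ---
! Standard ACL listing ONLY the networks that should ride the tunnel;
! everything else leaves the client's local Internet connection unencrypted.
access-list SPLIT-TUNNEL-ACL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT-TUNNEL-ACL standard permit 10.0.0.0 255.0.0.0

group-policy RemoteVPN internal
group-policy RemoteVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL
 ! Optional: resolve internal names through the tunnel only for these domains
 split-dns value example.local

tunnel-group RemoteVPN general-attributes
 address-pool VPN-POOL
 default-group-policy RemoteVPN

! --- Option 2 (instead of Option 1): full tunnel, Internet via the ASA ---
! "same-security-traffic permit intra-interface" alone is not enough: the
! client traffic enters and leaves on "outside", so it must also be PAT'd to
! the outside interface address on the way back out.
! same-security-traffic permit intra-interface
! nat (outside) 1 192.168.100.0 255.255.255.0
! global (outside) 1 interface
! group-policy RemoteVPN attributes
!  split-tunnel-policy tunnelall
```

After applying Option 1, reconnect the client and check `show vpn-sessiondb remote` on the ASA (the session should list the split-tunnel ACL) and `route print` on a Windows client: only the 192.168.x and 10.x routes should point at the VPN adapter, with the default route unchanged. Keep in mind the caveat raised above: with split tunneling the ASA no longer sees or filters the client's Internet traffic, which is why many organizations choose Option 2 despite the extra bandwidth.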
ASKER CERTIFIED SOLUTION
TechFlyer:

Got it.  Thanks!!