defining interesting vpn traffic

Last Modified: 2014-05-23
I need assistance with defining interesting VPN traffic. I am using an IPsec remote access VPN with an ASA 5510 and the Cisco VPN client. I have split tunneling configured to define interesting traffic as anything on the local subnet of the ASA. All non-interesting (aka internet) traffic gets routed through the ISP of the remote user.

However, I now have a new requirement where a specific 3rd-party website must also be considered interesting traffic and tunneled through the VPN. The 3rd-party website has IP address restrictions, and I need a way for my VPN users to access the website without tunneling everything across the VPN.

I would prefer not to use terminal services and not to set up static routes on the remote users, but I can't figure out a way to accomplish this via the ASA. If anyone has any suggestions on how this can be done on the ASA I would greatly appreciate it. Also, if it can't be done via the ASA, is a static route on the hosts my only option? Thank you.

CERTIFIED EXPERT

Commented:
You should have an access list that defines the split tunnel traffic.  Just add the website IP to that ACL.
Axis52401 (Security Analyst), Author
Commented:
Ok I'll try that and I'll let you know. Thanks.
Axis52401 (Security Analyst), Author
Commented:
I added the website IP to the ACL that controls the split tunneling but it's still not working. Any other thoughts?
CERTIFIED EXPERT

Commented:
You might have to reset the VPN system to get the change to take effect.

First, try clear crypto ipsec sa to clear all active connections.  If that doesn't work, try removing and re-adding the crypto map to the outside interface.
Axis52401 (Security Analyst), Author
Commented:
I cleared the active connections, removed the crypto map and added it back in. None of that worked. I even tried to tunnel all traffic, but that doesn't work either: I could still access network resources but not the web. I confirmed that I have a dynamic NAT entry for outgoing VPN connections, but the Internet still didn't work. I just don't get it. The split tunneling works for internal resources but still doesn't work for the external website. I really thought the tunnel-all option would solve it, but that didn't work either. At this point I would rather just tunnel everything and work on that instead of trying to tunnel this single external site. Unless you don't have anything else for me to try, I'll close this question and re-open it regarding tunneling everything and not being able to access the internet.
CERTIFIED EXPERT
Commented:
Axis52401 (Security Analyst), Author
Commented:
Thank you for the suggestion on hairpinning. I'll research that, but I am running 8.2.5. I have more RAM ordered, which is currently what is keeping me from upgrading to a newer version. Could we still implement a NAT rule for this version?
CERTIFIED EXPERT

Commented:
I've done it on 8.2 and older, as well as 8.4 and newer.  It's just a matter of implementing the right commands.

First, try adding this command:

same-security-traffic permit intra-interface
CERTIFIED EXPERT

Commented:
Also, can you post the configuration commands that start with "global" and "nat"?  Suitably edited to preserve security, of course.
Axis52401 (Security Analyst), Author
Commented:
Ok, so I got it to finally work. Taking your advice on the 'hairpinning', I started researching it, and that's when I noticed that I did not have any dynamic NAT policies for the outside interface. I use sub-interfaces exclusively for VLAN purposes. I did have dynamic NAT policies for my sub-interfaces to get to the public Internet, but that was it.

I needed the dynamic NAT rules for traffic that didn't originate behind the firewall, aka VPN traffic. I have always used split tunneling to force regular HTTP traffic out the local ISP and not tunnel it across the VPN, so that's probably why I never noticed this before.

So I then added a dynamic NAT on the outside interface for the range of IPs used on the VPN tunnel, and now it's working. The tunnel still only sends interesting traffic across the VPN, while regular HTTP traffic is not tunneled. I am awarding the points to asavener, as his recommendations led me toward the ultimate resolution.
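The pieces discussed across this thread (the split-tunnel ACL entry from the first answer, the same-security-traffic command, and the outside-interface dynamic NAT the author ended up adding) fit together as shown below. This is an added example in pre-8.3 ASA syntax, not the author's or asavener's posted configuration. Every address and name is a placeholder: 10.10.0.0/16 for the inside LAN, 192.168.250.0/24 for the VPN client pool, 203.0.113.10 for the third-party site, and RA_SPLIT_TUNNEL, RA_POLICY and NO_NAT for the ACL and policy names. ASA 8.3 and later replaced this NAT syntax with object NAT, so step 4 would need rewriting there.

```cisco
! Added example (not the thread's own config); all addresses and names are placeholders.
!
! 1. Split-tunnel ACL: only these destinations are "interesting" and go through the tunnel.
!    A standard ACL is used because split-tunnel-network-list matches on destination only.
!    The host entry is the new third-party site from the question.
access-list RA_SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0
access-list RA_SPLIT_TUNNEL standard permit host 203.0.113.10
!
! 2. Apply the list to the remote-access group policy.
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_SPLIT_TUNNEL
!
! 3. Let traffic that arrives on the outside interface (decrypted VPN traffic) leave through
!    that same interface ("hairpinning"). This is off by default and is a global setting.
same-security-traffic permit intra-interface
!
! 4. Pre-8.3 dynamic NAT. The inside LAN normally already has a rule; the piece the author
!    was missing is a rule for the VPN pool on the OUTSIDE interface, so hairpinned packets
!    leave with the ASA's public address rather than an unroutable pool address.
global (outside) 1 interface
nat (inside) 1 10.10.0.0 255.255.0.0
nat (outside) 1 192.168.250.0 255.255.255.0
!
! 5. Keep VPN-to-LAN traffic exempt from NAT so internal access continues to work.
access-list NO_NAT extended permit ip 10.10.0.0 255.255.0.0 192.168.250.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
! 6. Clients keep the old split list until they reconnect; force a reconnect, then verify.
clear crypto ipsec sa
show running-config group-policy RA_POLICY
show xlate | include 192.168.250.
```

Two checks worth making on a real box: confirm that the client's pushed split list (visible in the VPN client's statistics/route details after reconnecting) now contains the single host, so that only that destination is tunneled and the rest of the user's web traffic still exits locally; and note that the `nat (outside)` rule only translates sources inside the VPN pool, so it does not expose anything else, while `same-security-traffic permit intra-interface` applies to all interfaces and any `vpn-filter` on the group policy still governs what decrypted client traffic may reach.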