Axis52401 asked:

defining interesting vpn traffic

I need assistance with defining interesting VPN traffic. I am using an IPsec remote access VPN with an ASA 5510 and the Cisco VPN client. I have split tunneling configured to define interesting traffic as anything on the local subnet of the ASA. All non-interesting, aka Internet, traffic gets routed through the ISP of the remote user.

However, I now have a new requirement where a specific 3rd-party website must also be considered interesting traffic and tunneled through the VPN. The 3rd-party website has IP address restrictions, and I need a way for my VPN users to access the website without tunneling everything across the VPN.

I would prefer not to use terminal services and not to set up static routes on the remote users, but I can't figure out a way to accomplish this via the ASA. If anyone has any suggestions on how this can be done on the ASA, I would greatly appreciate it. Also, if it can't be done via the ASA, is a static route on the hosts my only option? Thank you.

asavener

You should have an access list that defines the split tunnel traffic.  Just add the website IP to that ACL.
Axis52401

ASKER
Ok I'll try that and I'll let you know. Thanks.
Axis52401

ASKER
I added the website IP to the ACL that controls the split tunneling but it's still not working. Any other thoughts?
asavener

You might have to reset the VPN system to get the change to take effect.

First, try clear crypto ipsec sa to clear all active connections.  If that doesn't work, try removing and re-adding the crypto map to the outside interface.
Axis52401

ASKER
I cleared the active connections, removed the crypto map and added it back in. None of that worked. I even tried to tunnel all traffic, but that doesn't work either. I could still access network resources but not the web. I confirmed that I have a dynamic NAT entry for outgoing VPN connections, but the Internet still didn't work. I just don't get it. The split tunneling works for internal resources but still doesn't work for the external website. I really thought the tunnel-all option would solve it, but that didn't work either. At this point I would rather just tunnel everything and work on that instead of trying to tunnel this single external site. Unless you have anything else for me to try, I'll close this question and re-open it regarding tunneling everything and not being able to access the Internet.
ASKER CERTIFIED SOLUTION
asavener

Axis52401

ASKER
Thank you for the suggestion on hairpinning. I'll research that, but I am running 8.2.5. I have more RAM ordered, which is currently what is keeping me from upgrading to a newer version. Could we still implement a NAT rule for this version?
asavener

I've done it on 8.2 and older, as well as 8.4 and newer.  It's just a matter of implementing the right commands.

First, try adding this command:

same-security-traffic permit intra-interface
asavener

Also, can you post the configuration commands that start with "global" and "nat"?  Suitably edited to preserve security, of course.
Axis52401

ASKER
Ok, so I got it to finally work. Taking your advice on the 'hairpinning', I started researching it, and that's when I noticed that I did not have any dynamic NAT policies for the outside interface. I use sub-interfaces exclusively for VLAN purposes. I did have dynamic NAT policies for my sub-interfaces to get to the public Internet, but that was it.

I needed the dynamic NAT rules for traffic that didn't originate behind the firewall, aka VPN traffic. I have always used split tunneling to force regular HTTP traffic out the local ISP and not tunnel it across the VPN, so that's probably why I never noticed this before.

So I then added a dynamic NAT on the outside interface for the range of IPs used on the VPN tunnel, and now it's working. The tunnel still only sends interesting traffic across the VPN while regular HTTP traffic is not tunneled. I am awarding the points to asavener as his recommendations led me toward the ultimate resolution.
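Putting the thread's resolution together (the split-tunnel ACL from asavener's first reply, the intra-interface permit, and the outside dynamic NAT the asker found missing) as an added example of the ASA 8.2-style configuration. This is not the accepted answer or the asker's own config; the inside subnet, VPN pool, website address, ACL and group-policy names are constructed placeholders.

```cisco
! Added example, not the asker's or the accepted answer's configuration.
! Assumed placeholder values:
!   inside LAN           10.1.1.0/24
!   VPN client pool      192.168.100.0/24
!   third-party website  203.0.113.10 (the site with the IP restriction)
!
! 1. Split-tunnel ACL: the LAN and the single external host are "interesting"
!    and go through the tunnel; everything else leaves via the remote user's ISP.
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit host 203.0.113.10
!
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! 2. Hairpinning: website traffic from a VPN client enters on the outside interface
!    and must leave on outside again, which the ASA refuses unless this is enabled.
same-security-traffic permit intra-interface
!
! 3. Dynamic PAT of the VPN pool on the outside interface (8.2 nat/global syntax).
!    Without it the hairpinned packets still carry the private pool address; with it
!    the website sees the ASA's public address, which is what its IP restriction
!    checks. This is the rule that was missing in the thread.
nat (outside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface
!
! 4. NAT exemption so VPN-to-LAN traffic stays untranslated (normally already present).
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

After applying this, clear the existing tunnels (clear crypto ipsec sa) and reconnect the client so the updated split-tunnel list is pushed to it; show xlate should then show a translation for the client's pool address once it opens the website.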