Axis52401 asked:
defining interesting vpn traffic

I need assistance with defining interesting vpn traffic. I am using an ipsec remote access vpn with an asa 5510 and the cisco vpn client. I have split tunneling configured to define interesting traffic as anything on the local subnet of the asa. All non-interesting aka internet traffic gets routed through the ISP of the remote user.

However, I now have a new requirement where a specific 3rd party website must also be considered interesting traffic and tunneled through the vpn. The 3rd party website has IP address restrictions and I need a way for my vpn users to access the website without tunneling everything across the vpn.

I would prefer to not use terminal services and to not set up static routes on the remote users, but I can't figure out a way to accomplish this via the asa. If anyone has any suggestions on how this can be done on the asa I would greatly appreciate it. Also, if it can't be done via the asa, is a static route on the hosts my only option? Thank you.
asavener:

You should have an access list that defines the split tunnel traffic. Just add the website IP to that ACL.
Axis52401:

Ok I'll try that and I'll let you know. Thanks.
I added the website IP to the ACL that controls the split tunneling but it's still not working. Any other thoughts?
You might have to reset the VPN system to get the change to take effect.

First, try clear crypto ipsec sa to clear all active connections.  If that doesn't work, try removing and re-adding the crypto map to the outside interface.
I cleared the active connections, removed the crypto map and added it back in. None of that worked. I even tried to tunnel all traffic, but that doesn't work either. I could still access network resources but not the web. I confirmed that I have a dynamic NAT entry for outgoing VPN connections, but the Internet still didn't work. I just don't get it. The split tunneling works for internal resources but still doesn't work for the external website. I really thought the tunnel all option would solve it, but that didn't work either. At this point I would rather just tunnel everything and work on that instead of trying to tunnel this single external site. Unless you have anything else for me to try, I'll close this question and re-open it regarding the tunnel everything and not being able to access the Internet.
Thank you for the suggestion on hairpinning. I'll research that, but I am running 8.2.5. I have more RAM ordered, which is currently what is keeping me from upgrading to a newer version. Could we still implement a NAT rule for this version?
I've done it on 8.2 and older, as well as 8.4 and newer. It's just a matter of implementing the right commands.

First, try adding this command:

same-security-traffic permit intra-interface
Also, can you post the configuration commands that start with "global" and "nat"?  Suitably edited to preserve security, of course.
Ok, so I got it to finally work. Taking your advice on the 'hairpinning', I started researching it and that's when I noticed that I did not have any dynamic NAT policies for the outside interface. I use sub-interfaces exclusively for VLAN purposes. I did have dynamic NAT policies for my sub-interfaces to get to the public Internet, but that was it.

I needed the dynamic NAT rules for traffic that didn't originate behind the firewall, aka VPN traffic. I have always used split tunneling to force regular http traffic out the local ISP and not tunnel it across the VPN. So that's probably why I never noticed this before.

So I then added a dynamic NAT on the outside interface for the range of IPs used on the VPN tunnel and now it's working. The tunnel still only sends interesting traffic across the VPN while regular http traffic is not tunneled. I am awarding the points to asavener as his recommendations led me toward the ultimate resolution.
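As an added example that is not part of the thread, here is an ASA 8.2-style configuration fragment pulling together the three changes the thread arrives at: the split-tunnel ACL entry for the website, intra-interface hairpinning, and dynamic NAT for the VPN pool on the outside interface. The ACL and group-policy names, the inside subnet 10.1.1.0/24, the VPN pool 192.168.100.0/24 and the website address 203.0.113.50 are assumed placeholders.

```cisco
! Added example, not from the thread: ASA 8.2-style config combining the
! three changes discussed above. ACL/group-policy names, inside subnet
! 10.1.1.0/24, VPN pool 192.168.100.0/24 and website 203.0.113.50 are
! assumed placeholders.

! 1. Split-tunnel list: the local subnet plus the single external host
!    that must be reached from the ASA's public address. Everything else
!    still leaves via the remote user's own ISP.
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 203.0.113.50 255.255.255.255

group-policy RA_VPN_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 2. Hairpinning: the client's packet to the website arrives encrypted on
!    'outside' and must leave 'outside' again in the clear. By default the
!    ASA drops traffic that enters and exits the same interface.
same-security-traffic permit intra-interface

! 3. Dynamic NAT for flows that originate on the VPN side (the pool), not
!    behind an inside sub-interface. This is the piece the thread found
!    missing; without it the pool addresses would be sent to the website
!    untranslated. Reuse an existing 'global (outside)' id if one exists.
global (outside) 1 interface
nat (outside) 1 192.168.100.0 255.255.255.0

! Optional tightening: VPN traffic bypasses the outside interface ACL
! (sysopt connection permit-vpn is on by default), so a vpn-filter limits
! what hairpinned clients may reach. Source is the remote client side;
! HTTPS on the website is assumed here.
access-list RA_VPN_FILTER extended permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list RA_VPN_FILTER extended permit tcp 192.168.100.0 255.255.255.0 host 203.0.113.50 eq 443
group-policy RA_VPN_POLICY attributes
 vpn-filter value RA_VPN_FILTER

! Verify: clients connected before the change keep their old split-tunnel
! list until they reconnect, so clear the SAs and check the translations.
! clear crypto ipsec sa
! show xlate
! show crypto ipsec sa
```

The third-party site sees the ASA's outside interface address, so that is the address it must allow; the clients' home ISP addresses never appear in the request.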