Cisco ASA Remote Access VPN and Internet access
Ahriakin
Member Posts: 1,799
Hi Folks,
Previously we were using a PIX for internet access and a VPN3K for remote access clients, with no split tunneling. Internet access while VPN'd in wasn't a problem. As part of a project to replace them both with an ASA I've recently started testing remote access VPNs on the ASA (Internet and Site-to-Site work perfectly). Clients can connect and access private resources no problem but cannot access the net at the same time. I have enabled inter- and intra-interface traffic (I believe that 7.0 and 7.1 only allowed this with IPsec traffic but 7.2 applied the rules to all traffic; we are running 7.2(3)), but no joy.
Besides moving to one integrated box I also tried something new in using a separate subnet for the VPN clients (they previously shared about 25 addresses from our main subnet range). After seeing a number of configs that have used subnets that have no physical interface on the PIX/ASA I decided to give that a go (if that's not clear, say I have 100.100.100.1 as the outside and 10.10.10.1/24 as the inside; I'm using 10.10.11.0/24 for the VPN pool with our routers sending all 10.10.11.0/24 traffic to 10.10.10.1/24), and as I said it works fine for private traffic.
I'm beginning to think NAT may be an issue. Since the VPN clients are on the Outside interface, that subnet is part of our NAT-0 rule for all VPN traffic. My access-list for NAT is specific though, in only specifying from private subnets to that range.
So, feel free to tell me I've done something stupid. It's not a killer to not have internet access; imho they shouldn't be using it when VPN'd in anyway, but I know there will be complaints from users well above my paygrade that may cause a few headaches I'd like to avoid (and no, I will never split-tunnel).
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
Comments
crazy_jay Member Posts: 7
Have you tried doing something like this? If your VPN pool is 10.10.11.0/24, then you need to include the following to allow internet traffic.
same-security-traffic permit intra-interface
nat (outside) 1 10.10.11.0 255.255.255.0
global (outside) 1 <external ip>
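Pulling crazy_jay's three lines together with the addresses given in the original post, here is an added example of the full pre-8.3 NAT and hairpin layout (assembled for this thread, not a config posted by either participant; the interface names, the pool name VPNPOOL and the ACL name NONAT are assumptions):

```cisco
! Addresses taken from the thread: outside 100.100.100.1, inside 10.10.10.1/24,
! remote-access pool 10.10.11.0/24 (no physical interface carries the pool).
! Interface names, the pool name VPNPOOL and the ACL name NONAT are assumed.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Decrypted client traffic enters on outside and, for Internet-bound flows,
! must leave on outside again; without this the ASA drops the hairpin.
same-security-traffic permit intra-interface
!
ip local pool VPNPOOL 10.10.11.1-10.10.11.254 mask 255.255.255.0
!
! NAT exemption is matched before any dynamic rule: traffic between the
! inside subnet and the VPN pool crosses untranslated in both directions.
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Inside hosts reach the Internet via PAT to the outside interface address.
! A global with id 1 on outside is defined once and serves every nat id 1.
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
!
! The fix from this thread: the pool terminates on outside, so Internet-bound
! client packets are translated as an outside source into that same global 1.
! Only flows that miss NONAT (not destined for 10.10.10.0/24) reach this rule.
nat (outside) 1 10.10.11.0 255.255.255.0
!
! Verification once a client is connected and browsing:
!   show xlate | include 10.10.11.           (PAT entries for the client address)
!   show running-config same-security-traffic
```

Because the clients stay fully tunneled, their Internet traffic now passes through the ASA's own policy rather than the user's local network, which is what refusing split tunneling buys you.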
Ahriakin Member Posts: 1,799
Hey, sorry for not replying earlier and this won't be much of a post either; had to sit the LPI-102 today and was tied up prepping (and tonight celebrating). Thanks for the response, I appreciate it and I'll give it a go this weekend if I can.
Cheers.
Ahriakin Member Posts: 1,799
Righty. Finally got around to testing it and since I'm writing this from inside the VPN tunnel all I can say is thanks crazy_jay. All my previous remote access VPN clients had been on concentrators which made it kinda easy. Site-to-Sites were no problem to move to the ASA since it was all 'real' subnets. I had the same traffic permitted previously, but while I figured it was translation related since it was a virtual subnet inside the ASA without any physical interface, I just couldn't work out which interface to base the translations on; it never even occurred to me to translate an outside-terminating VPN pool to an outside address. You learn something new every day.
Now I can turn off that VPN3K at work and add it to my Lab.
Thanks again.