Cisco ASA Remote Access VPN and Internet access

Hi Folks,
Previously we were using a PIX for internet access and a VPN3K for remote access clients, with no split tunneling. Internet access while VPN'd in wasn't a problem. As part of a project to replace them both with an ASA I've recently started testing remote access VPNs on the ASA (Internet and Site-to-Site work perfectly). Clients can connect and access private resources no problem but cannot access the net at the same time. I have enabled Inter and Intra interface traffic (I believe that 7.0 and 7.1 only allowed this with IPsec traffic but 7.2 applied the rules to all traffic; we are running 7.2(3)), but no joy.
Besides moving to one integrated box I also tried something new in using a separate subnet for the VPN clients (they previously shared about 25 addresses from our main subnet range). After seeing a number of configs that have used subnets that have no physical interface on the PIX/ASA I decided to give that a go (if that's not clear, say I have 100.100.100.1 as the outside and 10.10.10.1/24 as the inside; I'm using 10.10.11.0/24 for the VPN pool with our routers sending all 10.10.11.0/24 traffic to 10.10.10.1/24), and as I said it works fine for private traffic.
I'm beginning to think NAT may be an issue. Since the VPN clients are on the Outside interface, that subnet is part of our NAT-0 rule for all VPN traffic. My access-list for NAT is specific though, in only specifying from private subnets to that range.
So, feel free to tell me I've done something stupid. It's not a killer to not have internet access; imho they shouldn't be using it when VPN'd in anyway, but I know there will be complaints from users well above my paygrade that may cause a few headaches I'd like to avoid (and no, I will never split-tunnel).
Comments
same-security-traffic permit intra-interface
nat (outside) 1 10.10.11.0 255.255.255.0
global (outside) 1 <external ip>
Cheers.
Now I can turn off that VPN3K at work and add it to my Lab
Thanks again.
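The three lines in the reply fix two separate things: `same-security-traffic permit intra-interface` lets a packet that arrived on the outside interface (from a VPN client) leave through that same interface, and the `nat (outside)`/`global (outside)` pair gives the VPN pool a translation toward the Internet, which the original NAT-0 rule (private subnets to the pool only) never provided. The checker below is an added example, not code from the thread or from Cisco; it parses the relevant ASA 7.x-style lines from a constructed config that mirrors the original poster's addressing (outside 100.100.100.1, inside 10.10.10.0/24, pool 10.10.11.0/24, hypothetical object names like VPNPOOL and NONAT) and reports what is missing. It assumes a `global (outside) 1` already exists for the inside hosts and is reused for the pool, and it only understands network-form `nat` statements, not the `nat 0 access-list` exemption form.

```python
"""Check an ASA 7.x-style config for the two VPN hairpinning prerequisites.

Constructed example; the config text and object names below are made up
to match the thread's addressing, not taken from a real device.
"""
import ipaddress
import re

# Constructed config: the box as described in the original post (NAT-0 for
# inside<->pool only, no translation for the pool toward the Internet).
BEFORE = """
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.0
ip local pool VPNPOOL 10.10.11.1-10.10.11.254 mask 255.255.255.0
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 100.100.100.1
"""

# The same config with the reply's additions (the global already exists).
AFTER = BEFORE + """
same-security-traffic permit intra-interface
nat (outside) 1 10.10.11.0 255.255.255.0
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
POOL_RE = re.compile(rf"^ip local pool \S+ {IP}-{IP} mask {IP}$")
NAT_RE = re.compile(rf"^nat \((\S+)\) (\d+) {IP} {IP}$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
HAIRPIN = "same-security-traffic permit intra-interface"


def parse(config):
    """Pull out pools, network-form nat entries, global ids and the hairpin flag."""
    pools, nats, globals_, hairpin = [], [], set(), False
    for raw in config.splitlines():
        line = raw.strip()
        if line == HAIRPIN:
            hairpin = True
        if m := POOL_RE.match(line):
            # Pool start address + mask -> the subnet the clients live in.
            pools.append(ipaddress.ip_network(f"{m[1]}/{m[3]}", strict=False))
        if m := NAT_RE.match(line):
            nats.append((m[1], int(m[2]), ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)))
        if m := GLOBAL_RE.match(line):
            globals_.add((m[1], int(m[2])))
    return pools, nats, globals_, hairpin


def check_hairpin(config, vpn_iface="outside"):
    """Return findings; an empty list means VPN clients get a path to the Internet."""
    pools, nats, globals_, hairpin = parse(config)
    findings = []
    if not hairpin:
        findings.append(f"{HAIRPIN} missing: traffic entering and leaving "
                        f"{vpn_iface} is dropped")
    for pool in pools:
        # nat id 0 in network form is identity NAT and gives no public address,
        # so only real nat ids count as coverage.
        covering = [nid for iface, nid, net in nats
                    if iface == vpn_iface and nid != 0 and pool.subnet_of(net)]
        if not covering:
            findings.append(f"no nat ({vpn_iface}) entry covers pool {pool}; "
                            f"clients have no translation toward the Internet")
            continue
        if not any((vpn_iface, nid) in globals_ for nid in covering):
            findings.append(f"nat ({vpn_iface}) id {covering[0]} for pool {pool} "
                            f"has no matching global ({vpn_iface})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_hairpin(cfg) or ["ok"])
```

Running it prints two findings for the "before" config (no hairpin permit, no `nat (outside)` covering 10.10.11.0/24) and nothing for the "after" config. The same split-tunnel-free design still sends all client traffic through the ASA, so the outside ACL and any inspection policy apply to the VPN users' Internet traffic exactly as they do to inside hosts.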