
Allow connected VPN Clients to Access the Internet

Status
Not open for further replies.

spie34

IS-IT--Management
Jul 13, 2006
13
US
I am trying to find a way to allow clients that are outside our office to connect to our VPN, and then when that client needs to go back out to the Internet, they are routed out through our Internet rather than through where they are coming from.

So essentially all LAN/WAN traffic must go through the VPN, and not allow split tunneling.

The reason the company I work for needs this is because some of our employees work offsite and where they are working the business has things locked down pretty tight. Like smtp, http/s is about all that is open.

Right now an employee has to connect into our office using our webvpn client and then connect to a computer at the office and then use that computer to connect to a computer out somewhere else that they need to do something on.

Is there a way to do this?

ASA 5510 7.2

Is there anything that I am missing as far as info needed?
 
spie34;

I am also looking for this answer. I set up our VPN today and also need to be able to access the internet once connected to the VPN. If you find anything please post and I will do the same. I believe a batch may need to be set up with an add route command.

Will keep you posted

CA
 
More info required - I think most VPN setups do this by default; split tunnelling seems to be less common. What devices/systems/software establish & control the VPN?
 
Yes---any VPN should allow you to access the internet via the remote connection. Are they not able to for some reason? What kind of VPN and devices?

Burt
 
I should add---for example, when I connect to my home VPN from work, I RDC into one of my Windows boxes and can browse the internet, but it is kinda slow doing it that way.

Burt
 
spie34;

My bad, I did not see that you don't want to use split tunneling. There has got to be a way to lock down split tunneling security issues, but that is another thing to be worked on.

Thanks CA
 
Cisco won't allow encrypted VPN traffic that comes in from an outside interface to go back out that same interface.
You're SOL with that setup for what you want to do, unless someone can set me straight on the ASA vs. PIX.


--jeff
 
If the users are using shared keys, the VPN traffic gets decrypted at the remote site, so when it leaves again, it has been decrypted, as far as I know. That's how my VPN works, without split-tunneling. Like smah says and I said, we need more info.

Burt
 
The ASA 5510 controls the VPN. The security policies are set in there. We do use a Radius server for authentication, but that doesn't apply any of the routes or anything like that.

What type of information are you looking for? I can more than likely get it for you if I know what you need.

It sounds, though, like Cisco doesn't allow this to happen, yet I am sure I have read somewhere before that you are able to do this. Could be wrong, as I might be thinking of something along the lines of PoPToP or a sonic firewall.
 
Burt, just curious, do you connect to a Cisco VPN concentrator in the above reference? I ask because I can attest to the restriction I mentioned above with PIX setups, the traffic isn't de-encrypted unless it's queued to exit the inside interface. Cisco is pretty anal about this, at least on the PIX, but they may do that so people have to spend more money on a bigger box. That's why I asked for correction if this is not a problem on the ASA 5510.

That said, I have done as you say with other VPN concentrators, Netopia 9100 for sure, and IIRC Win2k R&RA, without problems. Just looking for clarification.

Best regards,

--jeff
 
As far as I know the VPN is set up on the outside interface of the ASA 5510. We have our secure routes defined for access internally. And there is split tunneling set up.

Wish I could find the article on Cisco that showed somewhat what I was wanting to do. VPN on a stick configuration. I did that but it did not work for me. :(
 
Ok, I stand corrected. The hairpin problem was fixed in Cisco security appliance version 7 (PIX/ASA). So disregard any statements as to "traffic not being able to leave the same interface it came in on". OP states ASA 5510 ver 7.2, so it is supported. Now to find the configuration problem.



--jeff
 
Wow! There are still lots of people like me still telling others (recently) the PIX/ASA won't hairpin.

This might do it for ya:

Code:
same-security-traffic permit intra-interface
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 1 192.168.x.0 255.255.x.x

The code is from the article below, which references this in the context of static NAT, but it seems you would just need to make sure your NAT rule includes the IPs assigned to remote VPN clients as well. Since they're not site-to-site, it probably does.


Nighty nite,


--jeff
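Pulling the pieces from this thread together, here is an added example of an ASA 7.2 configuration (not from the original posts or from a Cisco document) that hairpins remote-access VPN client traffic back out the outside interface with split tunneling disabled. The pool name, group-policy name, inside subnet, VPN pool and ISP gateway address are assumed values; replace them with your own.

```cisco
! Let traffic enter and leave the same interface (hairpinning, ASA/PIX 7.x+)
same-security-traffic permit intra-interface

! Address pool handed out to remote-access VPN clients (assumed range)
ip local pool VPN_POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0

! Force every client route through the tunnel: no split tunneling
group-policy REMOTE_GP internal
group-policy REMOTE_GP attributes
 split-tunnel-policy tunnelall
 address-pools value VPN_POOL

! Do not NAT inside <-> VPN client traffic (assumed inside subnet 192.168.1.0/24)
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! PAT the VPN pool behind the outside interface address when clients go to the Internet.
! Hairpinned client traffic is sourced from the outside interface, so the rule is nat (outside).
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 10.10.10.0 255.255.255.0

! Default route to the ISP gateway (assumed address)
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

After applying this, `show xlate` should show translations whose source is a VPN pool address when a connected client browses the Internet; if none appear, the `nat (outside)` entry or the pool range is the first thing to check.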
 
I know this splits the tunnel but just in case some of you can:

When using WinXP - open vpn - properties - networking - ip - advanced - general - untick use default gateway on remote.

Iain
 
spie34, did you fix this issue? Was it a routing problem?

route outside 0.0.0.0 0.0.0.0 <isp gw>
 