Question

Internet access through VPN on ASA 5510?

By badp81
I'm trying to do something that seems simple, but I'm finding it a little more tricky than I thought it would be. My company has an ASA 5510 configured for use with the cisco VPN client. Logging into the VPN and accessing network resources works great.

But I want it so that when a user is connected via the VPN, both VPN AND Internet traffic is routed through the VPN. I do not want Internet traffic to go out the user's home Internet connection; it has to go out the VPN network and then out the Internet connection at the office.

I've played around with the split tunneling and tried it both ways. If split tunneling is disabled, the user is locked out of Internet access completely. If it's enabled, Internet through the user's home connection is wide open. What simple thing am I missing?

Thanks in advance!

6 total posts (Page 1 of 1)  
All Answers

Default gateway is on remote network

by robo_dev In reply to Internet access through V ...

Typically in the VPN client there is a setting to allow the default gateway to be on the VPN's network; otherwise the Internet is too many hops away. The PC thinks the default gateway is the VPN interface, but that's not quite correct from an 'Internet access' perspective.

VPN Client Doesn't Offer This

by badp81 In reply to Default gateway is on rem ...

Unfortunately Cisco's VPN client doesn't offer such a feature. Even with split tunneling disabled, Internet traffic is not even leaving the tunnel.

Not routing VPN subnetwork

by SYNner In reply to Internet access through V ...

A couple things to try:

1. Make sure you are routing the VPN subnetwork through your network to your egress point.

2. Make sure the VPN subnetwork is NATted (if you require NATting) at the outside.

3. Make sure your ACLs allow the VPN subnetwork through the egress.

Put a sniffer at your egress point to see if traffic is making it that far.

Traffic not ever entering tunnel

by badp81 In reply to Not routing VPN subnetwor ...

No traffic is making it past the Cisco VPN's virtual adapter. What the client appears to be doing is setting itself as the default gateway, then dropping any traffic not destined for a connected interface (local network or VPN).

I have tried NATting the VPN network to the outside. No dice there. Opened up ACLs, still nothing. As far as routing the VPN subnet through the network to my egress point, can you elaborate more on that? The ASA installs a static route whenever a VPN client is connected. The route looks something like this: 10.100.0.1 255.255.255.255 via [ISP's gateway IP], outside.

Problem Solved!

by badp81 In reply to Internet access through V ...

Here is what I ended up adding to my config to get it working:

! Hairpin (u-turn) NAT: VPN pool traffic arriving on the outside interface is
! translated to the outside interface address before going back out to the Internet.
! This assumes "same-security-traffic permit intra-interface" is already configured,
! which the ASA requires before it will forward traffic back out the interface it came in on.
access-list outside_nat extended permit ip [vpn client network] 255.255.255.0 any
global (outside) 1 interface
nat (outside) 1 access-list outside_nat
! Default group policy: give clients a DNS server reachable through the tunnel
group-policy DfltGrpPolicy attributes
dns-server value [dns server]
nem enable
! VPN group policy: no split tunneling, so all client traffic (Internet included) enters the tunnel
group-policy VPN attributes
split-tunnel-policy tunnelall
split-tunnel-network-list none
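As an added illustration (not code from the thread or from Cisco), the following Python check parses an ASA config fragment and flags any group policy that forces all client traffic into the tunnel but lacks the hairpin pieces the fix above relies on: intra-interface forwarding on the outside interface and an outside-to-outside NAT for the VPN pool. The sample config is constructed; its addresses are made up, and the `DfltGrpPolicy` inheritance and `tunnelall` default reflect ASA behaviour.

```python
import re

# Constructed sample modelled on the thread's fix; addresses are made up, not from the page.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
access-list outside_nat extended permit ip 10.100.0.0 255.255.255.0 any
global (outside) 1 interface
nat (outside) 1 access-list outside_nat
group-policy DfltGrpPolicy attributes
 dns-server value 10.0.0.53
group-policy VPN attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
"""
# Attribute keywords that may appear unindented when a config is pasted, as in the thread.
POLICY_ATTRS = {"split-tunnel-policy", "split-tunnel-network-list", "dns-server", "nem"}

def parse_group_policies(config):
    """Map each group-policy name to its attributes ({keyword: rest-of-line})."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes", line)
        if m:
            current = m.group(1)
            policies.setdefault(current, {})
            continue
        parts = line.split()
        if current and parts and (line.startswith(" ") or parts[0] in POLICY_ATTRS):
            policies[current][parts[0]] = " ".join(parts[1:])
        else:
            current = None  # any other top-level command ends the attribute block
    return policies

def check_full_tunnel(config):
    """Return {policy: [problems]} for each policy that forces all client traffic into the tunnel."""
    lines = [l.strip() for l in config.splitlines()]
    # A full-tunnel client reaches the Internet by re-entering and leaving the outside
    # interface, so the ASA must allow intra-interface traffic and NAT the pool out of it.
    hairpin = "same-security-traffic permit intra-interface" in lines
    has_nat = any(re.match(r"nat \(outside\) \d+ access-list \S+", l) for l in lines)
    has_global = any(re.match(r"global \(outside\) \d+ interface", l) for l in lines)
    policies = parse_group_policies(config)
    # An unset split-tunnel-policy inherits from DfltGrpPolicy, whose own default is tunnelall.
    default = policies.get("DfltGrpPolicy", {}).get("split-tunnel-policy", "tunnelall")
    checks = [(hairpin, "missing same-security-traffic permit intra-interface"),
              (has_nat and has_global, "no outside-to-outside NAT for the VPN pool")]
    return {name: [msg for ok, msg in checks if not ok]
            for name, attrs in policies.items()
            if attrs.get("split-tunnel-policy", default) == "tunnelall"}
```

Run it against `show running-config` output saved to a file; an empty problem list for a policy means the full-tunnel path is in place, while a non-empty one names what is missing.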
