
21 Nov 12 Internet traffic and Cisco AnyConnect

Routing Internet traffic when using Cisco AnyConnect – Cisco ASA 5520 Code 8.4

Previously I worked on the Cisco AnyConnect VPN configuration on a Cisco ASA 5520 running 8.4 code. With that in place everything was working: users could reach all the internal resources, but they could not reach the Internet while connected. The next step was to give them Internet access, and there are two ways of doing this:

  • Split tunneling
  • Tunnel All Traffic

With split tunneling, users can reach the Internet while connected to the AnyConnect VPN, but that traffic leaves through their local Internet connection: it bypasses the corporate firewall, proxy and logging, and the client machine sits on the Internet and on the corporate network at the same time, which is why split tunneling is generally considered less secure. So I decided to send their Internet traffic through the AnyConnect VPN as well, so that when they go out to the Internet they go out via the corporate connection. Here are quick examples of both:

Split Tunneling

If you want split tunneling, look at the screenshot below. Under the Group Policy go to “Advanced –> Split Tunneling”, set the Policy to “Tunnel Network List Below”, and under Network List select the access list that defines the networks to be tunneled. The access list will look something like this:

“access-list ACL-NAME extended permit ip object-group INSIDE-NETWORK object-group REMOTE-VPN-NETWORK”.

In an extended split-tunnel ACL the source side is the internal network(s) that should go through the tunnel and the destination side is the VPN client pool; a standard ACL that simply lists the internal networks also works. Only the networks this list permits are routed into the tunnel, everything else leaves through the user's local connection, so review it with the same care as any firewall rule.

(Screenshot: Split Tunnel group policy, Cisco ASA 5520)

Here is how the same group policy looks from the command line (timeouts are in minutes):
group-policy SPLIT-TUNNEL internal
group-policy SPLIT-TUNNEL attributes
 banner value You are accessing a secure system, all activity will be logged.
 wins-server value 192.168.0.2 192.168.0.13
 dns-server value 192.168.0.2 192.168.0.12
 vpn-simultaneous-logins 10
 vpn-idle-timeout 240
 vpn-session-timeout 1440
 vpn-tunnel-protocol ikev2
 ! only traffic to the networks permitted by SPLIT-TUNNEL-ACL goes through the tunnel
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL
 default-domain value XXXX.COM
 ! force all DNS queries through the tunnel even though other traffic is split
 split-tunnel-all-dns enable

Tunnel All

With this method all traffic, including Internet traffic, traverses the Cisco AnyConnect VPN and uses the corporate Internet connection to go online, so it is subject to the same firewall, proxy and logging as traffic from inside the office. The group policy looks like this:
(Screenshot: Tunnel All group policy, Cisco ASA 5520)

Here is how it looks from the command line:
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 wins-server none
 dns-server value 192.168.0.2 192.168.0.12
 ! allow both IKEv2 and SSL AnyConnect clients
 vpn-tunnel-protocol ikev2 ssl-client
 ! no network list: everything, Internet included, goes through the tunnel
 split-tunnel-policy tunnelall
 default-domain value xxx.com

There is one more step I performed so that outgoing traffic from all the remote users uses a different public IP address than the one defined on the outside interface. The key point with Tunnel All is that Internet-bound VPN traffic has to make a “U” turn, i.e. go back out of the same interface it came in on, and the ASA drops that by default. The command that permits the U-turn is the intra-interface one; inter-interface allows traffic between two different interfaces of the same security level and is not what the hairpin needs, although it does no harm here:

! allow traffic between two interfaces of the same security level (not needed for the U-turn)
same-security-traffic permit inter-interface
! allow traffic to enter and leave the same interface (required for Tunnel All)
same-security-traffic permit intra-interface

Now for NATing to a different public IP, here is what I did:

! the AnyConnect address pool
object network AnyConnect
 subnet 172.16.0.128 255.255.255.128
 ! dynamic PAT: traffic from the pool that arrives on outside is sent back out of outside behind x.x.x.x
 nat (outside,outside) dynamic x.x.x.x

This takes the AnyConnect pool and PATs it back out of the outside interface behind a different public IP, so Internet sites see the remote users coming from x.x.x.x rather than from the outside interface address. To check it, watch the translate_hits counter for this rule in “show nat” while a client browses, and have a connected client visit a what-is-my-IP site: it should report x.x.x.x.
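The split-tunneling and Tunnel All sections above each come with a prerequisite that is easy to forget: a network list for the first, and the intra-interface permit plus the (outside,outside) NAT rule for the second. The script below is an added example written for this post; it is not the author's script and not anything Cisco provides. It parses ASA 8.4-style configuration text (a saved “show running-config”), reports which split-tunnel mode each group policy uses, and flags a Tunnel All policy whose hairpin prerequisites are missing. The embedded SAMPLE_CONFIG is constructed from the snippets in this post; the public address 203.0.113.10 and the contents of SPLIT-TUNNEL-ACL are assumptions.

```python
"""Audit ASA 8.4-style config text for AnyConnect split-tunnel vs tunnel-all
settings and for the two things tunnel-all depends on: the intra-interface
"U-turn" permit and a nat (outside,outside) rule for the VPN pool.

Added example for this post; not the post author's script and not Cisco code.
SAMPLE_CONFIG is constructed from the post's snippets; 203.0.113.10 and the
contents of SPLIT-TUNNEL-ACL are assumptions.
"""
import re

SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
object network AnyConnect
 subnet 172.16.0.128 255.255.255.128
 nat (outside,outside) dynamic 203.0.113.10
access-list SPLIT-TUNNEL-ACL standard permit 192.168.0.0 255.255.255.0
group-policy SPLIT-TUNNEL internal
group-policy SPLIT-TUNNEL attributes
 dns-server value 192.168.0.2 192.168.0.12
 vpn-tunnel-protocol ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL
 split-tunnel-all-dns enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 dns-server value 192.168.0.2 192.168.0.12
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelall
"""


def parse_blocks(config):
    """Group config into (top-level command, [indented sub-commands]) pairs.

    The ASA prints sub-commands indented by one space under their parent,
    which is enough structure to recover group-policy and object blocks.
    """
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or comment
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            blocks.append((raw.strip(), []))
    return blocks


def group_policies(config):
    """Map each 'group-policy NAME attributes' block to {keyword: rest of line}."""
    policies = {}
    for head, body in parse_blocks(config):
        m = re.fullmatch(r"group-policy (\S+) attributes", head)
        if m:
            policies[m.group(1)] = dict(line.partition(" ")[::2] for line in body)
    return policies


def hairpin_permitted(config):
    """True if traffic may leave through the interface it arrived on."""
    return any(head == "same-security-traffic permit intra-interface"
               for head, _ in parse_blocks(config))


def outside_to_outside_nat(config):
    """Names of network objects carrying a nat (outside,outside) rule."""
    names = []
    for head, body in parse_blocks(config):
        m = re.fullmatch(r"object network (\S+)", head)
        if m and any(line.startswith("nat (outside,outside) ") for line in body):
            names.append(m.group(1))
    return names


def audit(config):
    """Return one finding per group-policy: its split-tunnel mode and any issues."""
    hairpin = hairpin_permitted(config)
    nat_objects = outside_to_outside_nat(config)
    findings = []
    for name, attrs in group_policies(config).items():
        # When the attribute is absent the ASA default is tunnelall.
        mode = attrs.get("split-tunnel-policy", "tunnelall")
        acl = attrs.get("split-tunnel-network-list", "").replace("value ", "", 1)
        issues = []
        if mode in ("tunnelspecified", "tunnelexcludespecified"):
            if not acl:
                issues.append("split tunneling without a split-tunnel-network-list")
            issues.append("split tunnel: Internet-bound traffic leaves via the "
                          "client's own connection and is not seen by the ASA")
            if attrs.get("split-tunnel-all-dns") != "enable":
                issues.append("split-tunnel-all-dns is not enabled, so DNS queries "
                              "are not forced through the tunnel")
        elif mode == "tunnelall":
            if not hairpin:
                issues.append("tunnelall without "
                              "'same-security-traffic permit intra-interface'")
            if not nat_objects:
                issues.append("tunnelall without a nat (outside,outside) rule "
                              "for the VPN pool")
        findings.append({"policy": name, "mode": mode,
                         "network_list": acl, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f["policy"], f["mode"], f["network_list"] or "-")
        for issue in f["issues"]:
            print("   ", issue)
```

Run it against a saved running-config after changing a group policy, or in the pre-change review: a Tunnel All policy with no hairpin permit or no (outside,outside) rule is exactly the state in which users connect fine but get no Internet. The split-tunnel finding is informational, a reminder that whatever the network list leaves out is traffic the ASA will never see.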

