Cisco ASA Config - Question

Jay_2

I have been asked to set up a VPN-on-a-stick setup so that people on the move can use the encryption of our SSL VPN for web browsing etc. using AnyConnect.

This works fine, whatsmyip shows the external IP of the office when connected to the VPN and all traffic is pushed down the pipe. The only issue is when connected I have no access to local resources such as IP printers etc.

Has anyone ever done this on a 5505?

Thanks
 
That's how I had mine. You create a regular SSL VPN. So my internal network is 192.168.1.0 /24 and the VPN clients get 192.168.10.0 /24. I then can choose to route all traffic back, or just 192.168.1.0 and 10.0 traffic back. I can connect to local resources just fine. It's a lot easier if you have a proper DNS server in your internal network though. You can then use the computers names instead of just IPs. You can use WINS, but yeah, WINS isn't nearly as good as a DNS server. I can get you a sh run later if you want. I didn't do anything fancy.
 
From my understanding you can't have it both ways: either you route all your traffic over the VPN, or you allow split tunneling for local resources, which will not route all traffic over the VPN; only traffic for your subnet behind the corp firewall will be routed.
 
I think I have this sorted.

I added an access-list for Local_LAN with permit host 0.0.0.0

Then created a split-tunnel-policy in the Group Policy

Then setup the split tunnel access list (split-tunnel-network-list value Local_LAN)

That then adds any local LAN IPs to the Non-Secured Routes but leaves 0.0.0.0 0.0.0.0 in the secured routes. Giving local access to IPs while also giving encrypted access to the internet

What a pain!
 
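The steps in the post above (an ACL matching host 0.0.0.0, a split-tunnel policy in the group policy, and the ACL attached as the split-tunnel network list) amount to the ASA "local LAN access" pattern: the policy is exclude-specified, so everything stays tunneled except what the ACL names, and the host-0.0.0.0 entry is the ASA's special value meaning "the client's directly connected subnet". The config below is an added example written for this thread, not the poster's running config; the ACL name, the group policy name VPN_GP and the profile path are assumptions.

```cisco
! --- Added example: full tunnel plus local LAN access on an ASA 5505 ---
! Standard ACL listing what is EXCLUDED from the tunnel. "host 0.0.0.0" is not a
! real host; the ASA treats it as "the subnet the client is physically on", so the
! client's IP printer / NAS at home stay reachable while 0.0.0.0/0 stays tunneled.
access-list Local_LAN_Access remark AnyConnect local LAN access
access-list Local_LAN_Access standard permit host 0.0.0.0

! Exclude-specified split tunneling: the default route goes through the tunnel,
! only the ACL above is carried as "Non-Secured Routes" on the client.
group-policy VPN_GP attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access

! Client side: the user must also tick "Allow local (LAN) access when using VPN
! (if configured)" in AnyConnect preferences, or the exclusion is ignored. That
! checkbox is driven by the LocalLanAccess element of the AnyConnect client profile
! (profile filename below is assumed):
!   <ClientInitialization>
!     <LocalLanAccess UserControllable="true">true</LocalLanAccess>
!   </ClientInitialization>

! Verification after connecting:
!   ASA:    show vpn-sessiondb detail anyconnect        (shows the group policy applied)
!   Client: Details > Route Details should list 0.0.0.0/0 under Secured Routes and the
!           local subnet under Non-Secured Routes, as the post describes.
```

Two caveats a practitioner should weigh. First, the exclusion is exactly as wide as the client's local subnet, so on a hostile network (hotel or coffee-shop Wi-Fi) those hosts can now talk to the client unencrypted; this is the one hole in the "everything goes down the pipe" guarantee the setup was built for, and the client firewall should treat that subnet as untrusted. Second, for the tunneled internet traffic to leave the ASA on the same interface it arrived on (which the original post says already works), `same-security-traffic permit intra-interface` and a NAT rule for the VPN pool on the outside interface are still required; their exact syntax depends on whether the ASA runs pre- or post-8.3 code.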
Yes, that's true, but the VPN will only allow tunneled internet; there is no access to internal resources via this VPN.
 