It has been a while since I have entered anything on my blog. But a few days ago I came across a very interesting situation that is not common but it is counter-intuitive. It has to do with the way the Cisco ASA treats NAT in a very particular situation.
An ASA was configured to have split tunneling disabled for clients using the Any Connect Cisco client. The ASA we are using has several IPSEC tunnels to remote sites. As soon as the clients connected they did not have access to either the Internet or the remote sites. They can access the Internal LAN though.
The reason of course as you may have guessed it has to do with how to configure NAT.
So here we go.
As figure 1 shows, the network layout is straight forward. Internal clients on 192.168.1.0/24 can access the Internet through the ASA as the ASA is the default gateway for the LAN. We would like Any Connect clients to VPN onto the ASA and not use split tunneling and thus traverse the tunnel to access the Internet.
A VPN tunnel for remote clients can have two ways of accessing resources.
- Use Split Tunneling: In this mode, the VPN client will access internal resources but will browse the Internet using the Internet connection of the VPN client.
- Disable Split Tunneling: In this mode VPN clients not only access internal resources but also access the Internet using the LAN gateway, in this case, they will use the ASA as their default gateway.
I will not go into the merits of one approach over the other one, but in this case, we are forced to disable split tunneling. Why? We may have users that need to access 3rd party applications but the 3rd party vendors will only allow certain networks to connect, this for security reasons.
- I assume you have an ASA configured and are familiar with the ASA.
- I will not show how to configure the ASA for the Any Connect clients.
- I will not show how to configure split tunneling using LDAP groups.
- I will also assume you are using an ASA with an OS version 8.4 or higher.
After configuring Any Connect on the ASA and doing the necessary NAT statements you want to disable split tunneling.
With split-tunnel enabled, VPN clients can connect to internal resources, connect to remote IPSEC sites and also browse the Internet.
As soon as you disable split tunneling the VPN clients can connect, access the LAN but cannot access IPSEC remote sites nor can they browse the Internet.
So what is going on?
Well if you think about NAT for a second it may come to you. Remember that the ASA underneath is basically a router on steroids that runs processes that allows you to firewall devices using ACLs (access control lists) among other things but a router nonetheless.
In this case, you need to ask yourself what interface are the VPN clients using when connecting to the ASA?
They will use the outside interface. They can access internal resources because you added a NAT statement exempting internal clients on the network that the VPN clients resided. That is the standard NAT statement you will need if you have split-tunnel enabled.
The problem here is that when trying to access remote sites or the Internet they will enter via the outside interface turn around and exit via the outside interface.
So if you look at your NAT statements you probably have something like this:
nat (inside,outside) source dynamic internal-net interface
The command above allows internal networks to access the Internet and appear to come from the external interface of the AS and thus routable.
You need to add the following 2 statements to the statement above:
nat (outside,outside) source static net-vpn-client net-vpn-client destination static Remote-Sites Remote-Sites route-lookup nat (inside,outside) source dynamic internal-net interface nat (outside,outside) source dynamic net-vpn-client interface
Where net-vpn-client is a network object that contains the network used by the Any Connect clients and Remote-Sites is a network object that contains the networks used by your remote sites via IPSEC tunnels.
The first command tells the ASA to exempt traffic from the VPN clients to those on the remote sites.
The last command tells the ASA to NAT/PAT the VPN clients when accessing the Internet using the IP of the outside interface.
The key here is that the NAT is being done from outside to outside, that is not normally the way you would think about applying NAT but the ASA is a router first and most and needs to know what interface to apply the rules first before it can pass traffic.
So there you have it. Fairly simple is it not?