Allow VPN Clients Internet Access without Split Tunneling

Allow VPN Clients Internet Access without Split Tunneling

This quck question and answer comes from a recent forum thread at networking-forum.com.  I especially like how texanmutt tried sending traffic to the proxy server.  This very clearly illustrates the idea of same-security-traffic permit intra-interface.

Question: I have setup remote access VPN on an ASA 5505. The remote access works good, but when I try to browse web pages with the remote client, it times out. But if I map the remote client web browser to the proxy server behind the ASA, it works just fine. I am guessing this might be some kind NAT issue.

Read on for the answer.

Answer: It’s a NAT issue and an ASA behavior issue. The success with the proxy makes sense, too.

By default, the ASA does not allow traffic to enter and exit the same interface of the security appliance. Since the clients are on the outside and the Internet is on the outside, client traffic is not allowed to flow that way by default. When you send the client traffic to the proxy first, the source of the traffic is changed to the proxy and now the flow is allowed from inside to outside.

You can change this behavior with the same-security-traffic command:

same-security-traffic permit intra-interface

Once you’ve allowed traffic to flow in and out of the same interface, you still need to NAT the traffic of your VPN clients just like you do your internal clients. Don’t forget that they are coming from the outside:

global (outside) 1 interface
nat (outside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0