Sometimes it is required that remote access VPN users connect to the Internet through the organization’s Internet access. This could be because of some company policy that requires user access to the Internet to flow through the company’s firewall for protection or filtering. Therefore, in this article, we will discuss how this can be configured on a Cisco ASA.

The diagram below illustrates what we want to achieve:

When the remote user connects to the ASA via the VPN client, the user should be able to connect to the LAN and also browse the Internet using the Internet access of the ASA. The GNS3 setup is as shown below:

The way I have set up the ASA to connect to the Internet is as follows: I shared my Wi-Fi connection (which gives me Internet access) with my VirtualBox network adapter (any free “connected” adapter will do). This formed a network of 192.168.137.0/24 (which can be changed) and the VirtualBox network adapter on my PC has an IP address of 192.168.137.1. I then added a cloud in GNS3 using the VirtualBox network adapter and formed a network between the cloud and the ASA using a switch (you cannot connect the ASA and a cloud directly). Therefore, to give the ASA Internet access, I just have to configure a default route of 192.168.137.1 on the ASA.

Note: The reason I had to go through this “long” process is because, when using a Wi-Fi connection, your GNS3 devices cannot connect to the wireless router/AP. If I was using a LAN connection for the Internet, then I wouldn’t have had to go through this stress.

Now let’s configure the basic remote access VPN on the Cisco ASA that allows VPN clients to connect and assigns IP addresses to them from a local IP address pool. Keep in mind that, since we want Internet traffic from the VPN client to flow through the VPN tunnel, we will not configure a split tunnel ACL.

hostname VPN-ASA
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.168.137.100 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.1.1.100 255.255.255.0
!
object network LAN-USERS
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
ip local pool VPNPOOL 10.2.2.1-10.2.2.10 mask 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.137.1
!
username vpnuser password vpnuser
!
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ikev1 enable outside
!
crypto ipsec ikev1 transform-set MYSET esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 1 set ikev1 transform-set MYSET
crypto dynamic-map DYNMAP 1 set reverse-route
crypto map CRYPMAP 1 ipsec-isakmp dynamic DYNMAP
crypto map CRYPMAP interface outside
!
group-policy VPNPOLICY internal
group-policy VPNPOLICY attributes
 dns-server value 8.8.8.8
 split-tunnel-policy tunnelall
!
tunnel-group EXAMPLE-VPN type remote-access
tunnel-group EXAMPLE-VPN general-attributes
 address-pool VPNPOOL
 default-group-policy VPNPOLICY
tunnel-group EXAMPLE-VPN ipsec-attributes
 ikev1 pre-shared-key cisco
!
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
service-policy global_policy global

I want to point out a couple of things in the configuration above. Notice that I configured a network object of “LAN-USERS,” which has a dynamic PAT configuration. This allows the LAN users to connect to the Internet.

Secondly, I configured a group policy called “VPNPOLICY,” where I specified the DNS server to be used by remote access VPN users and also specified that all traffic should be tunneled.

Finally, I added ICMP inspection to the default MPF policy configuration on the ASA. This allows ICMP traffic to be inspected by the ASA so that I don’t have to explicitly allow ICMP in an access list applied on the ASA. This is just for testing purposes.

Hint: The Cisco ASA in GNS3 does not come with the default policy configuration on Cisco ASAs. You can copy this default configuration from here. In case you don’t have access to the Internet and you want this default configuration, change the firewall to multiple context mode, reload, change it back to single context mode, reload, and then you will have the default policy configuration :D.

Now, let’s connect from the VPN client to the ASA. The VPN client I will be using is installed on a Windows XP VM that is also connected on the 192.168.137.0/24 network. Of course, in a real scenario, the user will be somewhere on the Internet.

Before I connect, I want to show you that the user has Internet connection.

In the Cisco VPN client, I have set up the VPN connection as follows:

After I connect to the VPN tunnel, I am assigned an IP address from the IP local pool that we configured on the ASA. You will also notice the DNS server (8.8.8.8) that we configured being assigned to that Cisco Systems VPN adapter:

If we check the route details on the VPN client, we see that all traffic is being sent through the VPN tunnel:

All this is basic remote access VPN configuration. Now let’s confirm our requirements. First, let’s see if we can ping an IP address on the LAN (10.1.1.1) from the VPN client.

The ping is unsuccessful. If you enabled logging on the ASA while pinging, you will see a message such as the one below:

In this case, the message tells us that the forward traffic (10.2.2.1 -> 10.1.1.1) did not match any NAT rule, but the reverse traffic (10.1.1.1 -> 10.2.2.1) did match a NAT rule.

Hint: The reverse traffic matches the NAT rule we configured for LAN users to access the Internet.

To resolve this problem, we need to configure identity NAT between the LAN network and the VPN pool as follows:

object network LAN-USERS
 subnet 10.1.1.0 255.255.255.0
object network VPN-POOL
 subnet 10.2.2.0 255.255.255.240
!
nat (inside,outside) source static LAN-USERS LAN-USERS destination static VPN-POOL VPN-POOL

Note: If you try to create a network object using the range option with the same range as an IP local pool, you may get the following error: “Addresses overlap with existing localpool range.” This is a bug in ASA versions prior to 8.4(3). If you cannot upgrade your ASA version, then use the subnet option like I did above, although you may end up adding more IP addresses than you have in your IP local pool. There are other workarounds, but I’m not bothered about that in this lab scenario.

Now if we ping again, the ping is successful:

This brings us to the second requirement of Internet access for VPN users. By default, the VPN client will not be able to access the Internet.

There are two things we need to do to get this working. First, we need to configure NAT for the VPN pool to be able to access the Internet, just the way we did for the LAN users. Secondly, we need to enable U-turn traffic, because the VPN tunnel is terminated on the outside interface, which is also the same interface that connects to the Internet. This means that traffic from the VPN tunnel will need to go back out the same interface on which it was received.

The configuration to achieve Internet access for the VPN users is as follows:

object network VPN-POOL
 nat (outside,outside) dynamic interface
!
same-security-traffic permit intra-interface

Notice that the NAT configuration specifies “outside” as the source interface. One might assume that, since the users arrive over a VPN tunnel, they are placed on the “inside” interface, but this is not the case: their traffic is decrypted on the interface where the tunnel terminates, which is the outside interface, so that is the interface the ASA sees their packets arriving on.

If we test our Google ping again, it goes through:

I can also open a web browser and go to google.com and then confirm that the traffic is indeed going through the ASA. I do this by issuing the show conn command and filtering the output to see just Google’s IP address.

Summary

To summarize this article on allowing VPN users to connect to the internal network behind the Cisco ASA and also access the Internet via a VPN tunnel, you need to do the following:

  1. Configure Identity NAT for the internal network and VPN pool so that VPN users can communicate with the internal network.
  2. Configure NAT (probably dynamic NAT/PAT) for the VPN pool so that VPN users can connect to the Internet.
  3. Enable U-turn traffic (or hairpin) if the VPN tunnel is terminated on the same interface through which the ASA is connected to the Internet.
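As an added example (not from the article and not Cisco code), the following Python model walks the lab’s flows through a simplified version of the ASA’s NAT lookup and reverse-path check, reproducing the asymmetric-NAT drop from the article and showing how each of the three summary steps changes the verdict. Interface names and addresses are the lab’s; the rule and route model is a simplification written for this example.

```python
import ipaddress
from dataclasses import dataclass

# Lab addressing from the article; the evaluation logic below is a simplified model.
LAN = ipaddress.ip_network("10.1.1.0/24")
VPN_POOL = ipaddress.ip_network("10.2.2.0/28")  # object VPN-POOL (covers the pool)
ANY = ipaddress.ip_network("0.0.0.0/0")
# Routing: connected LAN, reverse-route for the pool (set reverse-route), default route.
ROUTES = [(LAN, "inside"), (VPN_POOL, "outside"), (ANY, "outside")]

@dataclass(frozen=True)
class NatRule:
    name: str
    src_if: str
    dst_if: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network  # ANY for object (auto) NAT
    static: bool                # static rules apply in both directions, dynamic do not

def egress(ip):
    """Longest-prefix route lookup over ROUTES."""
    return max((r for r in ROUTES if ip in r[0]), key=lambda r: r[0].prefixlen)[1]

def lookup(rules, in_if, out_if, src, dst):
    """First rule that applies to the flow; static rules also match in reverse."""
    for r in rules:
        if r.src_if == in_if and r.dst_if == out_if and src in r.src and dst in r.dst:
            return r
        if r.static and r.dst_if == in_if and r.src_if == out_if and dst in r.src and src in r.dst:
            return r
    return None

def evaluate(rules, in_if, src, dst, intra_interface=False):
    """Verdict for a new connection: hairpin check, then NAT rule and reverse-path check."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out_if = egress(dst)
    if in_if == out_if and not intra_interface:
        return "DROP: hairpin needs 'same-security-traffic permit intra-interface'"
    fwd = lookup(rules, in_if, out_if, src, dst)
    rev = lookup(rules, out_if, in_if, dst, src)
    if rev is not None and rev is not fwd:  # reverse flow would hit a different rule
        return f"DROP: asymmetric NAT (forward={fwd.name if fwd else 'none'}, reverse={rev.name})"
    if fwd is None:
        return "PASS: no translation"
    return f"PASS: {fwd.name} ({'identity' if fwd.static else 'PAT to interface'})"

LAN_PAT = NatRule("LAN-USERS", "inside", "outside", LAN, ANY, static=False)
IDENTITY = NatRule("LAN<->VPN identity", "inside", "outside", LAN, VPN_POOL, static=True)
VPN_PAT = NatRule("VPN-POOL", "outside", "outside", VPN_POOL, ANY, static=False)
STEP0 = [LAN_PAT]                    # initial config: only the LAN dynamic PAT
STEP1 = [IDENTITY, LAN_PAT]          # manual (twice) NAT sits in section 1, before object NAT
STEP2 = [IDENTITY, LAN_PAT, VPN_PAT] # plus the (outside,outside) PAT for the VPN pool
```

Running `evaluate(STEP0, "outside", "10.2.2.1", "10.1.1.1")` gives the asymmetric-NAT drop seen in the article, while the same flow against STEP1 passes via the identity rule and the VPN-to-Internet flow passes against STEP2 only once `intra_interface=True`.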
