AnyConnect SSL VPN and Split Tunnel

Unanswered Question
Mar 29th, 2010

All,

I have successfully setup the AnyConnect VPN (connecting to our ASA5510) and have split tunneling configured.  My remote users can access inside LAN servers as well as the Internet from their remote location.  What I would like to know is is it possible to change the split tunnel and not allow access to the Internet from the remote location but force the remote client to go through the VPN and out our internal edge firewall to the Internet?  Basically I need my remote clients to access the Internet but I would like for their Internet traffic to go through the VPN and out our edge firewall.  This will allow the same security as if they were sitting in the office.

Thanks,

Ken

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jennifer Halim Mon, 03/29/2010 - 14:36

Definitely can.

1) Disable split tunnel

2) However you need to make sure of the routing. How is your ASA that terminates the VPN connected to your Internet edge FW gateway? Your Internet edge FW needs to route the VPN pool subnet back to the ASA. On ASA, you can also configure tunnel default gateway (route inside 0 0 tunneled) to an internal router/switch if the ASA and FW edge is connected in parallel.

Hope that helps.

I'm attempting the same... But all with 1 ASA.

I can connect with the anyconnect client just fine get pings back from internal hosts. But I don't get traffic from either public internet or other fixed ipsec tunnels to other sites. Those sites work fine if I'm on site or connected via an old VPN-3005.

I've read some about "hairpining" but unclear that will solve my problem.

Federico Coto F... Sun, 05/16/2010 - 15:07

Hairpinning is the ability to reroute traffic backout the same interface in which it received that traffic.

Previously, this was not something the Firewalls can do.

Now, the ASA can do hairpinning, which is used to provide Internet access to the VPN clients in most cases.

Normally a VPN client scenario, you will just send the desired traffic through the tunnel (split-tunneling).

You can also send all traffic through the tunnel and provide Internet access through the same ASA.

To accomplish this, the ASA should u-turn the traffic backout to the Internet.

You need something like this:

nat (outside) 1 10.x.x.x 255.255.255.0   --> assuming 10.x.x.x is the pool of addresses assigned for VPN clients

global (outside) 1 interface --> you might already have this for regular Internet traffic (PAT)

same-security permit intra-interface  --> to allow u-turn

Besides that, split-tunneling should be disabled on the ASA.

The routing should be configured accordingly as mentioned earlier.

Federico.

dominik78 Mon, 08/15/2011 - 18:40

This document helped me:

ASA 8.x: AnyConnect VPN Client for Public Internet VPN on a Stick Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080972e4f.shtml

Like Federico says you need a 'nat (outside)..' statement. That was the mistake I made. In my case the VPN IP pool was tied to a physical interface, I had a nat statement for that physical interface and the VPN pool IP range, but neglected the 'nat (outside) [vpn ip pool range]..'

Actions

This Discussion