I'm looking to setup AnyConnect VPN with no split tunneling. ASA 5505 v8.2. It seems this should be really easy. I must be missing something.
I can get the AnyConnect users to connect fine and they can access sites internal and at other IPSec-tunneled sites. But no access to the internet.
Internal is 10.1.1.x, VPN pool is 10.1.1.251-253 (Temp list for testing). I issued the following tracer:
packet-tracer input outside tcp 10.1.1.253 12345 188.8.131.52 80 detailed
The last reported point (where it fails) is:
Forward Flow based lookup yields rule:
in id=0xda7e9808, priority=70, domain=svc-ib-tunnel-flow, deny=false
hits=364, user_data=0xcb000, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=TempVPNPool3, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
What does it mean by WEBVPN-SVC?
Some relevant config:
No ACL, filters or group policy limitations on AC clients.
same-security permit intra-interface
On advice I added: nat (outside) 1 10.1.1.0 255.255.255.0, then I can get outside hosts, but then no IPSec tunneled hosts.
What's odd is that with this change, the packet tracer doesn't change. Still shows deny, yet the site is reachable.
When you say IPsec tunneled sites... is that Site-to-Site IPsec tunnels on the ASA?
nat (outside) 1 10.1.1.0 255.255.255.0
is needed to allow the pool of AnyConnect clients to get PATed to the Internet.
If you need the AnyConnect clients to access the Internet and access remote IPsec tunnels as well, you can do it with Policy NAT:
access-list anyconnect deny ip 10.1.1.0 255.255.255.0 x.x.x.x
access-list anyconnect deny ip 10.1.1.0 255.255.255.0 y.y.y.y
access-list anyconnect permit ip 10.1.1.0 255.255.255.0 any
nat (outside) 1 access-list anyconnect
global (outside) 1 interface
With the above configuration, you are bypassing NAT for the AnyConnect clients when they want to access the remote sites through the IPsec tunnels (assuming x.x.x.x and y.y.y.y to be the remote networks through those tunnels).
And everything else from the AnyConnect pool (10.1.1.0/24) will be PATed to the Internet.
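As an added illustration (not from the original thread or from Cisco), the following Python script models how the ASA evaluates the policy-NAT ACL above: entries are checked top-down, first match wins, a permit hit means the flow is PATed, and a deny hit means the flow is excluded from that nat statement so the client keeps its pool address for the site-to-site tunnel. The remote networks 192.168.50.0/24 and 172.16.20.0/24 are constructed placeholders standing in for x.x.x.x and y.y.y.y.

```python
import ipaddress

# Constructed ASA 8.2-style policy-NAT ACL. The two remote networks are
# placeholders for the x.x.x.x / y.y.y.y tunnel networks in the answer.
ANYCONNECT_ACL = """
access-list anyconnect deny ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list anyconnect deny ip 10.1.1.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list anyconnect permit ip 10.1.1.0 255.255.255.0 any
"""

def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i].
    ASA ACLs use subnet masks (not wildcard masks). Returns (network, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2

def parse_acl(text, name):
    """Return the ordered (action, src_net, dst_net) entries of ACL `name`."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        # Expected shape: access-list NAME permit|deny ip SRC [MASK] DST [MASK]
        if len(t) < 6 or t[0] != "access-list" or t[1] != name or t[3] != "ip":
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append((t[2], src, dst))
    return entries

def nat_decision(entries, src_ip, dst_ip):
    """First-match lookup for one flow from the AnyConnect pool.
    'PAT'      -> permit hit: translated to the outside interface address
    'exempt'   -> deny hit: not matched by this nat statement, real pool
                  address kept so the packet can take the site-to-site tunnel
    'no-match' -> the nat (outside) 1 statement does not apply to this flow"""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return "PAT" if action == "permit" else "exempt"
    return "no-match"

if __name__ == "__main__":
    acl = parse_acl(ANYCONNECT_ACL, "anyconnect")
    for dst in ("192.168.50.7", "188.8.131.52"):
        print("10.1.1.253 ->", dst, ":", nat_decision(acl, "10.1.1.253", dst))
```

Run it with the pool address from the packet-tracer above to see which destinations are PATed and which are left untranslated for the tunnels.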