AnyConnect VPN full tunnel with internet access

Unanswered Question
Dec 29th, 2010

Currently I am using an AnyConnect VPN (split tunnel) for remote access.

This works great.

However I would like to change this VPN to full tunnel mode.

I already tried configuring it without any problem, and it's also working, except for one thing: having internet access while in a full tunnel AnyConnect session.

I was expecting the internet traffic to be routed over the tunnel, and go out on the remote side to the internet, but this requires additional configuration.

Does anybody know how to configure an internet breakout using AnyConnect full tunnel mode?

Jan de Wit Wed, 12/29/2010 - 07:53

Hi Atri,

Actually, yes, I mean U-turning the traffic; however, the commands in the mentioned documentation are not available using IOS SSLVPN.



Atri Basu Wed, 12/29/2010 - 08:04

On a router, if you have NAT enabled for the traffic and a default route as well, then you shouldn't have any problems U-turning the traffic. U-turning is only required on ASAs, which have security policies in place that would otherwise drop the traffic. Can you paste the configuration of your gateway?

Jan de Wit Wed, 12/29/2010 - 11:27

Hi Atri,

Actually, I placed the VPN users within the same subnet as the normal users, which means that when normal users can access the internet, things like the default gateway as well as NAT are configured the right way.

I'm going to check on the other reactions.

Rahul Govindan Wed, 12/29/2010 - 07:26

I assume that you are using the ASA as vpn server.

You would need to NAT the traffic sourced from the VPN pool subnet to the outside interface IP address (PAT). Also, the command same-security-traffic permit intra-interface is required.

same-security-traffic permit intra-interface
nat (outside) 1 <vpn-pool-subnet> <mask>
global (outside) 1 interface
! you should already have the global line for the LAN's internet traffic

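As an added example, not from the thread or any of its participants, here is how the ASA variant Rahul describes looks as a complete 8.2-style configuration: intra-interface traffic permitted, the VPN pool PATed to the outside address on its way back out, and a group policy with no split tunnelling so the client sends everything (internet included) into the tunnel. Pool name and addresses, interface name, group-policy and tunnel-group names are all assumed.

```cisco
! Added example (not from the thread): ASA 8.2-style AnyConnect full tunnel
! with internet traffic U-turned back out the outside interface.
! Assumed: pool ACPOOL 10.10.10.0/24, interface "outside",
! group-policy "FULLTUNNEL-GP", tunnel-group "ANYCONNECT".
!
ip local pool ACPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! Without this, the ASA drops a packet that wants to leave the same
! interface it arrived on (the decapsulated client traffic).
same-security-traffic permit intra-interface
!
! PAT the VPN pool onto the outside interface address. The global line is
! normally already present for the LAN; the nat (outside) line is the addition.
global (outside) 1 interface
nat (outside) 1 10.10.10.0 255.255.255.0
!
! tunnelall = full tunnel: the client installs 0.0.0.0/0 via the VPN adapter.
group-policy FULLTUNNEL-GP internal
group-policy FULLTUNNEL-GP attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
!
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 address-pool ACPOOL
 default-group-policy FULLTUNNEL-GP
```

With a client connected and browsing, `show xlate` should list translations whose local address is in the pool and whose global address is the outside interface; if none appear, the nat (outside) line is the usual culprit.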
Jan de Wit Wed, 12/29/2010 - 07:55

Hi Rahul,

No, I am using a Cisco router, to be more specific, a Cisco 877W, using IOS SSLVPN.


Jan de Wit Thu, 12/30/2010 - 00:05

Hi Marcin,

Thanks for your reply, I did some decent searching on anyconnect, and some related keywords, but didn't find your post.

Can you please indicate in which IOS version this feature was introduced?

I am using advipservicesk9-mz.124-24.T3.bin myself.



Marcin Latosiewicz Thu, 12/30/2010 - 00:23


Indeed, my post was meant to highlight benefits for IPsec and was not specific to webvpn ;-)

I believe the functionality was introduced in 12.4(20)T and onwards, where the new CEF code was introduced, but I can't find the exact release.

That being said, 12.4(24)T is the last software train in 12.4T and it should contain all features in the config guide.


Jan de Wit Mon, 01/03/2011 - 06:55

Hi Marcin,

I changed the config with the information you provided, but it isn't working for me so far.

Hopefully you can help me a bit.

I have an 877W with an ATM interface as WAN interface (ADSL), which is configured under ATM0.1.

As stated in the docs I created the following interface:

interface Virtual-Template1
ip unnumbered ATM0.1
ip nat inside
ip virtual-reassembly

Secondly, I added this virtual template under the webvpn context:

virtual-template 1

According to the docs this should do the trick; however, the Virtual-Template interface stays down, and the feature isn't working.

Virtual-Template1  YES TFTP   down                  down   

The webvpn is working flawlessly using a split tunnel.

Hope you can indicate what's missing.

Best regards,

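To put the fragments above in context, here is an added example of the complete IOS SSLVPN configuration the virtual-template method needs on an 877W; it is not Jan's configuration and not from the Cisco docs he cites. Gateway, context and policy names are taken from the show output later in the thread; the LAN subnet, VLAN interface, pool name and addresses, trustpoint name and the ATM0.1 details are assumed, and only the lines relevant to NAT and the tunnel are shown.

```cisco
! Added example (not from the thread): IOS SSLVPN full tunnel with internet
! breakout via a NAT-inside Virtual-Template. Assumed: LAN 192.168.1.0/24 on
! Vlan1, WAN on ATM0.1, pool SSLPOOL 192.168.1.200-209 (same subnet as the
! LAN, as Jan describes), trustpoint TP-self-signed.
!
ip local pool SSLPOOL 192.168.1.200 192.168.1.209
!
! LAN and VPN pool share one subnet, so one ACL covers both. The PAT onto
! ATM0.1 is what carries the U-turned client traffic out to the internet.
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface ATM0.1 overload
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface ATM0.1 point-to-point
 ip nat outside
 ip virtual-reassembly
!
! Decapsulated SVC traffic enters the router on a Virtual-Access interface
! cloned from this template. The template itself stays down/down; "ip nat
! inside" here is what makes the VPN traffic eligible for translation.
interface Virtual-Template1
 ip unnumbered ATM0.1
 ip nat inside
 ip virtual-reassembly
!
webvpn gateway router
 ip interface ATM0.1 port 443
 ssl trustpoint TP-self-signed
 inservice
!
webvpn context router
 gateway router
 virtual-template 1
 max-users 2
 policy group sslpolicy
  functions svc-enabled
  svc address-pool "SSLPOOL"
  svc keep-client-installed
  ! no "svc split include": every client destination, internet included,
  ! goes through the tunnel
 default-group-policy sslpolicy
 inservice
```

The checks that tell the two failure modes apart: `show ip interface brief` should list a Virtual-Access interface as up/up while a client is connected (the Virtual-Template staying down is normal), and `show ip nat translations` should then show entries for the client's pool address. A Virtual-Access that never appears points at the platform/release support question raised later in the thread rather than at NAT.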

Marcin Latosiewicz Mon, 01/03/2011 - 09:15


I only tested this feature initially when it was introduced ... so my recollections are vague at best ;-)

How this is supposed to work (AFAIR) is to spawn virtual-access interfaces from the virtual template; I'm not sure if it's technically necessary for the virtual-template interface to be up/up.

That being said ... let's see "show webvpn context NAME_HERE" to verify if template is applied there.

I'm actually starting to wonder if I sold you false hope ... I did a quick search in Feature Navigator and officially I see support in platforms starting from 18xx and in 15.1T (and on). Oddly enough, the config guide for 12.4T contains VTI support without restrictions.


Jan de Wit Mon, 01/03/2011 - 09:47

Hi Marcin,

Actually, the Virtual-Template is listed when issuing the show webvpn context [name] command.

router#sh webvpn context router
Admin Status: up
Operation Status: up
Error and Event Logging: Disabled
CSD Status: Disabled
Certificate authentication type: All attributes (like CRL) are verified
AAA Authentication List: default
AAA Authorizationtion List not configured
AAA Authentication Domain not configured
Default Group Policy: sslpolicy
Associated WebVPN Gateway: router

Domain Name and Virtual Host not configured
Maximum Users Allowed: 2
NAT Address not configured
VRF Name not configured
Virtual Template: 1


Regards, Jan

Marcin Latosiewicz Tue, 01/04/2011 - 00:46


Odd, but if no virtual-access is spawned, well, I guess you could open a TAC case to make sure this is supported on this particular platform version.

In the meantime, we could try the old way: a loopback interface with "ip nat inside" applied, and send all traffic from the VPN to it.


mulatif Sat, 01/08/2011 - 19:43

Hi Jan,

Did you add the Virtual-Template, or make changes to the virtual-template, 'after' defining it under the webvpn context?

If you did, then please remove the "virtual-template" command from under the webvpn config and then re-add it.

Also, the Virtual-Template will always stay down; it is a virtual-access interface that you should be seeing up in the "show ip interface brief" command.



Jan de Wit Mon, 01/10/2011 - 01:21

Hi Naman,

Thanks for your input. I tried re-adding the virtual-template under the webvpn context; however, no difference.

Basically both the virtual-template as well as the virtual-access stay down while a user is connected.

Best regards,


mulatif Mon, 01/10/2011 - 06:42

Hi Jan,

If you feel comfortable, then you can post your config here and I can take a look, or you can open a TAC case and continue from there.



