Cisco AnyConnect Clients force all traffic through VPN

Feb 26th, 2014

Hello, I am trying to figure out how to force all traffic from remote VPN users to go through the VPN tunnel for internet access and have run into a roadblock. Right now, I have split tunneling working for one profile, and the other profile is to force all traffic through the VPN. I have the same-security features enabled and I think I am stuck on the NAT side of it. What sort of NAT settings do I need to allow this hairpinning? FYI, my ACL allows any source to any outbound.

- Gabe

jjohnston1127 Wed, 02/26/2014 - 21:34

What version of code?


Using an example of 10.2.3.0 as your VPN subnet.

8.2 and below:

nat (outside) 1 10.2.3.0 255.255.255.0
global (outside) 1 interface  (or PAT IP)

8.3+:

object network VPN-Pool
 subnet 10.2.3.0 255.255.255.0
 nat (outside,outside) dynamic interface

mattesong Thu, 02/27/2014 - 10:15

Hi Johnston, thanks for the help! It is for version 9.x and I have configured the NAT. I am going to give that a shot and try it. Thanks,

mattesong Thu, 02/27/2014 - 10:18

I just made the change and no luck. Any thoughts as to where I might look to test? I ran the packet tracer and set it up with the following:

interface - outside
source ip - vpn pool ip address
dest ip - google.com

reverse path failure is the result...

jjohnston1127 Thu, 02/27/2014 - 10:32

Please post the output of the command:

show run nat

ledzepp817 Thu, 02/27/2014 - 12:42

Could it be DNS? 

What troubleshooting have you done? 

mattesong Thu, 02/27/2014 - 12:48

I am able to resolve DNS entries from the internal DNS servers. Thanks-

mattesong Thu, 02/27/2014 - 12:46

Here is the output.

object network SHR_VPN_CLIENTS
 nat (outside,outside) dynamic interface

ledzepp817 Thu, 02/27/2014 - 12:51

Have you changed the source interface to inside and tested?

mattesong Thu, 02/27/2014 - 12:56

I just tried that and cleared the xlates, no luck. I'll see if I can paste the packet trace output.

mattesong Thu, 02/27/2014 - 13:01

Result:

input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

Shouldn't these commands fix this?

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

I don't want to disable RPF on the outside interface if I don't have to.

- Gabe
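
Pulling the pieces of this thread together, here is an added example configuration (not from any of the posts above and not Cisco's documentation) for an ASA running 8.3+/9.x that full-tunnels AnyConnect clients and hairpins their internet traffic back out the outside interface. It combines the (outside,outside) object NAT jjohnston posted with the same-security command Gabe lists and the group-policy setting that actually forces all traffic into the tunnel. The pool 10.2.3.0/24 is the one used earlier in the thread; the names VPN-POOL, VPN-POOL-NET, GP-FULLTUNNEL and FULLTUNNEL, the DNS server 10.1.1.10 and the interface name outside are assumptions for illustration.

```cisco
! Added example (assumed names and addresses; not from the original posts).
! Goal: AnyConnect clients send ALL traffic through the tunnel, and the ASA
! forwards their internet-bound traffic back out the same outside interface.

! 1. Permit decrypted VPN traffic to leave through the interface it arrived on.
!    This is the u-turn/hairpin permission; inter-interface is only needed when
!    two different interfaces share the same security level.
same-security-traffic permit intra-interface

! 2. Address pool handed out to AnyConnect clients (assumed range).
ip local pool VPN-POOL 10.2.3.1-10.2.3.254 mask 255.255.255.0

! 3. Full-tunnel group policy: tunnelall disables split tunneling, so every
!    destination (internet included) is sent through the VPN.
group-policy GP-FULLTUNNEL internal
group-policy GP-FULLTUNNEL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 dns-server value 10.1.1.10

! 4. Object NAT for the pool: traffic entering on outside (decrypted from the
!    tunnel) and leaving on outside is PATed to the outside interface address.
object network VPN-POOL-NET
 subnet 10.2.3.0 255.255.255.0
 nat (outside,outside) dynamic interface

! 5. Tie the pool and the full-tunnel policy to the tunnel group (assumed name).
tunnel-group FULLTUNNEL type remote-access
tunnel-group FULLTUNNEL general-attributes
 address-pool VPN-POOL
 default-group-policy GP-FULLTUNNEL
```

To confirm the hairpin is actually being used, connect a client to the full-tunnel profile, browse to an external site, and check `show nat detail` for non-zero translate hits on the VPN-POOL-NET rule and `show xlate` for an entry from a 10.2.3.x address to the outside interface IP. If the hits stay at zero while the client has connectivity, a broader manual (twice) NAT rule earlier in the NAT table is matching the pool traffic first and should be inspected.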
