

Impossible to redirect traffic from Outside to Intranet


I use AnyConnect to permit connection of remote clients to the Inside network.

Pool for remote clients

internal network

AnyConnect works fine to access the internal network, but now the customer would like the remote clients with an IP address in 192.168.10.x to access equipment on the distant site directly (Subnet  through the Intranet interface (no VPN on the Intranet interface, which is connected to MPLS).

Intranet interface has an IP address in

Here is the path for the traffic:

AnyConnect clients --> Outside  'FW'   Intranet -->  Distant network

# Security-levels on the ASA 5510 cluster at rel 8.4.7

Inside 100

Outside 0

Intranet 50

Since we don't have the same security level for Intranet and Outside, I first proposed to create an access-list which permits ip from to, applied outbound on the Intranet interface, but it doesn't work.

Then I tried to apply the same access-list inbound on the Outside interface, but same issue.

I would like to know if there is something special to do.

We don't apply NAT on the Intranet interface; the remote ASA firewall has been configured to see the AnyConnect IP address as the source IP.


Best regards.
Hello,

First of all, traffic from the clients going to the Distant network will not need any sort of FW access-list due to sysopt connection permit-vpn.


What you will need to do is:

-If using any sort of split-tunneling make sure you allow the traffic to the distant network.

-Make sure the devices behind the MPLS network know that in order to reach that VPN AnyConnect pool of addresses they need to send the traffic to the ASA.

-Make sure the NoNat Rule on the ASA includes traffic from the distant Interface to the VPN Anyconnect Pool.

-If any ACL on the Intranet interface, allow the traffic that will be generated from the distant network.


Does it make sense?



Remember to rate all of the helpful posts!!!!

Looking for some Networking Assistance? Contact me directly at I will fix your problem ASAP. Cheers, Julio Carvajal Segura
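The four steps in the answer above, written out as an ASA 8.4 configuration sketch. This is an added example, not configuration from the thread, from Cisco or from the poster's ASA. It assumes the AnyConnect pool is 192.168.10.0/24 (the question only says 192.168.10.x), uses 10.20.30.0/24 as a placeholder for the distant subnet the question left out, and the object, ACL, group-policy names and the next-hop value are invented.

```cisco
! Objects for the AnyConnect pool (192.168.10.x per the question) and the
! distant MPLS subnet (10.20.30.0/24 is a placeholder; substitute the real one).
object network VPN-POOL
 subnet 192.168.10.0 255.255.255.0
object network DISTANT-NET
 subnet 10.20.30.0 255.255.255.0
!
! Step 1: if split tunneling is used, the distant subnet must be in the list,
! otherwise the client never sends that traffic into the tunnel.
! ANYCONNECT-GP is an assumed group-policy name.
access-list SPLIT-TUNNEL standard permit 10.20.30.0 255.255.255.0
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! Step 2: the ASA needs a route to the distant subnet via Intranet
! (<MPLS_NEXT_HOP> is a placeholder), and the MPLS side needs the reverse
! route for 192.168.10.0/24 pointing back at this ASA's Intranet address.
route Intranet 10.20.30.0 255.255.255.0 <MPLS_NEXT_HOP>
!
! Step 3: NAT exemption (identity twice NAT) between Intranet and Outside so
! pool addresses are not translated in either direction; no-proxy-arp and
! route-lookup keep the ASA from answering ARP for, or mis-routing, the pool.
nat (Intranet,Outside) source static DISTANT-NET DISTANT-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! Step 4: decrypted VPN traffic bypasses interface ACLs because of
! sysopt connection permit-vpn (enabled by default; shown for completeness),
! so an ACL entry is only needed for connections initiated from the distant
! network towards the pool, and only if an ACL is applied inbound on Intranet.
sysopt connection permit-vpn
access-list INTRANET-IN extended permit ip object DISTANT-NET object VPN-POOL
access-group INTRANET-IN in interface Intranet
```

To check that the exemption is matched rather than a later NAT rule, run show nat detail and watch the translate_hits and untranslate_hits counters on the identity rule while a client tests; show route confirms the distant subnet points out of Intranet. The return direction (distant network to pool) can be simulated with packet-tracer input Intranet tcp 10.20.30.10 1025 192.168.10.5 80, which exercises both the NAT exemption and the Intranet ACL.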