Cisco Support Community

How to enforce VPN client user internet traffic through VPN tunnel


This document describes how the Cisco VPN Client or the AnyConnect client can send both intranet and Internet traffic through the VPN tunnel, so that remote users' Internet access is hairpinned through the ASA instead of leaving the client directly.

home users(VPN Clients) ------ internet ------ ASA 5510----- CORP LAN

Components Used

  •   ASA running 7.x or later (for the VPN Client) or 8.x or later (for AnyConnect)
  •   Cisco VPN Client or AnyConnect client

Network Diagram


In the diagram above:

  •   E0 is the outside interface
  •   E1 is the inside interface
  •   Pool subnet is


Keep the following in mind when configuring this:

  •     In the group-policy, set the split-tunnel policy to tunnelall, so the client sends all traffic (Internet included) through the tunnel.

  •     Configure NAT for the VPN client pool on the outside interface so that it is PATed to the same global address as the inside network.

  •     Configure "same-security-traffic permit intra-interface" so that traffic arriving from the VPN tunnel and destined for the Internet can make a U-turn and leave through the same outside interface.

Configuration of PIX/ASA

interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address
!
! Let traffic that enters on the outside interface (from the VPN tunnel) leave
! through the same interface; without this the Internet-bound U-turn is dropped.
same-security-traffic permit intra-interface
!
object-group network trusted_inside
!
object-group network APAC_IS_VPN_Networks
!
! Corporate-to-VPN-pool traffic is exempt from NAT (identity NAT 0); everything
! else from the inside network and from the client pool is PATed to the same
! global address, global id 2.
access-list VPN_ACL_NONAT extended permit ip object-group trusted_inside object-group APAC_IS_VPN_Networks
global (outside) 2 netmask
nat (inside) 0 access-list VPN_ACL_NONAT
nat (inside) 2
! NAT for the VPN client pool on the outside interface, sharing global id 2.
nat (outside) 2
route outside
route inside
!
! AnyConnect images and the client profile are loaded in webvpn mode.
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.1025-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.5.1025-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.5.1025-k9.pkg 3
 svc profiles MSTRRemAccess2011 disk0:/MSTRRemAccess2011.xml
 svc enable
 tunnel-group-list enable
!
group-policy Test-AnyconnectPolicy internal
group-policy Test-AnyconnectPolicy attributes
 ! tunnelall is the setting that forces Internet traffic into the tunnel; do not
 ! follow it with a second split-tunnel-policy line, as the last one entered wins.
 split-tunnel-policy tunnelall
 wins-server value X.X.X.X Y.Y.Y.Y
 dns-server value X.X.X.X Y.Y.Y.Y
 vpn-tunnel-protocol IPSec svc webvpn
 default-domain value
 split-dns value
 webvpn
  svc dtls enable
  svc keep-installer installed
  svc keepalive 60
  svc dpd-interval client 120
  svc dpd-interval gateway 120
  svc modules value vpngina
  svc profiles value MSTRRemAccess2011
  svc ask enable
!
tunnel-group Test_AnyConnect type remote-access
tunnel-group Test_AnyConnect general-attributes
 authentication-server-group LOCAL-ACS
 default-group-policy Test-AnyconnectPolicy
tunnel-group Test_AnyConnect webvpn-attributes
 group-alias Test_Group enable
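The three requirements listed earlier, as an added audit script that is not part of the original document: it reads an ASA running-config in the pre-8.3 NAT syntax used above and reports whether intra-interface traffic is permitted, whether the pool's nat (outside) entry shares a global id with the inside network, and whether each group-policy ends up with tunnelall (a later split-tunnel-policy line overrides an earlier one, as on the ASA). The sample config, its policy name and its addresses are constructed for the example.

```python
"""Audit an ASA config (pre-8.3 NAT syntax) for the three settings that let
VPN-client Internet traffic hairpin back out the outside interface."""
import re

# Constructed sample config, not the page's own; addresses are placeholders.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
global (outside) 2 interface
nat (inside) 2 10.10.0.0 255.255.0.0
nat (outside) 2 192.168.100.0 255.255.255.0
group-policy Test-AnyconnectPolicy attributes
 split-tunnel-policy tunnelall
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
tunnel-group Test_AnyConnect general-attributes
 default-group-policy Test-AnyconnectPolicy
"""

def split_tunnel_policies(config):
    """Map each group-policy to its effective split-tunnel-policy: only indented
    lines under 'group-policy <name> attributes' count, and a later line overrides
    an earlier one, which is how the ASA applies them."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes", line)
        if m:
            current = m.group(1)
            policies.setdefault(current, None)
        elif not line.startswith(" "):
            current = None  # an unindented line ends the attributes sub-mode
        elif current is not None:
            m = re.match(r"\s+split-tunnel-policy (\S+)", line)
            if m:
                policies[current] = m.group(1)
    return policies

def _outside_ids(config, keyword):
    """NAT ids appearing in '<keyword> (outside) <id> ...' lines."""
    pat = re.compile(r"^%s \(outside\) (\d+)" % re.escape(keyword))
    return {m.group(1) for m in map(pat.match, config.splitlines()) if m}

def audit_hairpin(config):
    """Return {check: result}; all three must pass for tunnelall clients."""
    lines = [l.strip() for l in config.splitlines()]
    return {
        "intra_interface": "same-security-traffic permit intra-interface" in lines,
        # The pool's nat (outside) id must match a global (outside) entry.
        "outside_nat_for_pool": bool(_outside_ids(config, "nat") & _outside_ids(config, "global")),
        "tunnelall": {n: v == "tunnelall" for n, v in split_tunnel_policies(config).items()},
    }
```

Run it against the output of "show running-config"; a False in any entry points at the missing or overridden setting.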

Hope this was informative and I want to thank you for your time.

Last update: 06-13-2011 01:52 AM