I need to have my remote clients access the Internet through the VPN using the AnyConnect client, meaning I need all traffic to go through the VPN and out our internal router to the Internet. I know I can use the split-tunnel option, but our corporate policy states that all traffic needs to go through the VPN, web traffic included. Currently my users have access to all internal resources, but web traffic is not working. How do I configure the ASA to allow web traffic through and route it out our main edge router?
How is the main edge router connected? To the outside of the ASA or to the inside of the ASA?
1) If it's connected to the outside of the ASA, then you would need to configure the following:
same-security-traffic permit intra-interface
nat (outside) 1 <vpn-pool-subnet> <vpn-pool-mask>
Assuming that you already have a corresponding global statement with a sequence of 1 for the outside interface.
2) If it's connected to the inside of the ASA, then you need the following instead:
route inside 0.0.0.0 0.0.0.0 <inside-router-ip> tunneled
Assuming that your main edge router is doing the PAT for web browsing to the Internet, then you would need to include the VPN Pool subnet in the NAT statement on the router, plus a route for the IP pool subnet back towards the ASA inside interface.
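The following is an added configuration example (not part of the original answer) that puts both scenarios from the answer together in working form. It assumes a constructed VPN pool of 10.10.10.0/24, an ASA inside address of 192.168.1.1, an inside edge router at 192.168.1.254, and a group policy named ANYCONNECT-GP; all of these names and addresses are placeholders, not values from the page. Scenario 1 is shown in ASA 8.3+ object NAT syntax as well as the pre-8.3 form quoted in the answer; scenario 2 shows the tunneled default route on the ASA and the matching IOS NAT and return route on the edge router.

```cisco
! --- Common: force all AnyConnect traffic into the tunnel (no split tunnel) ---
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelall
!
ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! --- Scenario 1: edge router sits on the OUTSIDE of the ASA ---
! VPN traffic enters and leaves the same (outside) interface, so
! hairpinning must be explicitly permitted.
same-security-traffic permit intra-interface
!
! ASA 8.3+ : translate the VPN pool to the outside interface address
! when it goes back out the outside interface.
object network VPN-POOL-NET
 subnet 10.10.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
!
! Pre-8.3 equivalent of the same translation (as in the answer above):
!   nat (outside) 1 10.10.10.0 255.255.255.0
!   global (outside) 1 interface
!
! --- Scenario 2: edge router sits on the INSIDE of the ASA ---
! A default route that applies only to VPN-terminated traffic, pointing
! at the inside router instead of the normal outside default route.
route inside 0.0.0.0 0.0.0.0 192.168.1.254 tunneled
!
! On the inside edge router (IOS), the pool must be PATed like any other
! inside subnet, and a return route for the pool must point at the ASA.
!   ip access-list standard INSIDE-NAT
!    permit 192.168.1.0 0.0.0.255
!    permit 10.10.10.0 0.0.0.255
!   ip nat inside source list INSIDE-NAT interface GigabitEthernet0/0 overload
!   ip route 10.10.10.0 255.255.255.0 192.168.1.1
```

In scenario 1 the `same-security-traffic permit intra-interface` line is the one most often forgotten: without it the ASA silently drops the hairpinned flow even though the NAT rule is correct. In scenario 2 the `tunneled` keyword is what keeps normal (non-VPN) traffic on the regular outside default route while VPN clients are steered to the inside router; verify the result with `show route` and a `packet-tracer input outside ...` from a pool address.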