AnyConnect external website access

Guys, I'm trying to allow AnyConnect VPN clients to access external internet sites through the ASA (no split tunneling). In other words, I want users connected over VPN to be able to access the internal network, as well as be able to access external websites by having that traffic tunneled first to the ASA and then out to the internet. I've tried following the suggestions mentioned in this thread, but no luck. Specifically, I've tried adding this nat statement:

nat (outside) 1 192.168.30.0 255.255.255.0

as well as this one:

nat (outside) 1 192.168.30.0 255.255.255.0 outside

Originally I had no "nat (outside)" statement. Not able to access outside sites in any of these three cases. I have no trouble accessing the inside network when connected. I've issued the sysopt connection permit-vpn command to ignore interface access-lists for vpn users. Config is attached (scrubbed). Any help would be greatly appreciated.


Accepted Solutions

Re: AnyConnect external website access

Change this line: nat (outside) 1 192.168.30.0 255.255.255.0 outside

To: nat (outside) 1 192.168.30.0 255.255.255.0

global (outside) 1 interface   will associate the NAT to the outside interface.

Also be sure you have traffic allowed between hosts connected on the same interface with this command:

same-security-traffic permit intra-interface
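
An added example, not part of the original post or of any Cisco tooling: a small Python check that scans a saved running-config for the three statements the answer above relies on when tunnel-all VPN clients must leave through the same interface they arrived on. The function name, the sample configs and the simplified pre-8.3 nat/global parsing are assumptions for illustration.

```python
import re

# Constructed sample configs in the pre-8.3 nat/global syntax used in the thread.
BROKEN = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.30.0 255.255.255.0 outside
"""
FIXED = """\
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.30.0 255.255.255.0
"""

# Simplified patterns: only "nat (ifc) id net mask [keyword]" and "global (ifc) id ...".
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)(?: (\S+))?\s*$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")


def check_hairpin(config, pool_net, pool_mask, ifc="outside"):
    """Return a list of findings; an empty list means every check passed."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    # Traffic entering and leaving the same interface must be permitted.
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("missing: same-security-traffic permit intra-interface")
    # The VPN pool needs a nat statement on the interface the clients terminate on.
    nat_ids = set()
    for line in lines:
        m = NAT_RE.match(line)
        if m and m.group(1) == ifc and (m.group(3), m.group(4)) == (pool_net, pool_mask):
            nat_ids.add(m.group(2))
            if m.group(5) == "outside":
                # The answer above recommends the form without this keyword.
                findings.append("nat (%s) %s has trailing 'outside' keyword" % (ifc, m.group(2)))
    if not nat_ids:
        findings.append("missing: nat (%s) <id> %s %s" % (ifc, pool_net, pool_mask))
    # Each nat id must have a global statement on the same interface.
    global_ids = {m.group(2) for m in map(GLOBAL_RE.match, lines) if m and m.group(1) == ifc}
    for nat_id in sorted(nat_ids - global_ids):
        findings.append("missing: global (%s) %s for nat id %s" % (ifc, nat_id, nat_id))
    return findings
```
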


Re: AnyConnect external website access

Dude, you rock. The same-security-traffic permit intra-interface command appears to have been the hang-up! I'll buy you a drink next time you're in Virginia, ha!


Re: AnyConnect external website access

You're welcome!

Thanks for rating!
