Cisco Support Community
Cisco AnyConnect Clients force all traffic through VPN

Hello, I am trying to figure out how to force all traffic from remote VPN users to go through the VPN tunnel for internet access and have run into a roadblock. Right now, I have split tunneling working for one profile and the other profile is to force all traffic through the VPN. I have the same-security features enabled and I think I am stuck on the NAT side of it. What sort of NAT settings do I need to allow this hairpinning? My ACL is to allow any source to any outbound, FYI.

- Gabe


Cisco AnyConnect Clients force all traffic through VPN

What version of code?

Using an example of 10.2.3.0 as your VPN subnet.

8.2 and below:

! PAT the VPN pool back out the outside interface (hairpin)
nat (outside) 1 10.2.3.0 255.255.255.0
global (outside) 1 interface  (or PAT IP)

8.3+:

! Network object for the VPN pool with its hairpin NAT rule
object network VPN-Pool
 subnet 10.2.3.0 255.255.255.0
 nat (outside,outside) dynamic interface
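A complete full-tunnel hairpin configuration for ASA 8.3+/9.x, put together here as an added example rather than taken from the reply above, and assuming an interface named "outside" and the 10.2.3.0/24 pool used in that reply. The pool, group-policy and tunnel-group names (ANYCONNECT-POOL, FULL-TUNNEL-GP, FULL-TUNNEL-TG) are hypothetical, and AnyConnect itself is assumed to be already enabled on the outside interface:

```cisco
! Added example, not the thread's own configuration.
! Names marked below are hypothetical; the pool 10.2.3.0/24 follows the reply above.

! 1. Let decrypted VPN traffic leave the interface it arrived on.
!    "intra-interface" is the line that matters for hairpinning;
!    "inter-interface" only covers two different interfaces at the same level.
same-security-traffic permit intra-interface

! 2. Address pool handed to AnyConnect clients (hypothetical name).
ip local pool ANYCONNECT-POOL 10.2.3.1-10.2.3.254 mask 255.255.255.0

! 3. Group policy with split tunneling disabled, so every client flow,
!    Internet-bound included, comes back through the tunnel (hypothetical name).
group-policy FULL-TUNNEL-GP internal
group-policy FULL-TUNNEL-GP attributes
 split-tunnel-policy tunnelall
 address-pools value ANYCONNECT-POOL

! 4. Bind the policy to the connection profile users select (hypothetical name).
tunnel-group FULL-TUNNEL-TG general-attributes
 default-group-policy FULL-TUNNEL-GP

! 5. Network object for the pool. The object needs its "subnet" definition
!    for the hairpin NAT rule beneath it to apply.
object network VPN-Pool
 subnet 10.2.3.0 255.255.255.0
 nat (outside,outside) dynamic interface

! 6. Verification: simulate a client TCP flow entering on outside and leaving on outside.
!    8.8.8.8 is a placeholder destination; a pool address is used as the source.
!    The trace should end in "Action: allow" with a NAT phase to the outside interface address.
packet-tracer input outside tcp 10.2.3.10 1025 8.8.8.8 80

! 7. "show run nat" lists only the nat line under the object;
!    use "show run object" to confirm the subnet is actually defined.
show run object
show run nat
```

The two "show run" commands at the end are there because the NAT rule and the object's subnet are displayed by different commands, so checking only one of them can hide a half-configured object.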


Re: Cisco AnyConnect Clients force all traffic through VPN

Hi Johnston, thanks for the help! It is for version 9.x and I have configured the NAT. I am going to give that a shot and try it. Thanks,


Re: Cisco AnyConnect Clients force all traffic through VPN

I just made the change and no luck. Any thoughts as to where I might look to test? I ran the packet tracer and set it up with the following:

interface - outside
source ip - vpn pool ip address
dest ip - google.com

reverse path failure is the result...

Re: Cisco AnyConnect Clients force all traffic through VPN

Please post the output of the command:

show run nat


Cisco AnyConnect Clients force all traffic through VPN

Could it be DNS? 

What troubleshooting have you done? 


Cisco AnyConnect Clients force all traffic through VPN

I am able to resolve DNS entries from the internal DNS servers. Thanks-


Cisco AnyConnect Clients force all traffic through VPN

Here is the output.

object network SHR_VPN_CLIENTS
 nat (outside,outside) dynamic interface


Cisco AnyConnect Clients force all traffic through VPN

Have you changed the source interface to inside and tested?


Cisco AnyConnect Clients force all traffic through VPN

I just tried that and cleared the xlates, no luck. I'll see if I can paste the packet trace output.


Re: Cisco AnyConnect Clients force all traffic through VPN

Result:

input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up

Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

Shouldn't these commands fix this?

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

I don't want to disable RPF on the outside interface if I don't have to.

- Gabe
