Cisco AnyConnect SSL VPN no split tunnel and no hairpinning internet access

jim.burgee
Level 1

Greetings,


I am looking to configure a Cisco ASA 5515X for Cisco AnyConnect Essentials SSL VPN where ALL SSL-VPN traffic is tunneled, no split tunneling or hairpinning on the outside interface. However users require internet access. I need to route traffic out the "trusted" or "inside" interface to another device that performs content-filtering and inspection which then egresses out to the internet from there. Typically this could be done using a route-map (which ASA's do not support) or with a VRF (again, not an option on the ASA). The default route points to the outside interface toward the internet.


Is there no other method to force all my SSL-VPN traffic out the inside interface toward LAN subnets as needed and have another default route point toward the filtering device?

OR 

Am I forced to put the ASA behind the filtering device somehow?

4 Replies

Santhosha Shetty
Cisco Employee

Hi Jim,


You can use tunnel default route for vpn traffic:

ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled

configure mode commands/options:
  <1-255>   Distance metric for this route, default is 1
  track     Install route depending on tracked item
  tunneled  Enable the default tunnel gateway option, metric is set to 255


This route is applicable for only vpn traffic.


HTH,

Shetty

I know this is an old post, but I am curious to know if the route with the tunneled keyword is the right fix to send all internet traffic out from the inside interface of the VPN to an attached layer 3 device that knows internet routes. I tried it today but it didn't work. VPN users can reach all internal and DMZ resources but not the Internet. The trace dies at the VPN and packet-tracer drops at WEBVPN-SVC.

-Josh

Hi Joshuskarki,

Following doc explains the use of tunnel-default route:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112182-ssl-tdg-config-example-00.html

All it does is forward the packets received from the tunnel to the gateway mentioned in the tunnel-default route. If the traffic fails, then troubleshoot it like any other traffic on upstream devices.

Key thing would be to make sure the upstream device (before the ISP) knows the routing info of the VPN pool, so return traffic can be forwarded back onto the ASA.

Do a capture on the ASA internal interface to check if it's forwarding the request packets and receiving the reply or not.

BR

Santhosh
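Putting the two replies above together, here is what a minimal tunnel-all configuration with a tunnel default gateway looks like on the ASA, followed by the capture used to verify it. This is an added example, not configuration from the original thread or from the Cisco document linked above; every address, object name and group-policy name in it is a constructed placeholder (RFC 5737 documentation ranges and a hypothetical 10.200.0.0/24 AnyConnect pool), and the ASA inside interface is assumed to be 192.0.2.1.

```cisco
! Constructed addresses, not from the thread:
!   ISP next hop on outside            203.0.113.1
!   ASA inside interface               192.0.2.1
!   inside filtering appliance         192.0.2.254 (routes/NATs VPN users to the internet)
!   AnyConnect address pool            10.200.0.0/24
!   inside LAN                         192.0.2.0/24

ip local pool ANYCONNECT-POOL 10.200.0.1-10.200.0.254 mask 255.255.255.0

object network VPN-POOL
 subnet 10.200.0.0 255.255.255.0
object network INSIDE-LAN
 subnet 192.0.2.0 255.255.255.0

! Ordinary default route: non-VPN traffic (and the SSL/TLS sessions
! themselves) still leave via the ISP on outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Tunnel default gateway: decrypted VPN traffic with no more specific
! route is sent to the filtering appliance on inside (metric forced to 255)
route inside 0.0.0.0 0.0.0.0 192.0.2.254 tunneled

! Identity NAT for the pool toward inside, with route-lookup so the egress
! interface comes from the routing table (the tunneled route) rather than
! from the NAT rule; LAN-to-pool exemption for the existing inside subnets
nat (outside,inside) source static VPN-POOL VPN-POOL route-lookup
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! Group policy: everything is tunneled, no split tunnel
group-policy TUNNEL-ALL internal
group-policy TUNNEL-ALL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall

! The filtering appliance must route the pool back to the ASA inside
! interface; exact syntax depends on that device, e.g. on IOS:
!   ip route 10.200.0.0 255.255.255.0 192.0.2.1

! Verification: watch the inside interface for the request leaving and
! the reply coming back from the appliance
capture VPNCAP interface inside match ip 10.200.0.0 255.255.255.0 any
show capture VPNCAP
show route
```

Two things to check when the tunneled route appears not to take effect: the routing table only picks the egress interface if no NAT rule has already chosen one, so a NAT rule matching the pool toward outside (without `route-lookup`) sends the traffic to the ISP regardless of the tunneled route; and the capture should show both directions on inside, since packets that leave but never return point at the appliance's routing or NAT rather than at the ASA.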

Thanks for your quick reply, Santosh!

If I know any public addresses, e.g. 4.2.2.2 or 8.8.8.8, and configure static routes pointing them to the next hop towards the inside interface, it works just fine. VPN users can ping these addresses. That confirms the NAT and the return routes from the internet router to the VPN address pool are all good. It is just that the route with tunneled, as the link explained, doesn't seem to be working in my environment. I am sure I am missing something obvious somewhere in the config.

My setup has a few other groups with split-tunneling on and those have been working fine.

The one (new group) I am currently testing is tunnel-all traffic with VPN always-on. Always-on seems to be working and I can also reach internal resources, but the traffic isn't going out to the internet :(

-Josh
