
New Member

How to change AnyConnect remote VPN to full tunnel from split tunnel?

I couldn't find an answer looking through the ASA config in Cisco documentation and using Google.  To enable full tunnel for the AnyConnect client group policy, do I just need to change the Split-Tunneling policy to Tunnel All Networks and set the Network List to None if I want anyone who connects with the AnyConnect Secure Mobility client to use the corp internet pipe?  

6 REPLIES
Hall of Fame Super Silver

That plus you will also need a NAT rule to NAT the VPN pool addresses to the ASA outside interface (or whatever address / pool you normally use for dynamic NAT).

There are some good examples with illustrations in this document.

New Member

Marvin,

Thanks for the reply. OK, so set up the NAT for the VPN pool and then make the changes to the Group Policy in ASDM to tunnelall and set the network list to None. I've already added the same-security-traffic permit intra-interface. That should be it to turn our current policy from split-tunnel to tunnelall?

Hall of Fame Super Silver

You're welcome.

Yes, those would be the general steps one would take. I can't say for sure if there are any other considerations without knowing your complete configuration but that should set you on the right path.
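
The steps agreed in this exchange, shown as an added ASA CLI illustration (constructed example, not configuration posted in the thread or published by Cisco; the group-policy name, ACL name, object name and address ranges are assumptions). With full tunnel, client Internet traffic rides through the corporate edge and its inspection, which is the point of the change, so the NAT and hairpin pieces are what make that traffic actually flow:

```cisco
! Constructed example: group-policy name, ACL name, object name and
! address ranges are placeholders, not values from the thread.
!
! --- Before: split tunnel, only corporate networks go through the VPN ---
access-list SPLIT_TUNNEL_ACL standard permit 10.0.0.0 255.0.0.0
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
!
! --- After: full tunnel, all client traffic (Internet included) uses the VPN ---
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
!
! Full-tunnel Internet traffic enters and leaves the same (outside)
! interface, so hairpinning must be permitted.
same-security-traffic permit intra-interface
!
! Dynamic PAT of the client addresses to the outside interface (ASA 8.3+
! syntax). The subnet must cover whatever addresses clients actually get:
! the ASA address pool, or, as in this thread, the internal DHCP scope
! handed out to AnyConnect sessions.
object network VPN_CLIENT_ADDRS
 subnet 10.10.10.0 255.255.255.0
nat (outside,outside) after-auto source dynamic VPN_CLIENT_ADDRS interface
!
! Verification from the ASA side after a client connects:
!   show run group-policy ANYCONNECT_GP
!   show vpn-sessiondb detail anyconnect
!   show nat detail
```

From the client, a public "what is my IP" check should now return the ASA outside interface address rather than the client's home ISP address.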

New Member

One of the caveats is our AnyConnect clients are set to get IPs issued by our internal DHCP server, not from a pool set up on the ASA. Outside of that, we use AAA with LDAP.

Instead of switching our current one, would it be easier to create a new group that needs the tunnelall?  

Hall of Fame Super Silver

I don't know that one method vs. the other would be easier. End users tend to like accessing things the same way if that's at all practical.

You might try using a non-aliased profile for your own testing to verify it works as desired and then put those bits into the production profile when you're satisfied. (A profile without an alias won't show up in the drop-down list but can be set up to be accessed via a direct URL.)

New Member

Thanks Marvin. Really appreciate the input. I'll look into both.
