https://community.cisco.com/t5/network-security/split-tunneling-question/m-p/3375244#M960559 <P>No that is part of the configuration for hairpinning the VPN traffic out to the internet. in addition to this you need the command <STRONG>same-security-traffic permit intra-interface</STRONG></P> <P>&nbsp;</P> <P>For changing the configuration to tunnel-all you would need to change the group-policy configuration</P> <P><STRONG>group-policy AnyConnect_GrpPolicy internal</STRONG></P> <P><STRONG>group-policy AnyConnect_GrpPolicy attributes</STRONG></P> <P><STRONG>&nbsp; split-tunnel-policy tunnelall</STRONG></P> <P>&nbsp;</P> <P><STRONG>tunnel-group AnyConnect type remote-access</STRONG></P> <P><STRONG>tunnel-group AnyConnect general-attributes</STRONG></P> <P><STRONG>&nbsp; default-group-policy AnyConnect_GrpPolicy</STRONG></P> Mon, 30 Apr 2018 07:44:40 GMT Marius Gunnerud 2018-04-30T07:44:40Z https://community.cisco.com/t5/network-security/split-tunneling-question/m-p/3374986#M960556 <P>We were using a split-tunnelling in our office. So users got office network and internet using their own home network. We need to use office network and internet using the office network.We need to monitor internet traffic also in Cisco ASA of VPN-users.</P> Fri, 21 Feb 2020 15:40:58 GMT https://community.cisco.com/t5/network-security/split-tunneling-question/m-p/3374986#M960556 vishnuvichu36601 2020-02-21T15:40:58Z https://community.cisco.com/t5/network-security/split-tunneling-question/m-p/3375022#M960557 <P>Just set up the AnyConnect VPN to tunnel all traffic then configure a dynamic NAT policy for outside to outside for the AnyConnect subnet.&nbsp; now you should be able to see the connections through the ASA.</P> Sun, 29 Apr 2018 09:39:09 GMT https://community.cisco.com/t5/network-security/split-tunneling-question/m-p/3375022#M960557 Marius Gunnerud 2018-04-29T09:39:09Z https://community.cisco.com/t5/network-security/split-tunneling-question/m-p/3375189#M960558 <PRE>nat (outside,outside) <STRONG>source static obj-AnyconnectPool obj-AnyconnectPool destination<BR /> static obj-AnyconnectPool obj-AnyconnectPool</STRONG></PRE> <P>this is the configuration you are talking about?turn off the split-tunelling and tunelling all.???? </P> Mon, 30 Apr 2018 03:03:22 GMT https://community.cisco.com/t5/network-security/split-tunneling-question/m-p/3375189#M960558 vishnuvichu36601 2018-04-30T03:03:22Z https://community.cisco.com/t5/network-security/split-tunneling-question/m-p/3375244#M960559 <P>No that is part of the configuration for hairpinning the VPN traffic out to the internet. in addition to this you need the command <STRONG>same-security-traffic permit intra-interface</STRONG></P> <P>&nbsp;</P> <P>For changing the configuration to tunnel-all you would need to change the group-policy configuration</P> <P><STRONG>group-policy AnyConnect_GrpPolicy internal</STRONG></P> <P><STRONG>group-policy AnyConnect_GrpPolicy attributes</STRONG></P> <P><STRONG>&nbsp; split-tunnel-policy tunnelall</STRONG></P> <P>&nbsp;</P> <P><STRONG>tunnel-group AnyConnect type remote-access</STRONG></P> <P><STRONG>tunnel-group AnyConnect general-attributes</STRONG></P> <P><STRONG>&nbsp; default-group-policy AnyConnect_GrpPolicy</STRONG></P> Mon, 30 Apr 2018 07:44:40 GMT https://community.cisco.com/t5/network-security/split-tunneling-question/m-p/3375244#M960559 Marius Gunnerud 2018-04-30T07:44:40Z https://community.cisco.com/t5/network-security/split-tunneling-question/m-p/3375270#M960560 <P>group-policy AnyConnect_GrpPolicy internal</P> <P>group-policy AnyConnect_GrpPolicy attributes</P> <P>&nbsp; split-tunnel-policy tunnelall</P> <P>&nbsp;</P> <P>tunnel-group AnyConnect type remote-access</P> <P>tunnel-group AnyConnect general-attributes</P> <P>&nbsp; default-group-policy AnyConnect_GrpPolicy</P> <P>&nbsp;</P> <P>After this we need to write a NAT policy for outside for VPN Network to access internal network and office internet without using Client home ISP</P> Mon, 30 Apr 2018 08:45:15 GMT https://community.cisco.com/t5/network-security/split-tunneling-question/m-p/3375270#M960560 vishnuvichu36601 2018-04-30T08:45:15Z https://community.cisco.com/t5/network-security/split-tunneling-question/m-p/3375271#M960561 <P>That is correct.&nbsp; Keep in mind that you also need the command <STRONG>same-security-traffic permit intra-interface</STRONG></P> Mon, 30 Apr 2018 08:48:52 GMT https://community.cisco.com/t5/network-security/split-tunneling-question/m-p/3375271#M960561 Marius Gunnerud 2018-04-30T08:48:52Z https://community.cisco.com/t5/network-security/split-tunneling-question/m-p/3376469#M960563 <P><STRONG>Current senario we configured "same-security-traffic permit inter-interface".Can we configure both in asa same-security-traffic permit inter and intra interface?<BR /></STRONG></P> <P><STRONG>Test plan is that.</STRONG></P> <P><STRONG>Create a new group-policy and applied tunnel all and do a dynamic nat for vpn subnet outside outside.Is this step ok for testing???please help</STRONG></P> Wed, 02 May 2018 08:53:50 GMT https://community.cisco.com/t5/network-security/split-tunneling-question/m-p/3376469#M960563 vishnuvichu36601 2018-05-02T08:53:50Z https://community.cisco.com/t5/network-security/split-tunneling-question/m-p/3376571#M960565 <P>you can have both same-security-traffic permit inter-interface and same-security-traffic permit intra-interface configured at the same time.</P> <P>&nbsp;</P> <P><STRONG>Create a new group-policy and applied tunnel all and do a dynamic nat for vpn subnet outside outside.Is this step ok for testing???</STRONG></P> <P>Yes, this plus the same-security-traffic permit intra-interface command will allow hairpinning for AnyConnect.</P> Wed, 02 May 2018 12:22:05 GMT https://community.cisco.com/t5/network-security/split-tunneling-question/m-p/3376571#M960565 Marius Gunnerud 2018-05-02T12:22:05Z