We have many employees now working from home and connecting to the VPN (using Cisco AnyConnect). We are running ASA version 9.8. We have blocked split tunneling.
Typical VPN usage is to access internal applications and file servers. However, with so many folks at home complaining about having to disconnect the VPN to access the Internet, we are considering hairpinning. My concern is that all VPN sessions are coming in through a 10m data circuit and bandwidth utilization is very high. If we allow hairpinning of Internet traffic through the same firewall interface, will I see a degradation of performance on the VPN because of additional bandwidth utilization? Also, could there be a performance hit on the ASA device with all of the NAT'ing work?
Thanks in advance for your counsel.
With the given parameters, if you have a problem, it's gonna be BW related, not ASA performance related.
Thank you for your reply. So I should expect to see higher circuit utilization (and potential performance degradation) with Internet traffic coming in and out the same interface, correct?
What you add now is ingress/egress Internet traffic on that interface for the VPN users. If you don't want to risk a possible scenario where everything performs poorly, do the following:
- consider taking into account split-tunnelling; if this is not an option, see below
- monitor the ASA's egress interface to see what the PEAK BW is that you get with the current settings, move over just a couple of users to the new VPN with also Internet access, see via monitoring what the growth is; afterwards you'll be able to predict whether you have enough BW or not to accommodate all of your users
What is the ASA HW model?
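The measure-then-project step above, as an added example (not code from the thread or from Cisco): it takes byte-counter samples from the egress interface, finds the peak bit rate for a baseline window and for a pilot window with a few hairpinned users, derives the per-user growth and projects it against the 10 Mbps circuit. The counter samples and user counts are constructed values, and the circuit size is assumed from the question.

```python
"""Project whether hairpinned AnyConnect Internet traffic fits the VPN circuit."""

CIRCUIT_BPS = 10_000_000  # assumed: the 10 Mbps circuit from the question
COUNTER_MOD = 2 ** 64     # interface octet counters are 64-bit and wrap


def peak_rate_bps(samples):
    """samples: list of (seconds, in_octets, out_octets) read from the egress
    interface. Returns the peak combined in+out bit rate over consecutive
    intervals. Hairpinned Internet traffic crosses this interface twice (in
    from the VPN user, out to the Internet, and back), and the counters
    already capture both legs, so no extra doubling is needed."""
    peak = 0.0
    for (t0, i0, o0), (t1, i1, o1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            continue  # skip bad or duplicate samples
        octets = ((i1 - i0) % COUNTER_MOD) + ((o1 - o0) % COUNTER_MOD)
        peak = max(peak, octets * 8 / dt)
    return peak


def project(baseline_peak, pilot_peak, pilot_users, total_users,
            circuit_bps=CIRCUIT_BPS):
    """Per-user growth from the pilot, projected to the full user base."""
    per_user = max(0.0, (pilot_peak - baseline_peak) / pilot_users)
    projected = baseline_peak + per_user * total_users
    return {
        "per_user_bps": per_user,
        "projected_bps": projected,
        "utilization": projected / circuit_bps,
        "fits": projected <= circuit_bps,
    }


# Constructed samples: (seconds, in_octets, out_octets), polled every 60 s.
BASELINE = [(0, 0, 0), (60, 30_000_000, 15_000_000), (120, 60_000_000, 30_000_000)]
PILOT = [(0, 0, 0), (60, 36_000_000, 21_000_000), (120, 75_000_000, 45_000_000)]
PILOT_USERS = 3  # constructed: users moved to the hairpinned profile


def run(total_users):
    return project(peak_rate_bps(BASELINE), peak_rate_bps(PILOT),
                   PILOT_USERS, total_users)


if __name__ == "__main__":
    for n in (5, 20):
        r = run(n)
        print(f"{n} users: {r['projected_bps']/1e6:.1f} Mbps "
              f"({r['utilization']:.0%} of circuit), fits={r['fits']}")
```

Peak rate is the figure to compare, not the average, because the circuit saturates at the busiest minute.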