Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5893
Views
0
Helpful
1
Replies

AnyConnect Tunnel All Configuration

mvneteng
Level 1
Level 1

‎03-02-2018 08:44 AM - edited ‎02-21-2020 07:27 AM

Hi all,

I'm using split tunneling for our corporate users - partly because it makes it easier to manage bandwidth and we aren't trying to be too restrictive, and partly because tunnel all does not work in my environment.

 

To make it quick, the default gateway for the large VLAN that most clients use ends in .254. The default route on that gateway goes out through a fw-inside VLAN, into the ASA, back out the ASA into a fw-outside VLAN, and then hits the first hop WAN provider through a VRF.

 

The issue I'm running into here is that when I force tunnel-all on a client profile, they can reach internal resources, but they are assigned a default gateway of .1 along with their pool DHCP allocation and I cannot see a way to change this. From what I've heard, there is no way to change this behavior. Due to this, these users cannot reach any resources on the Internet when connected to the VPN.

 

I have also read that you can enable same-security-traffic permit intra-interface and create an outside/outside dynamic NAT rule from the AnyConnect pool in question to the outside interface and this would solve my problem, but I'm unsure of the implications.

 

I know there are tons of posts about this, but I haven't been able to find anything that speaks to this situation specifically. Any help is appreciated.

1 person had this problem
Labels:
0 Helpful
1 Reply 1

Rahul Govindan
VIP Alumni
VIP Alumni

‎03-02-2018 11:06 AM

I do not think the default gateway on the VPN client matters here. Once you set traffic to tunnel-all, all traffic is encrypted up until the ASA (outside interface). When decrypted, the ASA does a route lookup for the traffic and sends it out via the right interface. For internet traffic, you need to have some sort of NAT and the same-security-traffic command to be able to reach the internet. An example to do this is documented here:

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html#anc6

 

Share a sanitized version of your config on this thread if possible. 

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card