Hi all,
I'm using split tunneling for our corporate users - partly because it makes it easier to manage bandwidth and we aren't trying to be too restrictive, and partly because tunnel-all does not work in my environment.
To make it quick, the default gateway for the large VLAN that most clients use ends in .254. The default route on that gateway goes out through a fw-inside VLAN, into the ASA, back out the ASA into a fw-outside VLAN, and then hits the first hop WAN provider through a VRF.
The issue I'm running into here is that when I force tunnel-all on a client profile, they can reach internal resources, but they are assigned a default gateway of .1 along with their pool DHCP allocation and I cannot see a way to change this. From what I've heard, there is no way to change this behavior. Due to this, these users cannot reach any resources on the Internet when connected to the VPN.
I have also read that you can enable same-security-traffic permit intra-interface and create an outside/outside dynamic NAT rule from the AnyConnect pool in question to the outside interface and this would solve my problem, but I'm unsure of the implications.
I know there are tons of posts about this, but I haven't been able to find anything that speaks to this situation specifically. Any help is appreciated.
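For reference, the hairpin configuration mentioned in the post, written out as an added example and not taken from the poster's own ASA. It assumes ASA 8.3+ object NAT syntax; the pool subnet 192.0.2.0/24 and the object name ANYCONNECT_POOL are placeholders, not values from the post.

```cisco
! Permit traffic to enter and leave the same interface (outside -> outside hairpin).
! Without this the ASA silently drops tunnel-all clients' Internet traffic.
same-security-traffic permit intra-interface
!
! Placeholder object for the AnyConnect address pool (constructed, not the poster's pool).
object network ANYCONNECT_POOL
 subnet 192.0.2.0 255.255.255.0
!
! Dynamic PAT: decrypted pool traffic that exits the outside interface is
! translated to the outside interface address. Traffic to internal networks
! must still be exempted from NAT by the existing VPN identity/twice-NAT rule,
! otherwise internal destinations would also be PATed to the outside address.
object network ANYCONNECT_POOL
 nat (outside,outside) dynamic interface
!
! Implication for the outside interface: hairpinned client traffic is subject
! to the ACL and inspection policy applied to "outside", so Internet-bound
! VPN traffic is now filtered and logged by the ASA rather than bypassing it
! as it does with split tunneling.
```

After applying it, `show nat detail` should show the translate_hits counter for the (outside,outside) rule increasing while a tunnel-all client browses, and the outside ACL hit counts will reflect that client's Internet traffic.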