AnyConnect Tunnel All Configuration

mvneteng
Level 1

Hi all,

I'm using split tunneling for our corporate users - partly because it makes it easier to manage bandwidth and we aren't trying to be too restrictive, and partly because tunnel all does not work in my environment.

To make it quick, the default gateway for the large VLAN that most clients use ends in .254. The default route on that gateway goes out through a fw-inside VLAN, into the ASA, back out the ASA into a fw-outside VLAN, and then hits the first hop WAN provider through a VRF.

The issue I'm running into here is that when I force tunnel-all on a client profile, they can reach internal resources, but they are assigned a default gateway of .1 along with their pool DHCP allocation and I cannot see a way to change this. From what I've heard, there is no way to change this behavior. Due to this, these users cannot reach any resources on the Internet when connected to the VPN.

I have also read that you can enable same-security-traffic permit intra-interface and create an outside/outside dynamic NAT rule from the AnyConnect pool in question to the outside interface and this would solve my problem, but I'm unsure of the implications.

I know there are tons of posts about this, but I haven't been able to find anything that speaks to this situation specifically. Any help is appreciated.

1 Reply

Rahul Govindan
VIP Alumni

I do not think the default gateway on the VPN client matters here. Once you set traffic to tunnel-all, all traffic is encrypted up until the ASA (outside interface). When decrypted, the ASA does a route lookup for the traffic and sends it out via the right interface. For internet traffic, you need to have some sort of NAT and the same-security-traffic command to be able to reach the internet. An example to do this is documented here:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html#anc6

Share a sanitized version of your config on this thread if possible.
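The hairpin ("U-turn") configuration the reply refers to, written out as an added example; it is not the poster's configuration and not taken from the thread or from the linked Cisco document. It assumes ASA 8.3+ NAT syntax, interfaces named inside and outside, a hypothetical AnyConnect pool 192.0.2.0/24, inside networks summarized as 10.0.0.0/8, and a group policy named GP_TUNNEL_ALL (all placeholders). The identity NAT rule for pool-to-inside traffic is included because the hairpin PAT must not translate internal traffic.

```cisco
! Added example, not the poster's config. Placeholders: pool 192.0.2.0/24,
! inside networks 10.0.0.0/8, interface names "inside" and "outside".

! AnyConnect address pool, plus network objects used by the NAT rules below
ip local pool ANYCONNECT_POOL 192.0.2.10-192.0.2.250 mask 255.255.255.0
object network ANYCONNECT_POOL_NET
 subnet 192.0.2.0 255.255.255.0
object network INSIDE_NETS
 subnet 10.0.0.0 255.0.0.0

! Tunnel-all: the client sends every packet, Internet-bound included, into the tunnel
group-policy GP_TUNNEL_ALL internal
group-policy GP_TUNNEL_ALL attributes
 split-tunnel-policy tunnelall
 address-pools value ANYCONNECT_POOL

! Without this, decrypted packets that arrived on "outside" cannot be routed
! back out of "outside", so Internet-bound VPN traffic is dropped
same-security-traffic permit intra-interface

! 1) Identity NAT for pool <-> inside traffic, listed first so it takes
!    precedence over the PAT rule below; route-lookup makes the ASA pick the
!    egress interface from its routing table
nat (inside,outside) source static INSIDE_NETS INSIDE_NETS destination static ANYCONNECT_POOL_NET ANYCONNECT_POOL_NET no-proxy-arp route-lookup

! 2) Hairpin PAT: pool addresses leaving via "outside" are translated to the
!    outside interface address so Internet hosts can reply to them
nat (outside,outside) source dynamic ANYCONNECT_POOL_NET interface
```

To confirm the path before handing it to users, run a trace for a pool address towards an Internet host, e.g. `packet-tracer input outside tcp 192.0.2.10 40000 198.51.100.5 443` (198.51.100.5 is a documentation address used as a placeholder); the NAT phase should match the outside,outside rule and the result should be ALLOW, and `show nat` should then show the hit count on that rule increasing. On the implications the poster asked about: the intra-interface permit is global, not limited to the outside interface, and because decrypted VPN traffic bypasses the outside interface ACL by default (sysopt connection permit-vpn), any restriction on what VPN users may reach on the Internet belongs in a vpn-filter or group-policy ACL rather than in the outside interface's access list.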