Anyconnect VPN config with Internet and LAN access

Psmurali89

Hi

I am trying to configure an AnyConnect VPN profile that allows users to access all the LAN subnets (behind the firewall) and also have Internet access through the firewall.

I tried to enable split tunnel and configured an ACL for all the LAN subnets behind the firewall, but I am not sure what is required for Internet access through the firewall.

Do I need to configure U-Turn NAT for that VPN pool?

Source: VPN Pool

Destination: Any

NAT: Dynamic (PAT) and choose Outside interface IP of the firewall

Does the above NAT config allow internet access, or am I still missing anything?

11 Replies

Configure AnyConnect VPN Client U-turn Traffic on ASA 9.X - Cisco

check this guide, 
config split with u-turn internet traffic 

Thank you. 

If there are any questions, please ask here.

You can apply split with u-turn internet.

Sorry, you mean I can enable split tunnelling and add an ACL for all local LAN subnets, and also configure U-Turn NAT for Internet, and users will be able to access both LAN and internet when connected to AnyConnect?

@Psmurali89 You say enable split tunnel and add the ACL for the local LAN subnets.....but then the networks for the internet would not be tunneled through the VPN, they'd break out locally.

You can configure split tunnel in multiple ways: you can split-include or split-exclude networks, or use dynamic split tunnel.

As per your initial request in the first post "allows user to access the all LAN subnets (behind the firewall) and also Internet access through the firewall." - then you'd not use split tunnel, you'd tunnel all traffic to the ASA/FTD and u-turn.

Thank you. 

Yes, ok, so I will not enable split tunnel, configure U-Turn, and check if I can access all LAN subnets behind the firewall and the Internet through the firewall. I will update how it goes.

The traffic of split/tunnel-all/u-turn can be summarised as follows:
1- split with u-turn
A- the client needs to talk to another client in the internet (both are AnyConnect)
B- the client needs to talk to a server in the internet (client is AnyConnect and server is in a different subnet)
2- tunnel-all with u-turn

A- the client needs to talk to another client in the internet (both are AnyConnect)
B- the client needs to talk to a server in the internet (client is AnyConnect and server is in a different subnet)

3- split with INTERNET
here the client can connect to ANY server/host in the INTERNET using its public IP
and connect to inside ASA using its assigned private IP

4- tunnel-all with INTERNET
here the client always sends traffic to the ASA whether it goes to inside or internet

so from the above, which one do you want??

@Psmurali89 if you want to access the internet through the firewall you'd want to tunnel all traffic, so you wouldn't use split tunnel.

You need the command below to allow u-turn traffic

same-security-traffic permit intra-interface

And a NAT exemption rule to ensure traffic between the LAN networks and the RAVPN Pool is not unintentionally translated.

nat (INSIDE,OUTSIDE) source static LAN LAN destination static RAVPN-POOL RAVPN-POOL 

You need a dynamic PAT rule to allow the internet traffic for the RAVPN users.

object network RAVPN-POOL
 subnet 10.4.4.0 255.255.255.0
 nat (OUTSIDE,OUTSIDE) dynamic interface
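As an added example (not code from the thread or from Cisco), a small Python check that reads an ASA running-config excerpt and reports which of the pieces named in the reply above are absent: the intra-interface permit, a tunnel-all policy, the LAN/pool NAT exemption and the pool's dynamic PAT. The object names LAN, RAVPN-POOL and OUTSIDE follow the reply; the sample config is constructed and deliberately omits the intra-interface permit.

```python
import re

# Constructed sample running-config excerpt (not from the thread). It has the
# NAT exemption, the pool PAT and tunnel-all, but omits the intra-interface permit.
SAMPLE_CONFIG = """\
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network RAVPN-POOL
 subnet 10.4.4.0 255.255.255.0
 nat (OUTSIDE,OUTSIDE) dynamic interface
nat (INSIDE,OUTSIDE) source static LAN LAN destination static RAVPN-POOL RAVPN-POOL
group-policy RAVPN-GP attributes
 split-tunnel-policy tunnelall
"""


def check_uturn_config(config, lan="LAN", pool="RAVPN-POOL", outside="OUTSIDE"):
    """Return {requirement: present?} for the tunnel-all + u-turn internet design."""
    stripped = [ln.strip() for ln in config.splitlines()]
    result = {
        # Hairpinning VPN traffic back out the same interface needs this global permit.
        "intra_interface": "same-security-traffic permit intra-interface" in stripped,
        # ASA group-policy default is tunnelall; only an explicit split policy breaks it.
        "tunnel_all": not any(
            re.match(r"split-tunnel-policy (tunnelspecified|excludespecified)", s)
            for s in stripped),
        # Twice-NAT identity rule so LAN <-> pool traffic is left untranslated.
        "nat_exemption": any(
            re.match(rf"nat \(\S+,{outside}\) source static {lan} {lan} "
                     rf"destination static {pool} {pool}$", s)
            for s in stripped),
        "pool_pat": False,
    }
    # The dynamic PAT lives inside the pool's "object network" block, so track the block.
    current_obj = None
    for raw in config.splitlines():
        m = re.match(r"object network (\S+)\s*$", raw)
        if m:
            current_obj = m.group(1)
        elif not raw.startswith(" "):
            current_obj = None  # any other top-level line ends the block
        elif current_obj == pool and raw.strip() == f"nat ({outside},{outside}) dynamic interface":
            result["pool_pat"] = True
    return result


def missing_items(config, **kw):
    """Names of the requirements that are absent, in check order."""
    return [name for name, ok in check_uturn_config(config, **kw).items() if not ok]


if __name__ == "__main__":
    print(missing_items(SAMPLE_CONFIG))  # ['intra_interface']
```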

Hi 

Sorry, you mean I should not enable split tunnel?

The first 2 steps you mentioned have been configured already. I will configure U-NAT.

So as long as I configure U-NAT and do not enable split tunnel, the users should be able to access all LAN subnets behind the firewall and also the internet via the firewall?

@Psmurali89 correct, don't enable split tunnel.

Correct, you need U-NAT and to tunnel all traffic over the VPN (by not enabling split-tunnel).

Thank you, I will try that today. 
