Here’s your chance to discuss Cisco Secure Remote Working technologies such as AnyConnect, ASA, FTD, Duo, and Umbrella. In this session, the experts will answer questions about emergency licenses, design, configuration, and troubleshooting. Our experts span more than 12 time zones. Also, we’ll be translating the session into multiple languages to provide you with the best experience possible.
This forum event works well as an introduction for those who are not familiar with these security solutions and/or have recently started using them.
Ask questions from Friday, March 20 to Friday, April 3, 2020
Divya Nair is a Technical Marketing Engineer with the Security Business Group in Raleigh, North Carolina. She has more than 10 years of experience in Cisco network security technologies, including firewalls, IPS, VPN, and AAA; and is currently focusing on VPN and firewall management platforms. Divya holds a Bachelor's degree in Computer Science and Engineering.
I assume it's an ASA.
You would need the following commands to gain internet access.
We need to hairpin traffic for AnyConnect users.
same-security-traffic permit intra-interface
object network obj-AnyconnectPool
 subnet <pool network> <pool mask>
 nat (outside,outside) dynamic interface
where obj-AnyconnectPool is the AnyConnect pool network
TunnelAll means the traffic has to reach the headend (ASA) and from there we are routing the traffic (with the use of Dynamic PAT on the outside interface) to the internet.
You would need a reverse-route (for the pool) on the downstream device.
Something like this:
ip route x.x.x.x mask <ASA inside interface IP>
I am already using that NAT for inside access - how do I allow the IP pool for AnyConnect to be allowed to the internet via the headend device?
The client connects to AnyConnect and receives an IP address from the AnyConnect IP pool.
With the NAT below they can reach internal networks but NOT the INTERNET. [I replaced the "any" with an internal object group.]
nat (inside,outside) source static any any destination static obj-Anyconnect obj-Anyconnect
What EXACTLY is needed to allow that AnyConnect IP pool to ALSO go to the internet? Because this NAT is not allowing the client out to the internet???
The following guide details all the steps you need to achieve this: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html
Please have a look and let us know if you have any questions.
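To put the expert's reply (hairpin PAT plus reverse route) and the question about the existing inside NAT side by side, here is an added ASA configuration example; it is not from the reply, the thread or the linked guide. The addresses (10.1.1.0/24 inside, 192.0.2.0/24 pool) and the names obj-Inside, GP-TUNNELALL and RA-VPN are placeholders chosen for this example.

```cisco
! Placeholder addressing (assumed for this example only):
!   10.1.1.0/24  = inside LAN
!   192.0.2.0/24 = AnyConnect address pool
ip local pool ANYCONNECT-POOL 192.0.2.1-192.0.2.254 mask 255.255.255.0

object network obj-Inside
 subnet 10.1.1.0 255.255.255.0
object network obj-AnyconnectPool
 subnet 192.0.2.0 255.255.255.0

! Let decrypted VPN traffic leave on the same interface it arrived on (outside -> outside)
same-security-traffic permit intra-interface

! Section 1 (twice NAT): identity rule so inside <-> pool traffic is NOT translated.
! This is the "inside access" rule from the question, with the pool object instead of "any".
nat (inside,outside) source static obj-Inside obj-Inside destination static obj-AnyconnectPool obj-AnyconnectPool no-proxy-arp route-lookup

! Section 3 (object NAT): the hairpin PAT from the reply. Pool sources entering on
! outside and leaving on outside are PATed to the outside interface address.
object network obj-AnyconnectPool
 nat (outside,outside) dynamic interface

! Tunnel-all group policy: the client sends internet traffic to the ASA,
! which is what makes the (outside,outside) rule above necessary.
group-policy GP-TUNNELALL internal
group-policy GP-TUNNELALL attributes
 split-tunnel-policy tunnelall

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GP-TUNNELALL
```

After a client connects and browses, `show nat` should show increasing translate_hits on the (outside,outside) object rule; a count that stays at zero usually means the group policy is not tunnelall or is not the one applied to the tunnel-group. The downstream router still needs the reverse route for 192.0.2.0/24 pointing at the ASA inside address, as the reply notes.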