04-28-2018 09:30 PM - edited 02-21-2020 07:40 AM
We were using split-tunnelling in our office, so users got the office network through the VPN and the internet through their own home network. We need them to use the office network and the internet through the office network. We also need to monitor the internet traffic of VPN users in the Cisco ASA.
Labels: NGFW Firewalls
Accepted Solutions
04-29-2018 02:39 AM
Just set up the AnyConnect VPN to tunnel all traffic, then configure a dynamic NAT policy for outside to outside for the AnyConnect subnet. Now you should be able to see the connections through the ASA.
Please remember to select a correct answer and rate helpful posts
04-29-2018 08:03 PM
nat (outside,outside) source static obj-AnyconnectPool obj-AnyconnectPool destination static obj-AnyconnectPool obj-AnyconnectPool
Is this the configuration you are talking about? Turn off the split-tunnelling and tunnel all?
04-30-2018 12:44 AM
No, that is part of the configuration for hairpinning the VPN traffic out to the internet. In addition to this you need the command same-security-traffic permit intra-interface.
For changing the configuration to tunnel-all you would need to change the group-policy configuration:
group-policy AnyConnect_GrpPolicy internal
group-policy AnyConnect_GrpPolicy attributes
 split-tunnel-policy tunnelall
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 default-group-policy AnyConnect_GrpPolicy
Please remember to select a correct answer and rate helpful posts
04-30-2018 01:45 AM
group-policy AnyConnect_GrpPolicy internal
group-policy AnyConnect_GrpPolicy attributes
 split-tunnel-policy tunnelall
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 default-group-policy AnyConnect_GrpPolicy
After this we need to write a NAT policy on outside for the VPN network to access the internal network and the office internet without using the client's home ISP.
04-30-2018 01:48 AM
That is correct. Keep in mind that you also need the command same-security-traffic permit intra-interface.
Please remember to select a correct answer and rate helpful posts
05-02-2018 01:53 AM
In the current scenario we configured "same-security-traffic permit inter-interface". Can we configure both same-security-traffic permit inter-interface and intra-interface on the ASA?
The test plan is this:
Create a new group-policy with tunnel-all applied and do a dynamic NAT for the VPN subnet outside to outside. Is this step OK for testing? Please help.
05-02-2018 05:22 AM
You can have both same-security-traffic permit inter-interface and same-security-traffic permit intra-interface configured at the same time.
"Create a new group-policy with tunnel-all applied and do a dynamic NAT for the VPN subnet outside to outside. Is this step OK for testing?"
Yes, this plus the same-security-traffic permit intra-interface command will allow hairpinning for AnyConnect.
Please remember to select a correct answer and rate helpful posts
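Pulling the pieces of this thread together, the following is an added example ASA configuration written for this page; it is not any poster's config and was not posted in the thread. The addresses (10.10.10.0/24 for the AnyConnect pool, 192.168.1.0/24 for the inside network), the object name obj-inside-net and the pool name AnyconnectPool are assumptions; obj-AnyconnectPool, AnyConnect_GrpPolicy and the tunnel-group name AnyConnect come from the thread. It shows the tunnel-all group policy, the intra-interface permit, an identity NAT so VPN clients still reach the inside network untranslated, and the outside-to-outside dynamic PAT that hairpins their internet traffic through the ASA's public address, followed by the show commands used to confirm the traffic is now visible on the firewall.

```text
! Assumed addressing (constructed for this example, not from the thread)
ip local pool AnyconnectPool 10.10.10.1-10.10.10.254 mask 255.255.255.0
object network obj-AnyconnectPool
 subnet 10.10.10.0 255.255.255.0
object network obj-inside-net
 subnet 192.168.1.0 255.255.255.0

! Allow a flow to enter and leave the same (outside) interface - required for hairpinning
same-security-traffic permit intra-interface

! Identity NAT: VPN client -> inside network is not translated.
! Manual NAT (section 1), so it is evaluated before the dynamic rule below.
nat (outside,inside) source static obj-AnyconnectPool obj-AnyconnectPool destination static obj-inside-net obj-inside-net no-proxy-arp route-lookup

! Hairpin PAT: VPN client -> internet is translated to the outside interface address.
! after-auto puts it in section 3 so it never shadows the identity rule above.
nat (outside,outside) after-auto source dynamic obj-AnyconnectPool interface

! Tunnel-all group policy: no split tunnelling, everything enters the ASA
group-policy AnyConnect_GrpPolicy internal
group-policy AnyConnect_GrpPolicy attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 address-pools value AnyconnectPool

tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 default-group-policy AnyConnect_GrpPolicy

! Verification after a client connects
show vpn-sessiondb anyconnect
show nat
show conn address 10.10.10.0 netmask 255.255.255.0
```

With this in place, each VPN user's internet connection is built and torn down on the ASA like any other flow, so it appears in show conn and in the normal connection build/teardown syslogs (302013/302014 for TCP). One caveat worth knowing before relying on the firewall to filter that traffic: by default sysopt connection permit-vpn lets decrypted VPN traffic bypass the outside interface ACL, so if you want the ACL to apply to the hairpinned internet traffic you must either disable that option (no sysopt connection permit-vpn) or attach a vpn-filter ACL to the group policy.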
