AnyConnect connect to internet via ASA

i716, Level 1

I know that there are quite a few discussions about this topic and I have read most of them. Unfortunately none of them seems to work so I will ask the question again.

 

I have an ASA at home which serves both as a router for my broadband connection and a VPN device.

The setup is as like this:

 

Two interfaces, inside and outside, outside gets the IP via PPPoE from the ISP. Inside via DHCP. A certain range of that is allocated for VPN access, let's call it 192.168.1.10 - 192.168.1.20

Needless to say that VPN is setup as well.

 

Now if I connect the internet from my laptop via mobile phone, I can access my home LAN. I can access all servers, printers, TV, etc. There are no issues here.

But if I try to open a website on my laptop while it is connected to VPN, it won't work.

(Workaround at the moment is to RDP to a computer running on the LAN and access the internet from there)

 

My idea behind this is that when I'm traveling and use public WiFi, I would like to connect not only to my LAN, but also have all internet traffic routed over my home connection. 

I was under the impression that my laptop, which became a device on my LAN after the VPN connection, would have the same privileges as the other devices on the LAN. As I said above, it can communicate with all devices on the LAN, but it cannot establish a connection to the internet.

 

After reading a few threads on here, there were two terms that I came across:

- split tunnel

- hair pinning

Regarding the "split tunnel", that is not what I am looking for. All traffic from the Laptop should go over VPN. "Hair pinning", as in enabling the checkbox "Enable traffic between two or more interfaces which are configured with the same security levels" simply doesn't work.

 

Is there no way to achieve this? I would prefer ASDM over CLI and it would be nice if there was a way which doesn't involve creating ACLs or similar. Thanks in advance for your help.

5 Replies

1) For hair-pinning, it is the other check-box. You need to allow traffic entering and exiting the same interface:

same-security-traffic permit intra-interface

2) Do you have a nat-rule for traffic from outside to outside?

nat (outside,outside) after-auto source dynamic any interface

 

Hello Karsten,

Thank you for your reply. I have tried both check boxes but unfortunately none of them work.

How can I implement your second suggestion via the ASDM?

In the NAT-rules, add a new rule "after object network NAT":

- source-int: outside

- dest-int: outside

- NAT type: Dynamic NAT hide

- Source Address: Interface outside

Hi

Split tunneling is used to indicate which subnets are reachable via the VPN only; another function is to separate the Internet flow, for example:

 

You could have Internet access via the VPN using the home Internet, but from experience it is not recommended. My suggestion is that when you are connected to the VPN through a public Internet connection you should have access to the LANs behind the firewall only, and Internet access should go via the public Internet you are connecting from, so the traffic is separated.

 

Now in order to provide Internet access via the VPN tunnel you should allow the VPN pool into the NAT and create the ACLs as well.

 

As I remember there are 2 ways to configure split tunnelling: one allowing everything through the tunnel and the other specifying only what you will be reaching. Try enabling:

 

split-tunnel-policy tunnelall

 

Please visit this website:

https://kostya.ws/projects/networking/cisco/asa-split-tunneling/

 

Hope it is useful

:-)




>> Mark as helpful or answered if the reply resolved the question; this helps other community members with future queries. <<
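The two replies above boil down to three lines that must all be present on the ASA for the hairpin to work: `same-security-traffic permit intra-interface`, the outside-to-outside dynamic NAT, and `split-tunnel-policy tunnelall` in the group policy. The following is an added audit helper, not Cisco's tooling or anything posted in this thread; the sample running-config is constructed (interface names, `GP_ANYCONNECT`, `SPLIT_ACL` are made up) and deliberately contains the wrong `inter-interface` checkbox the original poster tried, so the audit reports all three items as missing.

```python
import re

# Constructed excerpt of an ASA running-config, not from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address pppoe setroute
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
same-security-traffic permit inter-interface
object network obj-inside
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source dynamic obj-inside interface
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
"""

# (description, regex matched against each whole config line, line to add if absent)
REQUIREMENTS = [
    ("hairpin: traffic may enter and leave the outside interface",
     r"^same-security-traffic permit intra-interface$",
     "same-security-traffic permit intra-interface"),
    ("outside-to-outside NAT hiding VPN clients behind the outside address",
     r"^nat \(outside,outside\) after-auto source dynamic any interface",
     "nat (outside,outside) after-auto source dynamic any interface"),
    ("full tunnel so the client's internet traffic is sent to the ASA",
     r"^\s+split-tunnel-policy tunnelall$",
     "split-tunnel-policy tunnelall  (under group-policy ... attributes)"),
]


def audit_hairpin_config(config_text):
    """Return a list of (description, present, fix) for each requirement."""
    lines = config_text.splitlines()
    return [(desc, any(re.match(pat, ln) for ln in lines), fix)
            for desc, pat, fix in REQUIREMENTS]


def missing_fixes(config_text):
    """Only the config lines that still need to be added."""
    return [fix for _, present, fix in audit_hairpin_config(config_text) if not present]


if __name__ == "__main__":
    for desc, present, fix in audit_hairpin_config(SAMPLE_CONFIG):
        print(("OK      " if present else "MISSING ") + desc)
        if not present:
            print("          add: " + fix)
```

Paste the output of `show running-config` into `SAMPLE_CONFIG` (or read it from a file) to check your own box; note that `inter-interface` alone is reported as missing, which is exactly the checkbox mix-up described in the thread.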

Hi,

 

You can configure the Split Tunnel Policy and choose "Tunnel Network List Below". Here is an example from Cisco Systems:

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100936-asa8x-split-tunnel-anyconnect-config.html

 

Best regards
