Hi, we have a Cisco ASA 5500 series firewall where our employees connect via Cisco AnyConnect. Since then we have used split-tunneling so our employees can connect to cloud-based enterprise applications without passing through our main link. However, just recently we added another cloud-based solution, and this time it only allows one IP address to connect to it. We put in our external public gateway; it worked for employees in the office, but this solution is not working for employees that are around the world and always mobile. How can I force VPN clients to use our public gateway to access this cloud-based solution, without removing the split-tunnel policy? I already put in the exempt policy for the IP address, but the routing stops in our firewall. Any sample config will be very helpful, and how to approach it. Thank you.
You need to add the destination IP address of the new service into the split-tunnel list. You need to configure the ASA to NAT this for (outside,outside) to the external public IP address that you want web browsing to come from, and you may need to create an access rule to allow this (the firewall logs are likely to tell you the answer).
Can you help with an example? Just to put what you suggested in a configuration, is this right?
Ex. Public IP: 188.8.131.52 (Public_IP)
VPN IP pool: 192.168.252.0/24
External IP: 184.108.40.206
* To include in the split-tunnel list
access-list vpnssl-split extended permit ip 220.127.116.11 255.255.255.255 192.168.252.0 255.255.255.0
* nat this for (outside,outside)
static (outside,outside) 18.104.22.168 22.214.171.124 netmask 255.255.255.255
* to create an access rule
access-list outsite_acl extended permit tcp any object-group Public_IP
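The following is an added configuration example that is not part of the original thread; it puts the three steps from the answer above (split-tunnel entry, outside-to-outside NAT, access rule) next to the poster's draft. It keeps the VPN pool 192.168.252.0/24 and the ACL name vpnssl-split from the question, but the SaaS host 203.0.113.10, the whitelisted public address 198.51.100.5 and the group-policy name VPN_GP are assumed placeholders. Two points the draft above misses: the ASA drops a flow that leaves on the interface it arrived on unless same-security-traffic permit intra-interface is set, and a static (outside,outside) host entry translates a single address, whereas the whole client pool has to be PAT'd to the one whitelisted address. The pre-8.3 nat/global syntax matches the draft; the 8.3+ equivalent is shown commented out.

```cisco
! Added example (not from the thread). Assumed values:
!   203.0.113.10  = SaaS host that whitelists a single source address (placeholder)
!   198.51.100.5  = public address the SaaS provider has whitelisted (placeholder)
!   VPN_GP        = assumed AnyConnect group-policy name
!   192.168.252.0/24 and vpnssl-split come from the question.

! 1. Permit a packet to exit the interface it entered (outside -> outside hairpin).
!    Without this the ASA silently drops the VPN-to-Internet flow.
same-security-traffic permit intra-interface

! 2. Add the SaaS host to the split-tunnel list. For an extended split-tunnel ACL the
!    protected network is the source and the client pool is the destination, so the
!    poster's ordering is correct; 'host' is just shorthand for the /32 mask.
!    Clients only receive the new list on their next connection.
access-list vpnssl-split extended permit ip host 203.0.113.10 192.168.252.0 255.255.255.0

group-policy VPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnssl-split

! 3. Pre-8.3 NAT (same syntax family as the draft): dynamic PAT of the whole VPN pool
!    to the whitelisted public address when the traffic leaves 'outside' again.
!    Verify the exact nat/global form against your running release.
nat (outside) 10 192.168.252.0 255.255.255.0
global (outside) 10 198.51.100.5

! 3b. Equivalent on ASA 8.3 and later; use instead of the nat/global pair above.
! object network SAAS_SRC_NAT
!  host 198.51.100.5
! object network VPN_POOL
!  subnet 192.168.252.0 255.255.255.0
!  nat (outside,outside) dynamic SAAS_SRC_NAT

! 4. Access rule. Decrypted VPN traffic bypasses the inbound interface ACL while
!    'sysopt connection permit-vpn' (the default) is set, so an entry is only needed
!    if you apply an ACL in the OUTBOUND direction on outside. Example:
! access-list outside_out extended permit tcp 192.168.252.0 255.255.255.0 host 203.0.113.10 eq 443
! access-group outside_out out interface outside

! 5. Check the path before asking a mobile user to test. The trace should show the
!    NAT phase translating the client address to 198.51.100.5 and an ALLOW result.
! packet-tracer input outside tcp 192.168.252.10 1025 203.0.113.10 443
! show nat
! show logging | include 203.0.113.10
```

The split-tunnel entry makes the client send the SaaS traffic into the tunnel, the intra-interface setting lets the ASA turn it around, and the PAT rewrites every client's source address to the one the provider has whitelisted; if packet-tracer reports a drop, its phase output names which of the three is missing.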