I currently have a remote "VPN on a stick" configuration set up on an ASA's "outside" interface that provides access to two networks on the same side. Hosts are set up in a split-tunnel configuration so that only the 134.23/16 and 166.43/16 network traffic is sent to the VPN.

Example (IPs changed):

    (PRIVATE) -- ASA -- router ------------------- (Internet) ---- Host (any IP) (anyconnect)
                          |
                          |------ 134.23.0.0/16
                          |
                          |------ 166.43.0.0/16 ------- router ------ 166.43.1.0/24 ------ Host (on 166.43.1/24) (anyconnect)

Tunnel access-list:

    access-list tunnel standard permit 134.23.0.0 255.255.0.0
    access-list tunnel standard permit 166.43.0.0 255.255.0.0

Even though users can connect from the Internet, the configuration does not provide access to the Internet from the VPN (only access to the two other networks).

The problem is that if a host connects from one of the two networks allowed by the VPN, but from a "more specific" subnet in that network, the client will follow normal routing rules and not pass traffic through the VPN, because the prefix length is longer on the 166.43.1/24 subnet.

I am able to add the following configuration to the tunnel to force traffic through the VPN, but this would have to be done for all subnets with a longer prefix than the first two:

    access-list tunnel standard permit 166.43.1.0 255.255.255.0

Is there a way to have the AnyConnect VPN client force traffic destined for a network through the tunnel regardless of a more specific route that may exist on the client's machine? (This is done so that the traffic is encrypted, even if the client can connect to the desired machine without the VPN.)

Thanks!
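Added example, not part of the original post: a small Python model of the client-side longest-prefix-match decision the post describes. The two secured networks and the 166.43.1/24 subnet are taken from the post; the client routing table, its metrics, and the helper names (route_for, bypassing_subnets, extra_aces) are constructed for illustration. It shows why a host sitting on 166.43.1/24 reaches other hosts on that subnet outside the tunnel, finds every local route that is more specific than a secured network, and generates the extra standard ACEs needed to cover them. Whether such an ACE actually wins on the client depends on the metric AnyConnect gives its routes; the example assumes it is lower than the on-link route's.

```python
import ipaddress

# Split-tunnel ACL from the post (standard ACL: network + mask).
SPLIT_TUNNEL_ACL = [
    ("134.23.0.0", "255.255.0.0"),
    ("166.43.0.0", "255.255.0.0"),
]

# Constructed client routing table (hypothetical): a laptop sitting on the
# 166.43.1.0/24 subnet, with its on-link route and a default route.
# Metrics are illustrative; the VPN route gets the lower metric so that it
# wins when prefix lengths tie (an assumption about the client's behaviour).
CLIENT_LOCAL_ROUTES = [
    ("166.43.1.0/24", "local", 10),
    ("0.0.0.0/0", "local", 10),
]
VPN_METRIC = 1


def acl_to_networks(acl):
    """Turn (network, mask) ACEs into ip_network objects."""
    return [ipaddress.ip_network(f"{net}/{mask}") for net, mask in acl]


def client_table(secured, local_routes):
    """Routing table after the client installs one route per secured network."""
    table = [(net, "vpn", VPN_METRIC) for net in secured]
    table += [(ipaddress.ip_network(n), via, metric) for n, via, metric in local_routes]
    return table


def route_for(dest, table):
    """Longest-prefix match, lowest metric on a tie; returns (network, via)."""
    addr = ipaddress.ip_address(dest)
    candidates = [(net, via, metric) for net, via, metric in table if addr in net]
    net, via, _ = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return net, via


def bypassing_subnets(secured, local_routes):
    """Local routes strictly more specific than a secured network.

    Traffic to these destinations stays off the tunnel even though the
    enclosing /16 is in the split-tunnel list.
    """
    leaks = []
    for n, _via, _metric in local_routes:
        net = ipaddress.ip_network(n)
        if any(net.subnet_of(s) and net.prefixlen > s.prefixlen for s in secured):
            leaks.append(net)
    return leaks


def extra_aces(subnets, acl_name="tunnel"):
    """Standard ACEs covering those subnets, so the client installs a matching VPN route."""
    return [
        f"access-list {acl_name} standard permit {n.network_address} {n.netmask}"
        for n in subnets
    ]


if __name__ == "__main__":
    secured = acl_to_networks(SPLIT_TUNNEL_ACL)
    table = client_table(secured, CLIENT_LOCAL_ROUTES)
    for dest in ("166.43.1.10", "166.43.2.10", "134.23.5.5", "8.8.8.8"):
        net, via = route_for(dest, table)
        print(f"{dest:<14} -> {via:<5} via {net}")
    leaks = bypassing_subnets(secured, CLIENT_LOCAL_ROUTES)
    print("\n".join(extra_aces(leaks)))
    patched = client_table(secured + leaks, CLIENT_LOCAL_ROUTES)
    print("166.43.1.10 after adding the /24 ACE ->", route_for("166.43.1.10", patched)[1])
```

Running it prints that 166.43.1.10 goes out locally while 166.43.2.10 and 134.23.5.5 go via the VPN, emits the same /24 ACE the post adds by hand, and shows that destination moving onto the tunnel once the ACE is present. The same two helpers can be fed a full `route print` or `ip route` dump to enumerate every longer-prefix subnet a given client would bypass.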