05-11-2022 08:43 AM
Hello
Due to a business requirement we want to disable split tunnelling and have all our AnyConnect VPN users go through our corporate internet. We have already disabled split tunnelling for remote VPN users. Now the problem is that users can access the corporate resources like servers etc., but they are not able to get to the internet. I would like to know if there is anything we need to change in the AnyConnect settings in the firewall which can solve this problem. Please find attached the screenshot of our AnyConnect VPN policy.
Any help in this regard will be really helpful.
05-11-2022 08:47 AM
@cybergeek you will need to allow the traffic to hairpin using the command same-security-traffic permit intra-interface.
And create a NAT rule for the VPN pool; the source and destination interface is the outside nameif.
object network RAVPN_USERS
subnet 10.4.4.0 255.255.255.0
nat (outside,outside) dynamic interface
05-11-2022 09:10 AM
Hi Rob
Thanks a lot for your reply on this. I have only one concern implementing the config which you suggested, enabling same-security-traffic permit intra-interface. My concern is that if we enable this then we might run into asymmetric routing, and it is also not recommended from a security perspective because we have a DMZ network as well. Is there any other way we can achieve this?
Thank you
05-11-2022 09:18 AM - edited 05-11-2022 09:21 AM
@cybergeek Not sure what concerns you'd have with the DMZ... but another option is to route the RAVPN traffic on to the next-hop inside core/WAN switch, by defining a "tunneled" default route applicable to VPN traffic. Let it hairpin on the core/WAN switch and route back via the ASA; the NAT source interface is inside then.
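As an added example (not config from the thread's participants), the ASA configuration for the second option described above, the "tunneled" default route, so that the two options can be compared side by side. The interface names "inside"/"outside", the core switch next hop 10.1.1.1, the ASA inside address 10.1.1.2, the pool 10.4.4.0/24 and the group-policy name GP_RAVPN are all assumed values; replace them with your own.

```text
! Added example, not from the original thread. ASA config for the tunneled-default-route
! design: full-tunnel RAVPN traffic is sent to the inside core switch, which routes it
! back to the ASA, so no outside-to-outside hairpin is needed on the ASA itself.
! Assumed values: nameif inside/outside, core switch 10.1.1.1, ASA inside 10.1.1.2,
! VPN pool 10.4.4.0/24, group policy GP_RAVPN.

! 1. All user traffic must enter the tunnel (the poster has already done this).
group-policy GP_RAVPN attributes
 split-tunnel-policy tunnelall

! 2. Default route for tunnel traffic only. Decrypted RAVPN packets that match no
!    more specific route (corporate subnets keep their normal static/connected routes)
!    are forwarded to the core switch on the inside interface. Non-tunnel traffic
!    continues to use the ordinary default route towards "outside".
route inside 0.0.0.0 0.0.0.0 10.1.1.1 tunneled

! 3. The core switch must know the VPN pool lives behind the ASA inside interface,
!    otherwise neither return traffic nor the hairpin works. On the switch (not the ASA):
!    ip route 10.4.4.0 255.255.255.0 10.1.1.2

! 4. Internet-bound packets from VPN users now arrive back at the ASA on "inside",
!    so the PAT rule for the pool is inside->outside. With this design
!    same-security-traffic permit intra-interface is not required.
object network RAVPN_USERS
 subnet 10.4.4.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

After applying it, `show route` should list the tunneled default route separately from the normal one, and `show nat` should show the inside,outside rule with hit counts increasing as a VPN user browses. If `ip verify reverse-path interface inside` is enabled, confirm that the hairpinned packets sourced from 10.4.4.0/24 are not being dropped as spoofed before assuming the NAT rule is at fault.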
05-11-2022 09:21 AM
Just want to clarify something here:
DMZ: are you using a separate ASA for VPN, and is this VPN ASA connected to the DMZ of the edge ASA?
05-11-2022 09:03 AM