769 Views | 10 Helpful | 5 Replies

Anyconnect users need internet access

cybergeek
Level 1

Hello

Due to a business requirement we want to disable split tunneling and have all our AnyConnect VPN users go out through our corporate internet. We have already disabled split tunneling for remote VPN users. The problem now is that users can access corporate resources like servers, but they are not able to get to the internet. I would like to know if there is anything we need to change in the AnyConnect settings on the firewall that would solve this problem. Please find attached a screenshot of our AnyConnect VPN policy.

Any help in this regard will be really appreciated.


5 Replies

@cybergeek You will need to allow the traffic to hairpin using the command same-security-traffic permit intra-interface.

And create a NAT rule for the VPN pool; the source and destination interface is the outside nameif.


object network RAVPN_USERS
 subnet 10.4.4.0 255.255.255.0
 nat (outside,outside) dynamic interface


Hi Rob

Thanks a lot for your reply on this. I have only one concern about implementing the config you suggested, enabling same-security-traffic permit intra-interface. My concern is that if we enable this then we might run into asymmetric routing, and it is also not recommended from a security perspective because we have a DMZ network as well. Is there any other way we can achieve this?


Thank you

@cybergeek Not sure what concerns you'd have with the DMZ, but another option is to route the RAVPN traffic on to the next-hop inside core/WAN switch by defining a "tunneled" default route that applies only to VPN traffic. Let it hairpin on the core/WAN switch and route back via the ASA; the NAT source interface is inside then.
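For reference, here are the two designs discussed in this thread written out as complete ASA configuration fragments. This is an added example, not configuration posted by Rob, cybergeek or Cisco; it assumes the nameifs are "inside" and "outside", the AnyConnect pool is 10.4.4.0/24 (taken from the earlier reply), the inside network is 10.10.0.0/16 and the core switch next hop is 10.1.1.2 (the last two are placeholders). Option A hairpins decrypted VPN traffic back out the outside interface on the ASA itself; Option B sends it to the core switch first, so the ASA sees it return on inside and the NAT is an ordinary inside-to-outside PAT. In both cases the identity (no-NAT) rule for VPN-to-inside traffic is placed in manual NAT section 1 so it is matched before the dynamic PAT and internal traffic is never translated.

```text
! ---------- Common: never NAT VPN traffic that is destined for inside ----------
object network INSIDE_NETS
 subnet 10.10.0.0 255.255.0.0
object network RAVPN_USERS
 subnet 10.4.4.0 255.255.255.0
nat (inside,outside) source static INSIDE_NETS INSIDE_NETS destination static RAVPN_USERS RAVPN_USERS no-proxy-arp route-lookup

! ---------- Option A: hairpin on the ASA (outside -> outside) ----------
! Permit traffic to enter and leave the same interface (needed for outside-to-outside).
same-security-traffic permit intra-interface
! PAT the pool to the outside interface address when it goes back out to the internet.
object network RAVPN_USERS
 nat (outside,outside) dynamic interface

! ---------- Option B: hairpin on the core switch (tunneled default route) ----------
! Only decrypted VPN traffic uses this default route; all other traffic keeps the
! normal default route toward the ISP. Only one tunneled default route is allowed.
route inside 0.0.0.0 0.0.0.0 10.1.1.2 tunneled
! Traffic comes back from the core with the pool as source and exits outside normally.
object network RAVPN_USERS
 nat (inside,outside) dynamic interface
! The core switch must itself have a default route pointing back at the ASA inside
! address for this to work; same-security-traffic permit intra-interface is not
! required for Option B.
```

Apply only one of the two options; an object can carry a single object NAT statement, so the (outside,outside) and (inside,outside) lines are mutually exclusive. With either design, a quick check is `show nat detail` to confirm the pool's hits land on the PAT rule rather than on the section 1 identity rule, and `show conn address 10.4.4.0 netmask 255.255.255.0` to see that internet-bound flows from the pool are being built.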

@Rob Ingram @cybergeek 

Just want to clarify something here.

DMZ: are you using a separate ASA for VPN, and is this VPN ASA connected to the DMZ of the edge ASA?