Anyconnect VPN Configuration Question

packetintransit
Level 1

Hi lads,

I have a question regarding how to set up a particular thing on an ASA5515 for AnyConnect VPN clients running 4.8 v.

Attached is a draft drawing of the current network topology. So, the task is to have all AnyConnect VPN clients use the Cisco2901 to access the internet.

The ASA is being used for VPN and it is connected to the internal network via gi0/0 172.17.7.9/24

VPN Pool is: 10.17.17.5-10.17.17.25/24

When I configure split tunnel to secure 172.17.7.0/24, clients are eventually able to access the internet via their local Wi-Fi connection while on VPN.

But the task requires that all traffic flow through the tunnel and that clients access internal resources and the internet via the Cisco 2901.

Thank you

Batu

2 Replies

How is your dynamic NAT for internet configured? Are you matching on the "any" interface? If not, then you can do this with just a NAT exemption between the internal and VPN networks. If you have a dynamic NAT that will also match VPN users, you can configure VPN filtering in the group-policy that is assigned to the AnyConnect VPN users. Configure the ACL to only allow traffic between the VPN users and the internal network.

--
Please remember to select a correct answer and rate helpful posts

What device is doing the NAT for internet traffic? The 2901? If that is the case, you can tunnel all traffic for AnyConnect and add the route command: route inside 0.0.0.0 0.0.0.0 172.17.7.1 tunneled

Just make sure that routing back to the AnyConnect subnet is in place on the 2901.

--
Please remember to select a correct answer and rate helpful posts
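
The approach from the last reply, laid out for both devices as an added example; it is not part of the original thread or any poster's configuration. Assumptions: the group-policy name GP-ANYCONNECT and standard ACL 10 on the 2901 are hypothetical, the ASA's gi0/0 carries the nameif `inside`, and 172.17.7.1 is the 2901's internal address, as the reply's route command implies.

```cisco
! ---- ASA 5515 ----
! Replace split tunnelling with tunnel-all so client internet traffic
! cannot leave through the local Wi-Fi connection while on VPN.
! GP-ANYCONNECT is a hypothetical name for the policy assigned to the clients.
group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelall
!
! Default route that applies only to traffic arriving over a VPN tunnel.
! Decrypted client traffic is handed to the 2901 (assumed to be 172.17.7.1).
route inside 0.0.0.0 0.0.0.0 172.17.7.1 tunneled
!
! ---- Cisco 2901 ----
! Return path to the AnyConnect pool (10.17.17.5-10.17.17.25/24) via the
! ASA's gi0/0 address, so replies reach the VPN clients.
ip route 10.17.17.0 255.255.255.0 172.17.7.9
!
! Assumption: the 2901's existing internet NAT matches sources with
! standard ACL 10. The pool subnet has to be added to whatever list the
! NAT rule really uses, otherwise client traffic leaves untranslated.
access-list 10 permit 10.17.17.0 0.0.0.255
```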