Currently I am using an AnyConnect VPN (split tunnel) for remote access.
This works great.
However I would like to change this VPN to full tunnel mode.
I already tried configuring it without any problem, it's also working, except one thing, to have internet access while having a full tunnel AnyConnect session.
I was expecting the internet traffic to be routed over the tunnel, and go out on the remote side to the internet, but this requires additional configuration.
Does anybody know how to configure an internet breakout using AnyConnect full tunnel mode?
What exactly do you mean by internet breakout? If you are looking to u-turn the traffic from the other side then you can check out the following guide:
While this was originally written for IPSEC, it shouldn't be too different for Anyconnect.
Actually, yes I mean U turning the traffic, however the commands in the mentioned documentation are not available using IOS SSLVPN.
On a router if you have natting enabled for the traffic and a default route as well then you shouldn't have any problems in u-turning the traffic. U-turning is only required on ASAs which have security policies in place that would otherwise drop the traffic. Can you paste the configuration on your gateway?
Actually I placed the VPN users within the same subnet as the normal users, which means when normal users can access internet, things like default gateway as well as NAT are configured the right way.
I'm going to check on the other reactions.
I assume that you are using the ASA as vpn server.
You would require to nat the traffic sourcing from the vpn pool subnet to the outside interface ip address( pat). Also the command same-security permit intra-interface is required.
global(outside) 1 interface ( u should already be having this for internet traffic for lan)
same-security permit intra-interface
I've recently written about it:
Webvpn supports VTI configuration in newer IOS releases.
Thanks for your reply, I did some decent searching on anyconnect, and some related keywords, but didn't find your post.
Can you please indicate in which IOS version this feature was introduced?
I am using advipservicesk9-mz.124-24.T3.bin myself.
Indeed my post was meant to highlist benefits for IPSec and not specific to webvpn ;-)
I believe the functionality has been introduced with 12.4.20T and onwards where new CEF code was introduced, but I can't find the exact release.
Tha being said 12.4(24)T is the last software train in 12.4T and it should contain all features in config guide.
I changed the config with the information you provided, but it isn't working for me so far.
Hopefully you can help me a bit.
I have a 877W with an ATM interface as WAN interface (ASDL), which is configured under ATM0.1
As stated in the docs I created the following interface:
I only tested this feature intially when introduced ... so my recollections are vague at best ;-)
How this is supposed to work (AFAIR) is to spawn virtual-access interfaces from virtual template, I'm not sure if it's technially necessary for virtual-template interface to be up/up.
That being said ... let's see "show webvpn context NAME_HERE" to verify if template is applied there.
I'm actually starting to think if I didn't sell you false hope ... I did a quick search in feature navigator and offically I see support in platforms starting from 18xx and in 15.1T (and on). Oddly enough the config guide from 12.4T contains VTI support without restrictions.
Actually the Virtual-Template is stated when issueing the show webvpn context [name] command.
router#sh webvpn context router
Admin Status: up
Operation Status: up
Error and Event Logging: Disabled
CSD Status: Disabled
Certificate authentication type: All attributes (like CRL) are verified
AAA Authentication List: default
AAA Authorizationtion List not configured
AAA Authentication Domain not configured
Default Group Policy: sslpolicy
Associated WebVPN Gateway: router
Domain Name and Virtual Host not configured
Maximum Users Allowed: 2
NAT Address not configured
VRF Name not configured
Virtual Template: 1
Odd, but if no virtual-access is spawned, well I guess you could open a TAC case to make sure this is supported on this particular platform version.
In the meantime, we could try the the old way, loopback interface with "ip nat inside" applied and send all traffic from VPN to it.
Did you add the Virtual Template \ Or Made changes to the virtual-template 'after' defining it under the webvpn context ?
If you did then please remove the "virtual-template"command from under the webvpn config and then re-add it again.
Also the Virtual-Template will always stay down, it will be a virtual-access interface that you should be seeing Up in "show ip interface brief" command.