06-06-2017 03:26 PM - edited 02-21-2020 09:18 PM
I am trying to change my split tunnel (with internet access) into a full tunnel with internet hairpin so I can VPN into a remote ASA and go out to the internet through that ASA.
The ASA I am using is a 5506-x.
I have entered the tunnelall and same-security-traffic permit intra-interface.
I think my NAT config is where the issue is.
I want my traffic to go from VPN client to remote ASA and out to Modem -- Then to Internet with internet access.
VPN client with anyconnect [outside int(xx.xxx.xxx.245)
|
[vlan int of sw(10.20.30.1) Switch [outside int of sw(200.1.1.1) ------------ [inside int of asa(200.1.1.2) ASA [outside int of asa(xx.xxx.xxx.244) --------- Modem (xx.xxx.xx.241) -------- Internet
06-06-2017 07:02 PM
Hi Kaleem,
Try with the following configuration:
ciscoasa(config)# object network obj-Anyconnect-Pool
! replace with the real network of the AnyConnect users
ciscoasa(config-network-object)# subnet 192.168.10.0 255.255.255.0
ciscoasa(config-network-object)# nat (outside,outside) dynamic interface
Regards,
Josue Brenes.
06-07-2017 04:01 PM
Hi Josue,
I have entered this NAT configuration, but I still don't have internet access. However, when I VPN from my outside VPN client, I am able to ssh into my ASA and use it.
06-07-2017 05:42 PM
Hi Kaleem,
What if you try with manual nat instead of object nat?
The config would be like this:
object network anyconnect_pool
subnet X.X.X.X X.X.X.X
nat (outside,outside) 1 source dynamic anyconnect_pool interface
Note: You must have the same-security-traffic permit intra-interface command
Regards,
Josue Brenes.
06-08-2017 04:22 PM
Hi Josue,
I've tried both of these NAT configurations and they don't work for me. Is there something I have to enable for the anyconnect user itself to allow that user to get to the internet? I have the NAT down, same-security-traffic permit intra-interface, and on my group policy for my anyconnect user, I have given it tunnelall permission.
06-10-2017 08:01 AM
Hi Kaleem,
There is nothing to enable from the anyconnect itself.
Can you share the full config with me so I can take a look?
Regards,
Josue Brenes.
06-12-2017 12:55 PM
06-13-2017 04:40 PM
Kaleem,
What is the name of the tunnel-group you are using?
Regards,
Josue Brenes.
06-15-2017 01:55 PM
cp1
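Added example, not part of the thread and not Cisco tooling: a Python check that reads a saved running-config and reports which of the three pieces discussed above are missing for a tunnel-group (tunnelall on its group policy, same-security-traffic permit intra-interface, and an (outside,outside) dynamic NAT whose object covers the AnyConnect pool). The sample config, the names VPN_POOL and GP_FULL, and the function names are assumptions; cp1 is the tunnel-group name given in the thread.

```python
import ipaddress, re
from collections import defaultdict
# Constructed sample, not the poster's config; VPN_POOL and GP_FULL are made-up names.
SAMPLE = """\
ip local pool VPN_POOL 192.168.10.10-192.168.10.50 mask 255.255.255.0
same-security-traffic permit intra-interface
object network obj-Anyconnect-Pool
 subnet 192.168.10.0 255.255.255.0
group-policy GP_FULL attributes
 split-tunnel-policy tunnelall
tunnel-group cp1 general-attributes
 address-pool VPN_POOL
 default-group-policy GP_FULL
object network obj-Anyconnect-Pool
 nat (outside,outside) dynamic interface
"""

def parse_blocks(cfg):
    """Return (top-level lines, {header: sub-commands}); repeated headers merge."""
    top, blocks, cur = [], defaultdict(list), None
    for line in cfg.splitlines():
        if line[:1] == " " and cur:
            blocks[cur].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            top.append(cur := line.strip())
    return top, blocks

def audit_hairpin(cfg, tunnel_group, iface="outside"):
    """List the hairpin prerequisites from the thread that the config lacks."""
    top, blocks = parse_blocks(cfg)
    missing = []
    if "same-security-traffic permit intra-interface" not in top:
        missing.append("same-security-traffic permit intra-interface")
    attrs = dict(l.split(None, 1) for l in blocks[f"tunnel-group {tunnel_group} general-attributes"] if " " in l)
    gp = attrs.get("default-group-policy", "DfltGrpPolicy")
    # Assumption: only an explicit tunnelall line counts; inherited defaults are not evaluated.
    if "split-tunnel-policy tunnelall" not in blocks[f"group-policy {gp} attributes"]:
        missing.append(f"split-tunnel-policy tunnelall in group-policy {gp}")
    m = re.search(rf"^ip local pool {re.escape(attrs.get('address-pool', ''))} ([\d.]+)-([\d.]+)", cfg, re.M)
    pool = [ipaddress.ip_address(a) for a in m.groups()] if m else []
    pat = f"nat ({iface},{iface})"
    manual = set(re.findall(rf"^{re.escape(pat)}(?: after-auto)?(?: \d+)? source dynamic (\S+) interface", cfg, re.M))
    covered = False
    for hdr, lines in blocks.items():
        if hdr.startswith("object network ") and (f"{pat} dynamic interface" in lines or hdr.split()[2] in manual):
            nets = [ipaddress.ip_network("/".join(l.split()[1:3]), strict=False) for l in lines if l.startswith("subnet ")]
            covered |= bool(pool) and any(all(a in n for a in pool) for n in nets)
    if not covered:
        missing.append(f"dynamic PAT ({iface},{iface}) covering the VPN address pool")
    return missing
```

An empty list from `audit_hairpin(SAMPLE, "cp1")` means all three pieces are present in the config text; it says nothing about routing, ACLs or DNS settings, which this check does not look at.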