AnyConnect VPN full tunnel with internet access

Kaleem Sheikh
Level 1

I am trying to change my split tunnel (with internet access) into a full tunnel with internet hairpin so I can VPN into a remote ASA and go out to the internet through that ASA. 

The ASA I am using is a 5506-x.

I have entered the tunnelall and same-security-traffic permit intra-interface.

I think my NAT config is where the issue is.

I want my traffic to go from VPN client to remote ASA and out to Modem -- Then to Internet with internet access.

VPN client with anyconnect [outside int(xx.xxx.xxx.245)

|

[vlan int of sw(10.20.30.1) Switch [outside int of sw(200.1.1.1) ------------ [inside int of asa(200.1.1.2) ASA [outside int of asa(xx.xxx.xxx.244) --------- Modem (xx.xxx.xx.241) -------- Internet

8 Replies

Josue Brenes
Cisco Employee

Hi Kaleem,

Try with the following configuration:

ciscoasa(config)# object network obj-Anyconnect-Pool
ciscoasa(config-network-object)# subnet 192.168.10.0 255.255.255.0 (replace with real network from the anyconnect users)
ciscoasa(config-network-object)# nat (outside,outside) dynamic interface

Regards,
Josue Brenes.

Hi Josue,

I have entered this NAT configuration, but I still don't have internet access. However, when I VPN from my outside VPN client, I am able to SSH into my ASA and use it.

Hi Kaleem,

What if you try with manual nat instead of object nat?

The config would be like this:

object network anyconnect_pool
 subnet X.X.X.X X.X.X.X
nat (outside,outside) 1 source dynamic anyconnect_pool interface

Note: You must have the same-security-traffic permit intra-interface command

Regards,
Josue Brenes.
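For reference, here is the complete set of pieces a full-tunnel hairpin needs on an ASA, written as an added example rather than Josue's or Cisco's own config: the pool, object, group-policy and tunnel-group names and the 192.168.10.0/24 address pool are assumed, and the packet-tracer line at the end is the check that shows which NAT rule the hairpinned client traffic actually matches.

```cisco
! --- Assumed names/addresses: ANYCONNECT_POOL, ANYCONNECT_NET, GP_FULLTUNNEL,
! --- TG_ANYCONNECT and 192.168.10.0/24 are placeholders for this example.

! 1. Address pool handed to AnyConnect clients
ip local pool ANYCONNECT_POOL 192.168.10.10-192.168.10.100 mask 255.255.255.0

! 2. Object describing the same pool, used by the NAT rule
object network ANYCONNECT_NET
 subnet 192.168.10.0 255.255.255.0

! 3. Allow traffic to enter and leave the same interface (the hairpin)
same-security-traffic permit intra-interface

! 4. Manual (twice) NAT: client pool leaving "outside" is PAT'd to the
!    outside interface address. Must sit ABOVE any broader rule that would
!    match 192.168.10.0/24 first (e.g. an old identity/NAT-exempt rule).
nat (outside,outside) 1 source dynamic ANYCONNECT_NET interface

! 5. Group policy: send everything through the tunnel, hand out a DNS server
group-policy GP_FULLTUNNEL internal
group-policy GP_FULLTUNNEL attributes
 split-tunnel-policy tunnelall
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client

! 6. Tie pool and policy to the tunnel-group the client connects with
tunnel-group TG_ANYCONNECT general-attributes
 address-pool ANYCONNECT_POOL
 default-group-policy GP_FULLTUNNEL

! 7. Verification: simulate a client (192.168.10.10) going to a public host.
!    The "NAT" phase of the output names the rule that matched; if it is not
!    the (outside,outside) rule above, an earlier rule is stealing the traffic.
packet-tracer input outside tcp 192.168.10.10 12345 203.0.113.10 443
show nat detail
```

If packet-tracer reports a drop in the NAT or ACCESS-LIST phase, the phase name tells you whether rule ordering or an interface ACL is the problem, which is quicker than re-entering the NAT statements.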

Hi Josue, 

I've tried both of these NAT configurations and they don't work for me. Is there something I have to enable for the anyconnect user itself to allow that user to get to the internet? I have the NAT down, same-security-traffic permit intra-interface, and on my group policy for my anyconnect user, I have given it tunnelall permission.

Hi Kaleem,

There is nothing to enable from the anyconnect itself.

Can you share the full config with me so I can take a look?

Regards,
Josue Brenes.

There's a lot of extra stuff in there, but this is the whole config.

Kaleem,

What is the name of the tunnel-group you are using?

Regards,

Josue Brenes.

cp1