04-20-2016 11:34 PM - edited 02-21-2020 08:47 PM
Hi,
I have configured AnyConnect VPN with split tunneling, so my internal networks are tunneled and Internet access is direct (not via the internal network).
But we want to access one of the public IP addresses (8.8.8.8) through the AnyConnect VPN tunnel.
When we check the packet capture on the outside interface while trying to ping 8.8.8.8, it shows the icmp-request packets but no icmp-reply packets.
Is any additional configuration required to access the above IP address through the tunnel?
We have enabled the below configuration as well.
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
Kindly find the capture details below; 192.168.18.71 is my AnyConnect system IP from the VPN pool.
access-list 114 extended permit ip host 192.168.18.71 host 8.8.8.8
access-list 115 extended permit ip host 8.8.8.8 host 192.168.18.71
capture outbound interface inside access-list 114
capture inbound interface inside access-list 115
XXX-ASA(config)# show capture outbound
1: 22:13:24.001800 192.168.18.71 > 8.8.8.8: icmp: echo request
2: 22:13:28.986139 192.168.18.71 > 8.8.8.8: icmp: echo request
3: 22:13:33.970561 192.168.18.71 > 8.8.8.8: icmp: echo request
4: 22:13:38.971156 192.168.18.71 > 8.8.8.8: icmp: echo request
5: 22:13:44.080058 192.168.18.71 > 8.8.8.8: icmp: echo request
5 packets shown
XXX-ASA(config)#
XXX-ASA(config)#
XXX-ASA(config)# show capture inbound
0 packet captured
0 packet shown
XXX-ASA(config)# show capture inbound
0 packet captured
0 packet shown
Kindly help us to resolve the issue.
Thanks and regards,
Ashok
04-21-2016 01:24 AM
If you configure 8.8.8.8 as part of the split tunnel list, then you also need to configure NAT for traffic from the VPN range to 8.8.8.8, from the outside interface to the outside interface, translating to a public IP address that you have.
It's a bit messy to do.
04-21-2016 05:58 AM
Hi,
Thank you for your reply.
We have configured NAT for inside "any" to outside on the interface IP address.
My AnyConnect pool is also from one of the inside subnets.
My inside subnet is 192.168.18.0 and those hosts are able to access 8.8.8.8.
My VPN pool is also in 192.168.18.0, but the users in this pool are not able to access 8.8.8.8 from the VPN client machine.
Could you please elaborate the procedure with an example?
Thanks and regards,
Ashok
04-21-2016 01:39 PM
You need to configure nat for outside->outside (since the VPN traffic comes in on the outside interface and goes back out on the outside interface for web browsing) for 192.168.18.0/24 to any.
If you are still stuck then post your current NAT configuration please.
04-21-2016 10:59 PM
Hi,
Below is my NAT entry:
nat (outside,outside) source static obj-192.168.18.0 interface dns
When we add the above NAT rule then AnyConnect VPN clients are not able to connect to my FW outside IP address.
Thanks and regards,
Ashok
04-22-2016 12:43 AM
I like using object NAT notation instead. So perhaps try:
object network obj-192.168.18.0
nat (outside,outside) dynamic interface
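Putting the thread's pieces together, here is an added configuration example (not the poster's or the responder's own config) of an ASA hairpin that sends one public host through the AnyConnect tunnel; the interface names, pool range, ACL name and group-policy name are assumptions.

```cisco
! Added example, not the configuration posted in this thread.
! Assumed: outside/inside interface names, pool range, ACL and
! group-policy names.

! Let traffic enter and leave the same interface (posted in the thread).
same-security-traffic permit intra-interface

! Split-tunnel list: internal networks plus the single public host 8.8.8.8,
! so the client sends 8.8.8.8 through the tunnel instead of directly.
access-list SPLIT-TUNNEL standard permit 192.168.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit host 8.8.8.8

group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! AnyConnect address pool (assumed range inside 192.168.18.0/24).
ip local pool VPN-POOL 192.168.18.50-192.168.18.100 mask 255.255.255.0

! Object NAT, as in the accepted answer. The dynamic translation is
! unidirectional: it only rewrites pool sources leaving the outside
! interface, so inbound AnyConnect connections to the outside IP are
! not affected. (A static translation to "interface" is bidirectional
! and can capture those inbound connections.)
object network obj-192.168.18.0
 subnet 192.168.18.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Verification from enable mode: a tunneled ping to 8.8.8.8 should now
! create an xlate, and echo replies should appear in a capture that is
! taken on the outside interface (not the inside one).
! show nat detail
! show xlate | include 8.8.8.8
```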
04-22-2016 01:49 AM
Hi,
Thank you very much for your help. It is working now after we configured object NAT as suggested by you.
Thanks and regards,
Ashok