AnyConnect VPN

S.ashok S
Level 1

Hi,

I have configured AnyConnect VPN with split tunneling, so my internal networks are tunneled and the internet is reached directly (not via the internal network).

But we want to access one public IP address (8.8.8.8) through the AnyConnect VPN tunnel.

When we check the packet capture on the outside interface while trying to ping 8.8.8.8, it shows the ICMP echo-request packet but no ICMP echo-reply packet.

Is any additional configuration required to access the above IP address through the tunnel?

We have enabled the below configuration as well.

same-security-traffic permit intra-interface

same-security-traffic permit inter-interface

Kindly find the capture details below: 192.168.18.71 is my AnyConnect system IP from the VPN pool.

access-list 114 extended permit ip host 192.168.18.71 host 8.8.8.8
access-list 115 extended permit ip host 8.8.8.8 host 192.168.18.71

capture outbound interface inside access-list 114
capture inbound interface inside access-list 115

XXX-ASA(config)# show capture outbound

1: 22:13:24.001800 192.168.18.71 > 8.8.8.8: icmp: echo request
2: 22:13:28.986139 192.168.18.71 > 8.8.8.8: icmp: echo request
3: 22:13:33.970561 192.168.18.71 > 8.8.8.8: icmp: echo request
4: 22:13:38.971156 192.168.18.71 > 8.8.8.8: icmp: echo request
5: 22:13:44.080058 192.168.18.71 > 8.8.8.8: icmp: echo request
5 packets shown
XXX-ASA(config)#
XXX-ASA(config)#
XXX-ASA(config)# show capture inbound

0 packet captured

0 packet shown
XXX-ASA(config)# show capture inbound

0 packet captured

0 packet shown

Kindly help us to resolve the issue.

Thanks and regards,

Ashok


6 Replies

Philip D'Ath
VIP Alumni

If you configure 8.8.8.8 as part of the split tunnel list, then you also need to configure NAT for traffic from the VPN range to 8.8.8.8, from the outside interface to the outside interface, translating to a public IP address that you have.

It's a bit messy to do.

Hi,

Thank you for your reply.

We have configured NAT for inside any to outside on the interface IP address.

My AnyConnect pool is also from one of the inside subnets.

My inside subnet is 192.168.18.0 and its hosts are able to access 8.8.8.8.

My VPN pool is also 192.168.18.0, but the users in this pool are not able to access 8.8.8.8 from the VPN client machine.

Could you please elaborate the procedure with an example?

Thanks and regards,

Ashok

You need to configure NAT for outside->outside (since the VPN traffic comes in on the outside interface and goes back out on the outside interface for web browsing) for 192.168.18.0/24 to any.

If you are still stuck then post your current NAT configuration please.

Hi,

Below is my NAT entry:

nat (outside,outside) source static obj-192.168.18.0 interface dns

When we add the above NAT rule then AnyConnect VPN clients are not able to connect to my FW outside IP address.

Thanks and regards,

Ashok

I like using object NAT notation instead. So perhaps try:

object network obj-192.168.18.0
 nat (outside,outside) dynamic interface

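The complete hairpin setup that the two replies above describe, written out as an added example; this is not configuration posted in the thread. It assumes the pool object does not yet exist on the ASA, uses the hypothetical names GP-ANYCONNECT for the group policy and SPLIT-TUNNEL for the split-tunnel ACL, and takes the pool 192.168.18.0/24 and the client address 192.168.18.71 from the question. The packet-tracer and show commands at the end are the check a practitioner would run before asking a client to test.

```cisco
! Hairpinning: the VPN client arrives on outside and 8.8.8.8 is also reached via outside,
! so traffic entering and leaving the same interface must be permitted.
same-security-traffic permit intra-interface

! Split-tunnel list: 8.8.8.8 is tunneled, everything else stays local.
! Add the internal networks to the same list. ACL and group-policy names are hypothetical.
access-list SPLIT-TUNNEL standard permit host 8.8.8.8
group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Object NAT for the pool: traffic from the pool that re-enters on outside is
! dynamically PATed to the outside interface address. (outside,outside) is
! (real interface, mapped interface), i.e. in on outside, out on outside.
object network obj-192.168.18.0
 subnet 192.168.18.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Verification: simulate an echo request from a pool address arriving on outside.
! Expected: a NAT phase translating the source to the interface address and result ALLOW.
packet-tracer input outside icmp 192.168.18.71 8 0 8.8.8.8
show nat detail
show xlate
```

If packet-tracer ends in DROP at a NAT or ACL phase, the translation above is not matching the flow and nothing reaches 8.8.8.8, which matches the one-directional capture in the question. Dynamic PAT is one-directional; the static rule posted earlier in the thread is bidirectional, which is a common reason such a rule interferes with connections addressed to the outside interface itself.
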
Hi,

Thank you very much for your help. It is working now after we configured object NAT as suggested by you.

Thanks and regards,

Ashok