Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
414
Views
5
Helpful
1
Replies

ASA-5525 Anyconnect VPN: "Split-tunnel included" www traffic path...

Go to solution
jmaxwellUSAF
VIP
VIP

‎02-27-2023 02:31 PM

Hello.

In the most standard vanilla ASA-5525 split tunnel config, and also routing config...

when a www IP-address is added to the split-tunnel ACL, does that traffic hairpin out of the ASAs outside interface to the www, or does it traverse the LAN to different gateway?

Thank you.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎02-27-2023 02:39 PM - edited ‎02-27-2023 11:58 PM

@jmaxwellUSAF both options are achievable.

You'd need to allow the traffic to hairpin with the command "same-security-traffic permit intra-interface" and create an auto nat rule with the source and destination interface of the outside interface.

To route via another another gateway, define a static route and append the keyword tunneled, this route would apply to decrypted vpn traffic only. Example: "route inside 0.0.0.0 0.0.0.0 x.x.x.x tunneled"

View solution in original post

1 Reply 1

Go to solution
Rob Ingram
VIP
VIP

‎02-27-2023 02:39 PM - edited ‎02-27-2023 11:58 PM

@jmaxwellUSAF both options are achievable.

You'd need to allow the traffic to hairpin with the command "same-security-traffic permit intra-interface" and create an auto nat rule with the source and destination interface of the outside interface.

To route via another another gateway, define a static route and append the keyword tunneled, this route would apply to decrypted vpn traffic only. Example: "route inside 0.0.0.0 0.0.0.0 x.x.x.x tunneled"

Customers Also Viewed These Support Documents