cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
441
Views
5
Helpful
1
Replies

ASA-5525 Anyconnect VPN: "Split-tunnel included" www traffic path...

Hello.

In the most standard vanilla ASA-5525 split tunnel config, and also routing config...

when a www IP-address is added to the split-tunnel ACL, does that traffic hairpin out of the ASAs outside interface to the www, or does it traverse the LAN to different gateway?

Thank you.

1 Accepted Solution

Accepted Solutions

@jmaxwellUSAF both options are achievable.

You'd need to allow the traffic to hairpin with the command "same-security-traffic permit intra-interface" and create an auto nat rule with the source and destination interface of the outside interface.

To route via another another gateway, define a static route and append the keyword tunneled, this route would apply to decrypted vpn traffic only. Example: "route inside 0.0.0.0 0.0.0.0 x.x.x.x tunneled"

View solution in original post

1 Reply 1

@jmaxwellUSAF both options are achievable.

You'd need to allow the traffic to hairpin with the command "same-security-traffic permit intra-interface" and create an auto nat rule with the source and destination interface of the outside interface.

To route via another another gateway, define a static route and append the keyword tunneled, this route would apply to decrypted vpn traffic only. Example: "route inside 0.0.0.0 0.0.0.0 x.x.x.x tunneled"