05-17-2011 09:27 AM
Hi,
Sorry if this config is a mess...I'm not a network guy by trade, but trying to set up my ASA to allow for people to VPN into my lab environment using their AnyConnect client. It appears I can get split tunneling to work, but nothing I do can allow for always tunnel. Since this is a three-leg firewall and not a concentrator, I believe this is called hairpinning? I've looked at what sparse examples there are on the web and still can't get it to work. Any suggestions anybody could provide would be really helpful.
Thanks in advance!
-AC
05-18-2011 12:46 AM
Sorry, do you mean that once connected, you can access the Internet, however, you are not able to access anything in the internal network?
The following NAT statements are incorrect, and you might want to remove the following:
nat (inside,any) source static obj-192.168.3.0 obj-192.168.3.0 destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.3.0 obj-192.168.3.0
nat (inside,any) source static any any destination static obj-192.168.3.0 obj-192.168.3.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.3.0_27 NETWORK_OBJ_192.168.3.0_27
and replace them with the following:
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.3.0 obj-192.168.3.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
nat (dmz,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.3.0 obj-192.168.3.0
Then "clear xlate" after the above changes.
Hope that helps.
05-26-2011 12:09 PM
Hi Jen,
Thanks so much for your reply. I can connect to devices on the internal network just fine, but what I want to do is force all traffic to go through the VPN tunnel. At the moment, it's defaulting to split tunneling.
I've tried your nat commands below and that doesn't seem to fix the issue. Is there anything else you would suggest?
Thanks again,
Art
05-26-2011 12:18 PM
Also, if it helps, I think I found a part of the problem. Under the group policy -> advanced -> Split Tunneling -> Policy menu, I didn't have the "Tunnel All Networks" checked. When I switch to this setting, I can't seem to get out to the Internet at all when connected through VPN. Do I need to create a static route in order to get out?
05-26-2011 02:48 PM
Never mind, got it. The commands below fixed it for me.
ASA(config)# same-security-traffic permit intra-interface
ASA(config)# object network obj-192.168.3.0
ASA(config-network-object)# nat (outside,outside) dynamic interface
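As an added example (not posted by anyone in this thread), here are the pieces from the replies above pulled together into one ASA 8.3+ configuration fragment: tunnel-all on the group policy, identity NAT so VPN clients reach the inside and DMZ networks unchanged, and the hairpin NAT that lets their Internet traffic leave the outside interface it arrived on. The group-policy name GP-LAB, the interface names inside/dmz/outside and the /24 mask on the VPN pool object are assumptions.

```cisco
! Allow a packet to leave the same interface it entered (hairpin / U-turn);
! without this the ASA drops VPN client traffic bound for the Internet.
same-security-traffic permit intra-interface
!
! Network objects (masks assumed; the thread only shows the object names)
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
 subnet 192.168.3.0 255.255.255.0
!
! Identity (no-NAT) rules: inside and dmz hosts talk to the VPN pool
! with real addresses, so the reverse path also matches the tunnel.
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.3.0 obj-192.168.3.0
nat (dmz,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.3.0 obj-192.168.3.0
!
! Hairpin PAT: VPN pool addresses going back out the outside interface
! are translated to the outside interface address.
object network obj-192.168.3.0
 nat (outside,outside) dynamic interface
!
! Group policy for the AnyConnect users (name assumed): send everything
! through the tunnel instead of splitting local Internet traffic off.
group-policy GP-LAB attributes
 split-tunnel-policy tunnelall
```

After applying, run "clear xlate" as suggested earlier in the thread so existing translations are rebuilt under the new rules, then confirm with "show nat" that the identity rules sit above the hairpin PAT.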