ASA webvpn tunnelall hairpin not routing internet traffic

Bruce Reed
Level 1

I have a working "tunnelall" group policy for anyconnect vpn working on my production ASA just fine. I'm working on new policy on a lab ASA connected to a different public net. That's working fine for the most part (implementing DAP is the goal), but I've tried to set up another tunnelall hairpin on this ASA and no matter what I try I can't get it working. I can see the 0.0.0.0 route set in the anyconnect client, but the traffic goes nowhere. Here's the relevant code:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 173.xx.yy.61 255.255.255.240
same-security-traffic permit intra-interface
ip local pool TestVPN 192.168.102.240-192.168.102.254 mask 255.255.255.0
global (outside) 1 interface
nat (outside) 1 192.168.102.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 173.xx.yy.62 1
route outside 192.168.102.0 255.255.255.0 173.xx.yy.62 1
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 regex "Intel Mac OS X"
 svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3 regex "Linux"
 svc image disk0:/anyconnect-linux-64-2.5.2014-k9.pkg 4 regex "Linux"
 svc enable
group-policy TunnelAll internal
group-policy TunnelAll attributes
 dns-server value 10.1.5.10
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 default-domain value xxx.yyy
 address-pools value TestVPN
group-policy DfltGrpPolicy attributes
 dns-server value 10.1.5.10
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_access_SPLIT
 default-domain value xxx.yyy
 address-pools value TestVPN

I've eliminated the inside related code as that is all working fine. I can reach hosts on my 10 network with no issue. Shouldn't the ASA simply nat and turn the inbound vpn packets around for internet destinations?
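As an added example (not part of the original post, and not Cisco's tooling), here is a small Python lint that reads an ASA config in the 8.2-style syntax used above and checks for the pieces an AnyConnect tunnelall hairpin commonly depends on: the intra-interface permit, a tunnelall split policy on the group policy, and a nat/global pair on the outside interface that actually covers the VPN pool. The config text is constructed from the post with RFC 5737 documentation addresses substituted for the masked public IPs; the function and check names are assumptions of this example, the checks are the commonly documented prerequisites rather than a diagnosis of this particular lab, and routing is deliberately not judged.

```python
"""Lint an ASA (8.2-style NAT syntax) config for AnyConnect hairpin prerequisites.
Constructed example; the checks and names here are assumptions, not Cisco tooling."""
import ipaddress
import re

# Constructed sample modelled on the post, with documentation addresses
# in place of the masked public IPs.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.61 255.255.255.240
same-security-traffic permit intra-interface
ip local pool TestVPN 192.168.102.240-192.168.102.254 mask 255.255.255.0
global (outside) 1 interface
nat (outside) 1 192.168.102.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.62 1
group-policy TunnelAll internal
group-policy TunnelAll attributes
 dns-server value 10.1.5.10
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 address-pools value TestVPN
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 address-pools value TestVPN
"""


def parse_pools(lines):
    """Map each 'ip local pool' name to its (first, last) address."""
    pools = {}
    for line in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def parse_group_policy(lines, name):
    """Return the sub-commands of one 'group-policy <name> attributes' block."""
    attrs = {}
    in_block = False
    for line in lines:
        if line.strip() == f"group-policy {name} attributes":
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):      # un-indented line ends the block
                in_block = False
                continue
            key, _, rest = line.strip().partition(" ")
            attrs[key] = rest[6:] if rest.startswith("value ") else rest
    return attrs


def check_hairpin(config, policy, outside="outside"):
    """Return a list of findings; an empty list means the usual pieces are present."""
    lines = config.splitlines()
    stripped = [l.strip() for l in lines]
    findings = []

    # Traffic entering and leaving the same interface needs the intra-interface permit.
    if "same-security-traffic permit intra-interface" not in stripped:
        findings.append("missing 'same-security-traffic permit intra-interface'")

    attrs = parse_group_policy(lines, policy)
    if attrs.get("split-tunnel-policy") != "tunnelall":
        findings.append(f"group-policy {policy}: split-tunnel-policy is not tunnelall")

    pool_name = attrs.get("address-pools", "")
    pools = parse_pools(lines)
    if pool_name not in pools:
        findings.append(f"group-policy {policy}: address pool {pool_name!r} is not defined")
        return findings
    lo, hi = pools[pool_name]

    # The whole pool must fall under a 'nat (outside) <id>' rule whose id has a
    # matching 'global (outside) <id> interface' so returned traffic is PATed.
    nat_ids, global_ids = set(), set()
    for s in stripped:
        m = re.match(rf"nat \({outside}\) (\d+) (\S+) (\S+)", s)
        if m:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            if lo in net and hi in net:
                nat_ids.add(m.group(1))
        m = re.match(rf"global \({outside}\) (\d+) interface", s)
        if m:
            global_ids.add(m.group(1))
    if not nat_ids:
        findings.append(f"no 'nat ({outside}) <id> ...' rule covers pool {pool_name}")
    elif not nat_ids & global_ids:
        findings.append(f"nat ({outside}) ids {sorted(nat_ids)} have no matching "
                        f"'global ({outside}) <id> interface'")
    return findings


if __name__ == "__main__":
    for f in check_hairpin(SAMPLE_CONFIG, "TunnelAll") or ["ok: hairpin prerequisites present"]:
        print(f)
```

Run against the sample the TunnelAll policy passes, while DfltGrpPolicy is flagged because its split policy is tunnelspecified; dropping the intra-interface line or the nat rule produces the corresponding finding.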

17 Replies

Sorry try "same-security-traffic permit inter-interface" in ASA..

That command is for the communication between two interfaces with the same security-level. So it's not related to this problem.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Why would "inter-interface" be required in this case? I had tried it though just to rule that out and it didn't help.

Bruce, did you solve your problem?

I would very much appreciate an explanation of how you did it.

BR

Tommy