980 Views | 10 Helpful | 2 Replies

Cisco AnyConnect: Adding a public IP to split tunnel

mmedwid (Level 3)

My current ASA/AnyConnect setup has all RFC 1918 routing down the tunnel and the public IP space goes out via the local provider. I have a request that traffic to a particular site - let's call it foo123.com at say 5.5.5.50 - goes down the tunnel so as to get the source address of the ASA. I added 5.5.5.50 to the Split Tunnel group. But then I could not get to foo123.com at all. So there must be another piece I need to add to allow that now tunneled traffic to spin around and head back to the Internet from the ASA with its new source IP. Perhaps a NAT? Not sure. What's the mojo? THANKS

Accepted Solution

Hi @mmedwid

The traffic will need to hairpin: you need to enable traffic to return back out the same interface it came in on, and a NAT rule.

Try something like this:

same-security-traffic permit intra-interface
!
object network RAVPN_USERS
 subnet 10.4.4.0 255.255.255.0
 nat (outside,outside) dynamic interface

Obviously amend the object name, subnet and interface name accordingly.

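The following is an added, fuller worked configuration for the hairpin described in the accepted reply; it is not the replier's or the asker's own config. It assumes an outside interface named "outside", a VPN address pool of 10.4.4.0/24, a split-tunnel ACL named SPLIT_TUNNEL and a group-policy named RAVPN_GP (all assumed names), and uses the 5.5.5.50 destination from the question. It ties the three pieces together: the split-tunnel entry that pulls the public host into the tunnel, the intra-interface permit that lets decrypted traffic U-turn back out of "outside", and the object NAT that rewrites the client's pool address to the ASA's outside address so the return traffic from 5.5.5.50 comes back to the ASA.

```cisco
! Added example (not the original thread's config). Assumed names:
! interface "outside", pool 10.4.4.0/24, ACL SPLIT_TUNNEL, policy RAVPN_GP.
!
! 1. Split-tunnel ACL: RFC 1918 space plus the one public host that must
!    egress from the ASA's address. Everything else stays on the local ISP.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit 172.16.0.0 255.240.0.0
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit host 5.5.5.50
!
group-policy RAVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! 2. Allow traffic that arrived on "outside" (the decrypted VPN flow) to be
!    routed back out of "outside". Without this the ASA drops the hairpin.
same-security-traffic permit intra-interface
!
! 3. PAT the VPN pool behind the outside interface address. Both the
!    ingress and egress interface are "outside", hence (outside,outside).
object network RAVPN_USERS
 subnet 10.4.4.0 255.255.255.0
 nat (outside,outside) dynamic interface
!
! Checks (run from exec mode, not part of the config):
!   packet-tracer input outside tcp 10.4.4.10 40000 5.5.5.50 443 detailed
!     -> expect the NAT phase to show RAVPN_USERS translating to the
!        outside address and the flow to egress on "outside"
!   show nat detail          (translation hit counts for RAVPN_USERS)
!   show vpn-sessiondb anyconnect
```

Two caveats worth keeping in mind. `same-security-traffic permit intra-interface` is global: it permits any decrypted client flow to leave by the interface it arrived on, including client-to-client traffic, not just the flow to 5.5.5.50. And because decrypted VPN traffic bypasses the interface ACLs by default (`sysopt connection permit-vpn`), the outside ACL does not constrain what hairpinned clients can reach; if that matters, restrict it with a vpn-filter ACL in the group-policy rather than relying on the interface ACL. The `packet-tracer` line above is the quickest way to confirm the translation and egress interface before testing from a client.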

2 Replies


Worked like a champ. Thank you.