07-13-2021 09:12 AM
My current ASA/AnyConnect setup has all RFC 1918 routing down the tunnel and the public IP space goes out via the local provider. I have a request that traffic to a particular site - let's call it foo123.com at say 5.5.5.50 - goes down the tunnel so as to get the source address of the ASA. I added 5.5.5.50 to the Split Tunnel group. But then I could not get to foo123.com at all. So there must be another piece I need to add to allow that now tunneled traffic to spin around and head back to the Internet from the ASA with its new source IP. Perhaps a NAT? Not sure. What's the mojo? THANKS
Labels: AnyConnect, Remote Access
Accepted Solutions
07-13-2021 09:44 AM
Hi @mmedwid
The traffic will need to hairpin; you need to enable traffic to return back out the same interface it came in on, and add a NAT rule.
Try something like this:
same-security-traffic permit intra-interface
!
object network RAVPN_USERS
 subnet 10.4.4.0 255.255.255.0
 nat (outside,outside) dynamic interface
Obviously amend the object name, subnet and interface name accordingly.
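A fuller version of what the answer describes, added here as an illustration and not taken from the poster's running config: the split-tunnel ACL that steers 5.5.5.50 into the tunnel, the hairpin permit, and the outside-to-outside NAT that gives the flow the ASA's public source address. The names SPLIT_TUNNEL and RAVPN_GP and the 10.4.4.0/24 client pool are assumptions.

```cisco
! --- Split tunnel: RFC 1918 space plus the one public host go down the tunnel ---
! (ACL name SPLIT_TUNNEL and group policy RAVPN_GP are assumed; 10.4.4.0/24 is
!  assumed to be the AnyConnect address pool)
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit 172.16.0.0 255.240.0.0
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit host 5.5.5.50
!
group-policy RAVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! --- Without the next two pieces, packets for 5.5.5.50 arrive decrypted on
! --- "outside" and are dropped: the ASA will not send a flow back out the
! --- interface it entered, and the private client source has no translation.
!
! 1. Allow traffic to leave via the interface it arrived on (hairpin / U-turn)
same-security-traffic permit intra-interface
!
! 2. Translate the client pool to the outside interface address for
!    outside->outside flows, so foo123.com sees the ASA's public IP as source
object network RAVPN_USERS
 subnet 10.4.4.0 255.255.255.0
 nat (outside,outside) dynamic interface
!
! --- Verification: the rule should be listed under "Auto NAT Policies", and
! --- after a client reaches foo123.com an xlate from 10.4.4.x to the
! --- interface address should be present
show nat detail
show xlate
```

Because `same-security-traffic permit intra-interface` applies to every outside-to-outside flow, keep the VPN filter or interface ACLs that control what tunneled clients may reach; the NAT rule only needs to cover the client address pool.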
07-13-2021 11:47 AM
Worked like a champ. Thank you.
