Cisco AnyConnect Clients force all traffic through VPN

mattesong
Level 1

Hello, I am trying to figure out how to force all traffic from remote VPN users to go through the VPN tunnel for internet access and have run into a roadblock. Right now, I have split tunneling working for one profile, and the other profile is to force all traffic through the VPN. I have the same-security features enabled and I think I am stuck on the NAT side of it. What sort of NAT settings do I need to allow this hairpinning? My ACL allows any source to any outbound, FYI.

- Gabe

10 Replies

jj27
Spotlight

What version of code?

Using an example of 10.2.3.0 as your VPN subnet.

8.2 and below:

  nat (outside) 1 10.2.3.0 255.255.255.0
  global (outside) 1 interface  (or PAT IP)

8.3+:

  object network VPN-Pool
   subnet 10.2.3.0 255.255.255.0
   nat (outside,outside) dynamic interface

Hi Johnston, thanks for the help! It is for version 9.x and I have configured the NAT. I am going to give that a shot and try it. Thanks,

I just made the change and no luck. Any thoughts as to where I might look to test? I ran the packet tracer and set it up with the following:

interface - outside
source ip - vpn pool ip address
dest ip - google.com

reverse path failure is the result...

Please post the output of the command:

show run nat

Could it be DNS? 

What troubleshooting have you done? 

I am able to resolve DNS entries from the internal DNS servers. Thanks-

Here is the output.

object network SHR_VPN_CLIENTS
 nat (outside,outside) dynamic interface

Have you changed the source interface to inside and tested?

I just tried that and cleared the xlates, no luck. I'll see if I can paste the packet trace output.

Result:

input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

Shouldn't these commands fix this?

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

I don't want to disable RPF on the outside interface if I don't have to.

- Gabe
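A quick audit of the three pieces this thread turns on (the intra-interface permit, an outside-to-outside PAT object, and that object's subnet actually covering the AnyConnect pool), added here as an example and not code from the thread or from Cisco. The pool and object names and the sample "show run" lines are constructed; the one real-world detail it relies on is that the ASA prints an object's subnet and its nat rule as two separate "object network" blocks.

```python
import ipaddress
import re

# Constructed sample of the relevant "show run" lines (not the poster's real
# config): the AnyConnect pool, the hairpin NAT object jj27 suggested and the
# same-security-traffic command Gabe asked about.
SAMPLE_CONFIG = """\
ip local pool SHR_VPN_POOL 10.2.3.1-10.2.3.254 mask 255.255.255.0
same-security-traffic permit intra-interface
object network SHR_VPN_CLIENTS
 subnet 10.2.3.0 255.255.255.0
object network SHR_VPN_CLIENTS
 nat (outside,outside) dynamic interface
"""
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask \S+$")
HAIRPIN_NAT = "nat (outside,outside) dynamic interface"

def parse_objects(config):
    # Merge the indented lines of every "object network NAME" block by name.
    objects, current = {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
            objects.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            objects[current].append(line.strip())
        else:
            current = None
    return objects

def audit_hairpin(config, pool_name):
    # Empty result: intra-interface permit present and a hairpin PAT object
    # covers every address the named pool can hand out.
    findings, lines, covered = [], config.splitlines(), False
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("missing: same-security-traffic permit intra-interface")
    pools = [m for m in map(POOL_RE.match, lines) if m and m.group(1) == pool_name]
    if not pools:
        return findings + [f"pool {pool_name} not found"]
    first, last = (ipaddress.ip_address(pools[0].group(i)) for i in (2, 3))
    for name, body in parse_objects(config).items():
        if HAIRPIN_NAT not in body:
            continue  # no hairpin rule on this object; not relevant here
        for e in (x.split() for x in body if x.startswith("subnet ")):
            net = ipaddress.ip_network(f"{e[1]}/{e[2]}")
            if first in net and last in net:
                covered = True
            else:
                findings.append(f"object {name}: {net} does not cover {pool_name}")
    if not covered:
        findings.append(f"no '{HAIRPIN_NAT}' object covers pool {pool_name}")
    return findings
```

Run it against the real `show run` output and the pool name from `show run ip local pool`; an object whose subnet was never updated to match the pool shows up as a "does not cover" finding, which is a common reason the hairpin NAT silently never matches.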