02-26-2014 07:23 AM - edited 02-21-2020 07:31 PM
Hello, I am trying to figure out how to force all traffic from remote VPN users to go through the VPN tunnel for internet access and have run into a roadblock. Right now, I have split tunneling working for one profile and the other profile is to force all traffic through the VPN. I have the same-security features enabled and I think I am stuck on the NAT side of it. What sort of NAT settings do I need to allow this hairpinning? My ACL is to allow any source to any outbound, FYI.
- Gabe
02-26-2014 09:34 PM
What version of code?
Using an example of 10.2.3.0 as your VPN subnet.
8.2 and below
nat (outside) 1 10.2.3.0 255.255.255.0
global (outside) 1 interface (or PAT IP)
8.3+
object network VPN-Pool
subnet 10.2.3.0 255.255.255.0
nat (outside,outside) dynamic interface
02-27-2014 10:15 AM
Hi Johnston, thanks for the help! It is for version 9.x and I have configured the NAT. I am going to give that a shot and try it. Thanks.
02-27-2014 10:18 AM
I just made the change and no luck. Any thoughts as to where I might look to test? I ran the packet tracer and set it up with the following:
interface - outside
source ip - vpn pool ip address
dest ip - google.com
reverse path failure is the result...
02-27-2014 10:32 AM
Please post the output of the command:
show run nat
02-27-2014 12:42 PM
Could it be DNS?
What troubleshooting have you done?
02-27-2014 12:48 PM
I am able to resolve DNS entries from the internal DNS servers. Thanks.
02-27-2014 12:46 PM
Here is the output.
object network SHR_VPN_CLIENTS
nat (outside,outside) dynamic interface
02-27-2014 12:51 PM
Have you changed the source interface to inside and tested?
02-27-2014 12:56 PM
I just tried that and cleared the xlates, no luck. I'll see if I can paste the packet trace output.
02-27-2014 01:01 PM
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
Shouldn't these commands fix this?
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
I don't want to disable RPF on the outside interface if I don't have to.
- Gabe
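The thread above boils the full-tunnel (hairpin) setup on an 8.3+ ASA down to two prerequisites: an object NAT rule of the form nat (outside,outside) dynamic interface covering the VPN pool, and same-security-traffic permit intra-interface. The script below is an added example, not code from the thread or from Cisco: it audits a running-config excerpt for exactly those two items and pulls the drop reason out of packet-tracer output, so you can tell at a glance whether the RPF failure is explained by a missing prerequisite before touching anything else. The sample config and trace are constructed (the object and interface names are hypothetical, the pool 10.2.3.0/24 is the one Johnston used as an example); it does not check routing, which is outside what the thread covers.

```python
"""Audit an ASA 8.3+ config excerpt for the hairpin-VPN prerequisites
discussed in the thread, and extract the packet-tracer drop reason.
Added example; not part of the original thread."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample config (hypothetical names; pool taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN-Pool
 subnet 10.2.3.0 255.255.255.0
object network SHR_VPN_CLIENTS
 subnet 10.2.3.0 255.255.255.0
 nat (outside,outside) dynamic interface
"""

# Constructed "before" config: intra-interface missing, NAT on the wrong interface pair.
BROKEN_CONFIG = """\
same-security-traffic permit inter-interface
object network SHR_VPN_CLIENTS
 subnet 10.2.3.0 255.255.255.0
 nat (inside,outside) dynamic interface
"""

# Constructed packet-tracer tail, matching the result posted in the thread.
SAMPLE_TRACE = """\
input-interface: outside
output-interface: outside
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
"""

OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)\s*$")
HOST_RE = re.compile(r"^\s+host (\S+)\s*$")
NAT_RE = re.compile(r"^\s+nat \((\S+),(\S+)\) (static|dynamic) (\S+)")
DROP_RE = re.compile(r"^Drop-reason: \((\S+)\)", re.M)


def parse_objects(config: str) -> Dict[str, dict]:
    """Collect 'object network' blocks: their subnet/host and any object NAT line."""
    objects: Dict[str, dict] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            objects[current] = {"network": None, "nat": None}
            continue
        # Indented lines belong to the open block; anything else closes it.
        if current is None or not line.startswith(" "):
            current = None
            continue
        m = SUBNET_RE.match(line)
        if m:
            objects[current]["network"] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = HOST_RE.match(line)
        if m:
            objects[current]["network"] = ipaddress.ip_network(m.group(1))
            continue
        m = NAT_RE.match(line)
        if m:
            # (real_ifc, mapped_ifc, static|dynamic, mapped target)
            objects[current]["nat"] = (m.group(1), m.group(2), m.group(3), m.group(4))
    return objects


def check_hairpin(config: str, pool_ip: str, vpn_iface: str = "outside") -> List[str]:
    """Return a list of findings; an empty list means both prerequisites are present."""
    findings: List[str] = []
    if not re.search(r"^same-security-traffic permit intra-interface\s*$", config, re.M):
        findings.append("missing: same-security-traffic permit intra-interface")
    addr = ipaddress.ip_address(pool_ip)
    covering = [(name, o) for name, o in parse_objects(config).items()
                if o["network"] is not None and addr in o["network"]]
    if not covering:
        findings.append(f"no network object covers VPN pool address {pool_ip}")
        return findings
    hairpin = [name for name, o in covering
               if o["nat"] and o["nat"][0] == vpn_iface
               and o["nat"][1] == vpn_iface and o["nat"][2] == "dynamic"]
    if not hairpin:
        findings.append(
            f"no object covering {pool_ip} has 'nat ({vpn_iface},{vpn_iface}) dynamic ...'")
    return findings


def drop_reason(trace: str) -> Optional[str]:
    """Extract the short drop-reason code (e.g. 'rpf-violated') from packet-tracer output."""
    m = DROP_RE.search(trace)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("sample config:", check_hairpin(SAMPLE_CONFIG, "10.2.3.7") or "hairpin prerequisites present")
    print("broken config:", check_hairpin(BROKEN_CONFIG, "10.2.3.7"))
    print("packet-tracer drop reason:", drop_reason(SAMPLE_TRACE))
```

Run it against the output of show run and show run nat pasted into SAMPLE_CONFIG; an empty findings list with a trace that still reports rpf-violated tells you the NAT and same-security lines are not the problem and the next thing to look at is something the script does not model.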