Cisco ASA 5508-X - Issue with Split-tunnel

steve32881
Level 1

Hi, I have a problem with my AnyConnect split-tunnel configuration. When connected I am able to ping or reach the internal subnets which have been specified in the split-tunnel ACL, but I can't ping or reach any of the public sites that I want to be reached through the VPN.

When checking my routing table, I can see that the route to the site I added to the split-tunnel ACL is there, but when I try to reach it or ping it nothing works.

I am able to do so if I remove that site from the ACL, but that means the traffic goes out through my normal home connection.

The issue is not just a DNS problem, as I can't even ping the domain. Any help will be much appreciated! Thanks =]

Also, if someone can explain to me why the hit count on the split-tunnel ACL remains 0, that would be great.

8 Replies

balaji.bandi
Hall of Fame

Are you not able to reach the external site? Is DNS resolution OK?

Can you post the show run output so we can look at the config?

Or look at the example guides below to give you the right direction:

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc6

https://www.petenetlive.com/KB/Article/0001239

BB


Hi, thanks for the quick reply. I did attach the config with the original post.

As for your question, when connected with the VPN, DNS resolution seems to work, but I can't access the site or ping it.

Any idea why this is happening? Thanks.

@steve32881

If you are tunneling the traffic through the VPN and out to the internet, you'll need a NAT rule for the AnyConnect network, e.g.:

object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface

HTH

Thanks Rob, I'll try that out and let you know.

Hey Rob, that was spot on mate, thank you very much! Issue fixed =]

...

Hey, thanks for the feedback!

nat (outside,outside) source dynamic OBJ-ANYCONNECT-SUBNET SNAT-IP-XXX destination static XXX-REMOTE XXX-REMOTE

I use this rule so that my AnyConnect users can reach a subnet which sits behind an IPsec site-to-site tunnel. That remote location required that they always see the same IP coming towards them, so the above is a SNAT rule with that object being the IP that they want to see coming towards them.

Hope that's clear =]
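The two NAT rules discussed in this thread (the object NAT that sends tunnelled internet traffic out of the outside interface, and the twice NAT that presents a fixed source IP to a site-to-site peer) only work in the context of the rest of the remote-access configuration. The following is an added, constructed ASA configuration that puts both rules next to the pieces they depend on; it is not the original poster's config and not from the accepted answer. All object names, ACL names, subnets and addresses are placeholders (the 192.168.10.0/24 pool matches the thread; XXX-REMOTE and SNAT-IP-XXX are the redacted names from the last reply, given assumed values here).

```cisco
! Added example, not from the thread. All names, subnets and IPs are assumed placeholders.

! 1. Let traffic that arrived on "outside" leave through "outside" again.
!    Without this, hairpinned AnyConnect traffic is dropped before NAT is consulted.
same-security-traffic permit intra-interface

! 2. Split-tunnel ACL: only these destinations are sent through the tunnel.
!    The ASA pushes this list to the client as policy and never evaluates
!    packets against it, which is why "show access-list SPLIT-TUNNEL" stays at hitcnt=0.
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit 203.0.113.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 172.16.50.0 255.255.255.0

! 3. Attach the list to the group policy used by the AnyConnect profile.
group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! 4. Address pool handed to clients (the subnet the NAT rules refer to).
ip local pool POOL-ANYCONNECT 192.168.10.10-192.168.10.200 mask 255.255.255.0

! 5. Object NAT (auto NAT, section 2): tunnelled public-site traffic leaves
!    with the outside interface address, which is what the accepted answer adds.
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface

! 6. Twice NAT (manual NAT, section 1, so it is matched before rule 5) for one
!    destination behind a site-to-site tunnel: the remote side always sees
!    a single fixed source address. Assumed values for the redacted objects.
object network XXX-REMOTE
 subnet 172.16.50.0 255.255.255.0
object network SNAT-IP-XXX
 host 192.0.2.10
nat (outside,outside) source dynamic OBJ-ANYCONNECT-SUBNET SNAT-IP-XXX destination static XXX-REMOTE XXX-REMOTE

! Verification from the ASA CLI (assumed client address 192.168.10.15):
!   packet-tracer input outside icmp 192.168.10.15 8 0 203.0.113.5
!     -> the NAT phase should show the translation to the outside address and the result ALLOW
!   packet-tracer input outside icmp 192.168.10.15 8 0 172.16.50.20
!     -> the NAT phase should show the translation to 192.0.2.10 (rule 6 wins)
!   show xlate | include 192.168.10
!     -> dynamic entries appear once a connected client sends traffic
```

The order matters for the site-to-site case: a manual NAT statement without the after-auto keyword sits in section 1 of the NAT table and is evaluated before the object NAT in section 2, so traffic to XXX-REMOTE is translated to the fixed SNAT address while everything else tunnelled to the internet falls through to the interface PAT rule. Running packet-tracer for both destinations is the quickest way to confirm that each packet hits the rule you intended.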