01-23-2021 02:18 AM - edited 01-23-2021 02:55 AM
Hi, I have a problem with my AnyConnect split-tunnel configuration. When connected, I am able to ping or reach the internal subnets that have been specified in the split-tunnel ACL, but I can't ping or reach any of the public sites that I want to be reached through the VPN.
When checking my routing table, I can see that the route to the site I added to the split-tunnel ACL is there, but when I try to reach it or ping it, nothing works.
I am able to do so if I remove that site from the ACL, but that means the traffic goes out over my normal home connection.
The issue is not just a DNS problem, as I can't even ping the domain. Any help will be much appreciated! Thanks =]
Also, if someone can explain to me why the hit count on the split-tunnel ACLs remains 0, that would be great.
Accepted Solutions
01-23-2021 03:42 AM
If you are tunneling the traffic through the VPN and out to the internet, you'll need a NAT rule for the AnyConnect network, e.g.
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
HTH
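The accepted answer gives only the NAT object. As an added, editor-written example (not configuration posted in this thread), here is the set of ASA commands that together make a split-tunnelled public destination work when the VPN traffic has to U-turn back out the same outside interface, plus the commands to verify it. The pool 192.168.10.0/24 and object name come from the reply above; the ACL name SPLIT-TUNNEL, group-policy name GP-ANYCONNECT, the internal range 10.0.0.0/8 and the public address 203.0.113.10 are assumptions constructed for the example. Two points the thread does not spell out: the ASA drops traffic that enters and leaves the same interface unless `same-security-traffic permit intra-interface` is set, and a split-tunnel ACL is only pushed to the client as a route list, which is why its hit count stays at 0; it filters nothing. The object (auto) NAT rule below is evaluated after any manual twice-NAT rules and only matches flows whose egress interface is outside, so it does not disturb existing NAT exemptions towards internal subnets.

```cisco
! Added example for an ASA with an AnyConnect pool of 192.168.10.0/24 (from the reply above).
! Assumed names and addresses: SPLIT-TUNNEL, GP-ANYCONNECT, 10.0.0.0/8 (internal), 203.0.113.10 (public site).

! 1. Permit a flow to enter and leave the same interface (VPN traffic U-turning via outside).
!    Without this the packet is dropped before the NAT table is consulted.
same-security-traffic permit intra-interface

! 2. Split-tunnel ACL: these entries become routes on the client; they never count hits
!    and they do not restrict what the client may reach.
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT-TUNNEL standard permit host 203.0.113.10

group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! 3. PAT the pool behind the outside interface address when the flow leaves via outside.
!    (outside,outside) means: real interface outside, mapped interface outside.
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface

! 4. Optional, because the split-tunnel ACL does not filter: a vpn-filter actually restricts
!    VPN users. For remote access the ACEs are written with the client pool as the source.
access-list VPN-FILTER extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list VPN-FILTER extended permit ip 192.168.10.0 255.255.255.0 host 203.0.113.10
group-policy GP-ANYCONNECT attributes
 vpn-filter value VPN-FILTER

! 5. Verification: simulate a client packet arriving on outside from the pool and watch
!    for the NAT phase and the final ALLOW. Then confirm the rule is being hit.
packet-tracer input outside tcp 192.168.10.5 40000 203.0.113.10 443 detailed
show nat detail
show vpn-sessiondb anyconnect
```

If packet-tracer reports a drop at the ACL or "no matching connection" phase rather than at NAT, the intra-interface permit is the usual missing piece; if NAT shows zero translate hits while the client's routing table carries the route, the object is either on the wrong interface pair or is shadowed by a manual NAT rule above it.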
01-23-2021 02:28 AM
Are you not able to reach the external site? Is DNS resolution OK?
Can you post a show run so we can look at the config?
Or look at the example guide below to point you in the right direction:
https://www.petenetlive.com/KB/Article/0001239
01-23-2021 02:47 AM
Hi, thanks for the quick reply. I did attach the config with the original post.
As for your question, when connected to the VPN, DNS resolution seems to work, but I can't access the site or ping it.
01-23-2021 03:38 AM
Any idea why this is happening? thanks
01-23-2021 03:44 AM
Thanks Rob, I'll try that out and let you know.
01-23-2021 07:23 AM
Hey Rob, that was spot on mate thank you very much! Issue fixed =]
01-23-2021 05:52 AM - edited 01-23-2021 07:25 AM
...
01-23-2021 07:25 AM
Hey thanks for the feedback!
nat (outside,outside) source dynamic OBJ-ANYCONNECT-SUBNET SNAT-IP-XXX destination static XXX-REMOTE XXX-REMOTE
I use this rule so that my AnyConnect users can reach a subnet that sits behind an IPsec site-to-site tunnel. That remote location required that they always see the same IP coming towards them, so the above is a SNAT rule, with that object being the IP they want to see coming towards them.
Hope that's clear =]
