Force Certain Public IPs via Split Tunnel

TechDude
Level 1

I'm on the latest ASA release and I am trying to resolve the following scenario:

AnyConnect only services traffic that goes internal, so anything not included in my split tunnel does not get routed. This works awesome.

I need to make it look like VPN clients are coming from our firewall to someone's public IP. What route statement covers this? I get the traffic to come through, but it times out and doesn't go anywhere, unless I need to re-route via the firewall.

1 Reply

Jouni Forss
VIP Alumni

Hi,

If you are talking about tunneling traffic from VPN Client users to the public IP address of some servers that use Static NAT on the ASA firewall then I would imagine you have to do the following things.

  • You will have to include the public IP addresses on the Split Tunnel ACL
  • You will have to modify your NAT0 configurations so that the servers for which traffic is NOT NATed towards the VPN Client users are excluded from the NAT0 configurations so that the Static NAT will take place when connecting through the VPN client.

I would imagine the "harder" one to implement of these 2 mentioned things is modifying the NAT0 configuration for the LAN that is accessed through the VPN Client. If the accessed servers have both NAT0 and Static NAT configurations then the NAT0 will always win when the connecting host is connecting from VPN Client.

The configurations needed (NAT) naturally depend on the software level used.

Hope this helps

- Jouni
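As an added illustration (not part of the thread, and not Jouni's or Cisco's own configuration), here is how the two steps in the reply look in ASA configuration. All addresses, object names and ACL names are made-up placeholders. The NAT lines use the pre-8.3 `nat 0 access-list` / `static` syntax, which matches the NAT0 terminology in the reply; on 8.3 and later the same intent is expressed with `nat (inside,outside) source static ...` identity rules, so the exact lines depend on the software level, as the reply says.

```cisco
! Added example, not from the thread. All names and addresses are placeholders:
!   VPN client pool        192.0.2.0/24
!   inside LAN             10.1.0.0/16
!   server real (inside)   10.1.1.10
!   server public (static) 203.0.113.10

! Address pool handed to AnyConnect users
ip local pool VPN-POOL 192.0.2.1-192.0.2.254 mask 255.255.255.0

! Step 1: the split-tunnel ACL must carry the server's PUBLIC address,
! otherwise the client sends that traffic straight out its local Internet link
! instead of into the tunnel.
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit host 203.0.113.10

group-policy VPN-GP internal
group-policy VPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Step 2: NAT exemption (NAT0) for VPN users reaching the LAN, with the
! static-NAT server excluded by a deny entry placed BEFORE the permit.
! Without the deny, NAT0 matches the server's traffic first and the
! static translation never applies for VPN clients.
access-list NONAT extended deny ip host 10.1.1.10 192.0.2.0 255.255.255.0
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Static NAT that maps the server to its public address
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! Check: trace a client packet (placeholder source 192.0.2.5) to the public
! address and confirm the NAT phase shows the static untranslation to
! 10.1.1.10 rather than a match on the NAT0 rule.
packet-tracer input outside tcp 192.0.2.5 40000 203.0.113.10 443
```

The order of the two NONAT entries is the whole point of step 2: the deny for the server's real address has to come first so that only the rest of the LAN is exempted. `packet-tracer` is a quick way to confirm which NAT rule a VPN client's packet actually hits before touching a production split-tunnel policy.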