Help ASA Tunneled Traffic with Switch

f.mottini
Level 1

Dear community, I need help with a configuration; I'll try to explain:

I have some clients with AnyConnect 3.0 configured.

I want all traffic (to the LAN and to the Internet) to be tunneled in the SSL VPN. On the ASA I configured a route so that all tunneled traffic goes to the 3750 switch:

route inside 0.0.0.0 0.0.0.0 192.168.80.229 tunneled

The switch has this configuration for routing:

ip default-gateway 192.168.80.228

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.80.228

If I have a PC whose default gateway is the switch IP 192.168.80.229, everything works fine, but the VPN client has a problem: it can't reach the Internet.

I attach a schema and a configuration.

If I browse only through the ASA with the VPN client, everything works. But if I try to tunnel the VPN traffic to the switch, have it come back, and then go to the Internet, everything stops working.

I hope I have explained the problem well.

Can some one help me?

Thanks a lot, best regards

1 Reply

Herbert Baerten
Cisco Employee

Hi f,

I don't understand the colored lines in your schema.jpg, so maybe I am missing the point here, but why do you want the VPN traffic to go through the switch? I think it would make more sense to make the U-turn on the ASA itself.

I.e. remove the tunneled default route, add "same-security-traffic permit intra-interface" (this will allow traffic to go out the same interface it entered on, i.e. VPN traffic will enter on the outside and go back out the outside to the Internet), and add a NAT rule for the VPN-to-Internet traffic, something like

object network vpn-pool-ip

    nat (outside,outside) dynamic interface

If you really need to pass the traffic through the switch, I think the only way to achieve that is to NAT it before sending it to the switch, or NAT it on the switch.

hth

Herbert
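Putting the reply's three steps together as a complete ASA hairpin configuration, with a verification step at the end. This is an added example, not Herbert's or the original poster's configuration; the pool name VPN-POOL, the 10.10.10.0/24 pool range, the group-policy name ANYCONNECT-GP, the interface name "outside" and the 203.0.113.10 test destination are all assumed/constructed values.

```cisco
! Added example (not from the thread): U-turn AnyConnect traffic on the ASA
! instead of routing it to the 3750. Assumed names/addresses: pool VPN-POOL
! using 10.10.10.0/24 (constructed), group-policy ANYCONNECT-GP, interface
! "outside". The VPN pool must not overlap 192.168.80.0/24 or any inside subnet.
!
! 1. Stop sending tunneled traffic to the switch (the route from the question).
no route inside 0.0.0.0 0.0.0.0 192.168.80.229 tunneled
!
! 2. Allow traffic to leave on the interface it arrived on (outside -> outside).
!    Caveat: this also lets VPN clients reach each other through the ASA
!    unless a vpn-filter or interface ACL restricts it.
same-security-traffic permit intra-interface
!
! 3. Address pool and full-tunnel policy (no split tunneling), so LAN and
!    Internet traffic both enter the tunnel as the poster wants.
ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelall
!
! 4. PAT the VPN pool behind the outside interface address only when the
!    traffic hairpins back out to the Internet (ASA 8.3+ object NAT syntax).
!    Traffic from the pool to the inside LAN is not matched by this rule.
object network VPN-POOL-NET
 subnet 10.10.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
!
! 5. Verify from privileged EXEC: the (outside,outside) rule should show hits,
!    and packet-tracer for a pool client reaching a public address should end
!    with "Action: allow" and the outside interface as egress.
show nat
packet-tracer input outside tcp 10.10.10.5 40000 203.0.113.10 443
```

If packet-tracer drops the flow at the NAT or route phase, check that the tunneled default route is really gone and that no earlier NAT rule (e.g. an older (inside,outside) rule) also matches the pool.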