How to change AnyConnect remote VPN to full tunnel from split tunnel?

Evin Hill
Level 1

I couldn't find an answer looking through the ASA config in Cisco documentation and using Google.  To enable full tunnel for the AnyConnect client group policy, do I just need to change the Split-Tunneling policy to Tunnel All Networks and set the Network List to None if I want anyone who connects with the AnyConnect Secure Mobility client to use the corp internet pipe?  

6 Replies

Marvin Rhoads
Hall of Fame

That plus you will also need a NAT rule to NAT the VPN pool addresses to the ASA outside interface (or whatever address / pool you normally use for dynamic NAT).

There are some good examples with illustrations in this document.

Marvin,

Thanks for the reply. Ok, so set up the NAT for the VPN pool and then make the changes to the Group Policy in ASDM to tunnelall and set the network list to None. I've already added the same-security-traffic permit intra-interface. That should be it to turn our current policy from split-tunnel to tunnelall?

You're welcome.

Yes, those would be the general steps one would take. I can't say for sure if there are any other considerations without knowing your complete configuration but that should set you on the right path.
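The steps agreed above (tunnelall in the group policy, no network list, hairpin NAT for the client addresses, intra-interface traffic permitted), written out as ASA CLI. This is an added example, not configuration posted in the thread; object names, the group-policy name, the address ranges and the 8.3+ NAT syntax are assumptions chosen for illustration.

```cisco
! Added example (not from the thread): converting an AnyConnect group policy
! from split tunneling to tunnelall on an ASA using 8.3+ NAT syntax.
! All names and addresses below are assumptions for illustration.

! --- Before: split tunnel, only corporate subnets ride the VPN ---
access-list SPLIT-TUNNEL-ACL standard permit 10.0.0.0 255.0.0.0
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL

! --- After: tunnel everything, so client Internet traffic uses the corp pipe ---
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list none

! Client Internet traffic now enters and leaves on the same (outside)
! interface, so hairpinning must be allowed.
same-security-traffic permit intra-interface

! The addresses clients actually receive. If addresses come from an
! external DHCP server rather than an ASA local pool, this object must
! cover that DHCP scope.
object network VPN-CLIENT-ADDRS
 subnet 10.200.0.0 255.255.255.0

object network INSIDE-NETS
 subnet 10.0.0.0 255.0.0.0

! Order matters: manual NAT rules are evaluated top-down. Keep the
! identity (NAT-exempt) rule for inside <-> VPN traffic ABOVE the hairpin
! rule so corporate destinations are still reached untranslated.
nat (inside,outside) source static INSIDE-NETS INSIDE-NETS destination static VPN-CLIENT-ADDRS VPN-CLIENT-ADDRS no-proxy-arp route-lookup

! Hairpin NAT: VPN client addresses leaving toward the Internet are
! translated to the outside interface address (outside -> outside).
nat (outside,outside) source dynamic VPN-CLIENT-ADDRS interface

! Verification after a client reconnects (the policy is applied at logon):
!   show vpn-sessiondb detail anyconnect
!   show nat detail
!   packet-tracer input outside tcp 10.200.0.10 40000 203.0.113.10 443
```

Clients already connected keep their old split-tunnel settings until they reconnect, and the packet-tracer line should show the flow matching the hairpin NAT rule and egressing outside rather than being dropped.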

One of the caveats is our AnyConnect clients are set to get IPs issued by our internal DHCP server, not from a pool set up on the ASA. Outside of that, we use AAA with LDAP.

Instead of switching our current one, would it be easier to create a new group that needs the tunnelall?  

I don't know that one method vs. the other would be easier. End users tend to like accessing things the same way if that's at all practical.

You might try using a non-aliased profile for your own testing to verify it works as desired and then put those bits into the production profile when you're satisfied. (A profile without an alias won't show up in the drop down list but can be setup to be accessed via a direct URL.) 
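The non-aliased test profile suggested above, as an added example (not configuration from the thread): a tunnel-group with a group-url but no group-alias is absent from the client's drop-down list yet reachable by entering the URL directly. The group-policy and tunnel-group names and the hostname are assumptions for illustration.

```cisco
! Added example (not from the thread): a test connection profile with no
! group-alias, so it is hidden from the AnyConnect drop-down but reachable
! by direct URL. Names and the hostname are assumptions for illustration.

group-policy ANYCONNECT-TUNNELALL-GP internal
group-policy ANYCONNECT-TUNNELALL-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 split-tunnel-network-list none

tunnel-group ANYCONNECT-TEST type remote-access
tunnel-group ANYCONNECT-TEST general-attributes
 default-group-policy ANYCONNECT-TUNNELALL-GP
 ! authentication-server-group and address assignment (local pool or
 ! dhcp-server) configured the same way as the production tunnel-group
tunnel-group ANYCONNECT-TEST webvpn-attributes
 ! deliberately no "group-alias": the profile is not listed for users
 group-url https://vpn.example.com/tunnelall-test enable

! Testers connect by typing the group-url into the AnyConnect client.
! Once tunnelall and the hairpin NAT are verified, move those settings
! into the production group policy and remove this tunnel-group.
```

Because the NAT rules are global rather than per tunnel-group, the hairpin NAT for the client address range must already be in place for this test profile to reach the Internet through the ASA.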

Thanks Marvin.  Really appreciate the input.  I'll look into both.