09-26-2014 08:59 AM - edited 02-21-2020 07:51 PM
I couldn't find an answer looking through the ASA config in Cisco documentation and using Google. To enable full tunnel for the AnyConnect client group policy, do I just need to change the Split-Tunneling policy to Tunnel All Networks and set the Network List to None if I want anyone who connects with the AnyConnect Secure Mobility client to use the corp internet pipe?
09-26-2014 10:46 AM
That plus you will also need a NAT rule to NAT the VPN pool addresses to the ASA outside interface (or whatever address / pool you normally use for dynamic NAT).
There are some good examples with illustrations in this document.
09-26-2014 11:18 AM
Marvin,
Thanks for the reply. OK, so set up the NAT for the VPN pool and then make the changes to the Group Policy in ASDM to tunnelall and set the network list to None. I've already added the same-security-traffic permit intra-interface. That should be it to turn our current policy from split-tunnel to tunnelall?
09-26-2014 11:33 AM
You're welcome.
Yes, those would be the general steps one would take. I can't say for sure if there are any other considerations without knowing your complete configuration but that should set you on the right path.
09-26-2014 11:56 AM
One of the caveats is our AnyConnect clients are set to get IPs issued by our internal DHCP server, not from a pool set up on the ASA. Outside of that, we use AAA with LDAP.
Instead of switching our current one, would it be easier to create a new group that needs the tunnelall?
09-26-2014 01:52 PM
I don't know that one method vs. the other would be easier. End users tend to like accessing things the same way if that's at all practical.
You might try using a non-aliased profile for your own testing to verify it works as desired and then put those bits into the production profile when you're satisfied. (A profile without an alias won't show up in the drop-down list but can be set up to be accessed via a direct URL.)
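The pieces discussed in this thread, collected into one ASA CLI fragment as an added example (not taken from the thread or from Cisco documentation); the object name, group-policy name and the 10.10.10.0/24 client range are assumed placeholders, and if clients get addresses from the internal DHCP server instead of an ASA pool, the VPN-CLIENTS object must cover that DHCP scope:

```text
! Allow traffic that arrives on the outside interface from the VPN to leave via the same interface
same-security-traffic permit intra-interface

! Addresses assigned to AnyConnect clients (assumed range; use the real pool or DHCP scope)
object network VPN-CLIENTS
 subnet 10.10.10.0 255.255.255.0

! Hairpin PAT: Internet-bound client traffic is translated to the outside interface address
nat (outside,outside) source dynamic VPN-CLIENTS interface

! Group policy: tunnel all traffic, no split-tunnel network list
group-policy GP-TUNNELALL internal
group-policy GP-TUNNELALL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
```

Any existing identity (no-NAT) rule for inside-to-VPN traffic is left in place; the new rule only covers the client-to-Internet path that split tunneling used to keep off the ASA.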
09-26-2014 01:55 PM
Thanks Marvin. Really appreciate the input. I'll look into both.