06-05-2011 08:04 PM
hi
maybe this is a simple question to most of you, but it is confusing me right now.
here is my situation:
home users ------ internet ------ ASA 5510 ----- CORP LAN
we have AnyConnect VPN and remote IPsec VPN; I think the solution should work on both of them.
my question is: "How to enforce home user internet traffic to the VPN tunnel?"
we have "split tunnel" to pass only "interesting traffic" to the VPN tunnel to access the CORP LAN.
but now, I need to enforce all user traffic (internet + CORP LAN) to pass through the VPN tunnel.
so far, I did what I know:
1. remove "split tunnel" from group-policy
2. the addresses in the "remote VPN user address pool" can be NAT/PAT through the ASA 5510
but I don't get why it doesn't work.
any suggestions are appreciated!
thanks!
06-05-2011 08:08 PM
A few things to be configured:
1) Split tunnel policy to be changed from split tunnel to tunnelall
2) Configure NAT on the outside interface to PAT to the same global address.
3) Configure "same-security-traffic permit intra-interface" so traffic from the VPN tunnel destined for the Internet can make a u-turn.
Please share the current configuration if the above still does not resolve the issue. Thanks.
06-05-2011 08:21 PM
hi Jennifer
thanks for your prompt response, as always.
let me make sure I understand your proposal:
1) Split tunnel policy to be changed from split tunnel to tunnelall
so I don't need to remove split tunnel but change it to tunnel all, something like:
group-policy APAC-IS-AnyconnectPolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value APAC_AnyConnect-Split
access-list APAC_AnyConnect-Split standard permit 0.0.0.0 0.0.0.0
2) Configure NAT on the outside interface to PAT to the same global address.
global (outside) 2 220.191.x.x netmask 255.255.255.248
nat (inside) 2 10.197.0.0 255.255.0.0
remote VPN user address pool is 10.197.126.0 255.255.255.0
3) Configure "same-security-traffic permit intra-interface" so traffic from the VPN tunnel destined for the Internet can make a u-turn.
it was done for connecting to a peer L2L VPN through the remote VPN.
I'm not sure if I understand your option 2 correctly? thanks
06-05-2011 08:26 PM
1) For split tunnel policy, here is what you need to change it to:
group-policy APAC-IS-AnyconnectPolicy attributes
split-tunnel-policy tunnelall
no split-tunnel-network-list value APAC_AnyConnect-Split
2) NAT statement needs to be configured on the outside interface because VPN traffic is coming from the outside, not inside. Here is the NAT command:
nat (outside) 2 10.197.126.0 255.255.255.0
Here, I assume that you already have the global statement configured:
global (outside) 2 220.191.x.x netmask 255.255.255.248
06-05-2011 09:01 PM
hi Jennifer
seems it doesn't work as expected.
below is my configuration, please correct me, thanks!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.197.2.1 255.255.255.0
interface Ethernet0/3
nameif CUoutside
security-level 0
ip address 123.157.x.x 255.255.255.248
same-security-traffic permit intra-interface
object-group network trusted_inside
network-object 10.197.0.0 255.255.128.0
network-object 10.197.255.0 255.255.255.0
object-group network APAC_IS_VPN_Networks
network-object 10.197.126.128 255.255.255.224
access-list VPN_ACL_NONAT extended permit ip object-group trusted_inside object-group APAC_IS_VPN_Networks
global (CUoutside) 2 123.157.x.x netmask 255.255.255.248
nat (inside) 0 access-list VPN_ACL_NONAT
nat (inside) 2 10.197.0.0 255.255.0.0
nat (CUoutside) 2 10.197.126.0 255.255.255.0
route CUoutside 0.0.0.0 0.0.0.0 123.157.x.y
route inside 10.197.0.0 255.255.0.0 10.197.2.11 1
webvpn
enable outside
enable CUoutside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.1025-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.1025-k9.pkg 2
svc image disk0:/anyconnect-linux-2.5.1025-k9.pkg 3
svc profiles MSTRRemAccess2011 disk0:/MSTRRemAccess2011.xml
svc enable
tunnel-group-list enable
group-policy APAC-IS-AnyconnectPolicy internal
group-policy APAC-IS-AnyconnectPolicy attributes
wins-server value 10.15.70.48 10.15.70.61
dns-server value 10.197.80.104 10.15.70.11
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
default-domain value xxx.com
split-dns value corp.xxx.com xxx.com labs.xxx.com
webvpn
svc dtls enable
svc keep-installer installed
svc keepalive 60
svc dpd-interval client 120
svc dpd-interval gateway 120
svc modules value vpngina
svc profiles value MSTRRemAccess2011
svc ask enable
tunnel-group APAC_IS_AnyConnect type remote-access
tunnel-group APAC_IS_AnyConnect general-attributes
authentication-server-group CTC-LOCAL-ACS
default-group-policy APAC-IS-AnyconnectPolicy
tunnel-group APAC_IS_AnyConnect webvpn-attributes
group-alias APAC_IS_Group enable
06-05-2011 09:17 PM
Hi,
Looks like you are missing the tunnelall policy.
group-policy APAC-IS-AnyconnectPolicy attributes
split-tunnel-policy tunnelall
Regards.
06-05-2011 09:48 PM
yes, you are right, I missed it.
awesome! thanks Gustavo, and much appreciated, Jennifer!
05-30-2012 12:04 AM
Will this work with the Cisco VPN client as well, or just AnyConnect?
05-30-2012 12:17 AM
This would work for both the Cisco VPN client and the AnyConnect client.
05-30-2012 04:35 AM
Thank you for the reply.
Found the following link that sent me in the correct direction.
05-14-2015 04:18 PM
Hi Jennifer,
I am trying that on my 5505 with an L2TP/IPsec type of VPN, and the system version is 8.4(1). I manage to get a response from the DNS servers but nothing else. Here is the config:
object network vpn_client
nat (outside,outside) dynamic interface
group-policy my-policy attributes
split-tunnel-policy tunnelall
I also tried this NAT rule for the u-turn and just got the same result:
nat (outside,outside) source dynamic vpn_client interface
I will really appreciate any help. Thanks in advance.
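The three pieces the accepted answer asks for (a tunnelall group-policy, PAT of the VPN pool as it re-enters the outside interface, and the intra-interface permit that allows the u-turn) are spread over several posts above, and the last post hits the fact that ASA 8.3 changed the NAT syntax, so the pre-8.3 commands from the 2011 answer cannot be pasted into an 8.4(1) box. The block below is an added example written for this page, not configuration posted by anyone in the thread or taken from Cisco documentation. It takes the pool 10.197.126.0/24, the inside network 10.197.0.0/16, the group-policy and NO-NAT ACL names and the interface name "outside" from the thread; the object names VPN_POOL and INSIDE_NET and the test address 203.0.113.10 are invented here. Whether this resolves the L2TP/IPsec case in the last post is not established in the thread, so treat the 8.3+ half as the syntactic equivalent of the 2011 fix, not as a diagnosis of that problem.

```text
! ---- ASA 8.2 and earlier: the recipe from the 2011 answer, in one place ----
! Needed in both versions: VPN traffic enters and leaves on the same interface.
same-security-traffic permit intra-interface
!
group-policy APAC-IS-AnyconnectPolicy attributes
 split-tunnel-policy tunnelall
 no split-tunnel-network-list value APAC_AnyConnect-Split
!
! Keep pool <-> inside traffic exempt from NAT (NAT 0 on the inside interface).
access-list VPN_ACL_NONAT extended permit ip 10.197.0.0 255.255.0.0 10.197.126.0 255.255.255.0
nat (inside) 0 access-list VPN_ACL_NONAT
!
! U-turn PAT: the pool is matched on the OUTSIDE interface, because decrypted
! VPN traffic arrives there, not on inside. "interface" uses the outside address.
global (outside) 2 interface
nat (outside) 2 10.197.126.0 255.255.255.0

! ---- ASA 8.3 and later (the 8.4(1) box in the last post) ----
same-security-traffic permit intra-interface
!
object network VPN_POOL
 subnet 10.197.126.0 255.255.255.0
object network INSIDE_NET
 subnet 10.197.0.0 255.255.0.0
!
! Identity (no-NAT) twice-NAT rule for inside <-> pool, entered first so it
! sits above any existing dynamic inside NAT in section 1.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL
!
! U-turn PAT for pool -> Internet, hidden behind the outside interface address.
nat (outside,outside) source dynamic VPN_POOL interface
!
group-policy APAC-IS-AnyconnectPolicy attributes
 split-tunnel-policy tunnelall
!
! Checks (either version): confirm the rule order and trace a pool address toward
! an Internet host; the NAT phase should pick the (outside,outside) rule and the
! translated source should be the outside interface address.
show nat detail
packet-tracer input outside tcp 10.197.126.10 12345 203.0.113.10 80
```

Two things bite in practice. First, the thread's original attempt put the pool in a `nat (inside)` statement; a VPN client's decrypted packets are sourced from the outside interface, so a rule bound to inside never matches them, which is exactly why step 2 of the answer moves the rule to outside. Second, `same-security-traffic permit intra-interface` is a global setting and is easy to forget after a rebuild; without it the packet-tracer above stops at the routing or access-list phase rather than at NAT, which is a quick way to tell the two failures apart.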