How to enforce user internet traffic to VPN tunnel

clin (Level 1)

hi

Maybe this is a simple question to most of you, but it is confusing me right now.

here is my situation:

home users ------ internet ------ ASA 5510----- CORP LAN

We have AnyConnect VPN and remote IPsec VPN; I think the solution should work on both of them.

My question is: "How to enforce home user internet traffic to the VPN tunnel?"

We have "split tunnel" to pass only "interesting traffic" to the VPN tunnel to access the CORP LAN.

But now I need to enforce all user traffic (internet + CORP LAN) to pass through the VPN tunnel.

So far, I did what I know:

1. remove "split tunnel" from the group-policy

2. the addresses in the "remote VPN user address pool" can be NAT/PAT'd through the ASA 5510

But I don't get why it doesn't work.

Any suggestions are appreciated!

thanks !

Accepted Solution

Jennifer Halim (Cisco Employee)

A few things to be configured:

1) Split tunnel policy to be changed from split tunnel to tunnelall

2) Configure NAT on the outside interface to PAT to the same global address.

3) Configure "same-security-traffic permit intra-interface" so traffic from the VPN tunnel destined for the Internet can make a u-turn.

Please share the current configuration if the above still does not resolve the issue. Thanks.


10 Replies


Hi Jennifer,

thanks for your prompt response as always.

Let me understand your proposal:

1) Split tunnel policy to be changed from split tunnel to tunnelall

So I don't need to remove the split tunnel but change it to tunnel all, something like:

group-policy APAC-IS-AnyconnectPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value APAC_AnyConnect-Split

access-list APAC_AnyConnect-Split standard permit 0.0.0.0 0.0.0.0

2) Configure NAT on the outside interface to PAT to the same global address.

global (outside) 2 220.191.x.x netmask 255.255.255.248
nat (inside) 2 10.197.0.0 255.255.0.0

The remote VPN user address pool is 10.197.126.0 255.255.255.0.

3) Configure "same-security-traffic permit intra-interface" so traffic from the VPN tunnel destined for the Internet can make a u-turn.

That was already done for connecting to a peer L2L VPN through the remote VPN.

I'm not sure if I understand your option 2 correctly? Thanks

1) For split tunnel policy, here is what you need to change it to:

group-policy APAC-IS-AnyconnectPolicy attributes
 split-tunnel-policy tunnelall
 no split-tunnel-network-list value APAC_AnyConnect-Split

2) The NAT statement needs to be configured on the outside interface because VPN traffic is coming from the outside, not inside. Here is the NAT command:

nat (outside) 2 10.197.126.0 255.255.255.0

Here, I assume that you already have the global statement configured:

global (outside) 2 220.191.x.x netmask 255.255.255.248
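For reference, here are the three pieces above assembled into one coherent pre-8.3 (nat/global syntax) configuration. This is an added example written for this page, not Jennifer's or the original poster's configuration. It reuses the interface, group-policy, tunnel-group and NAT names posted in the thread; the pool name APAC_VPN_POOL, the pool range, and PATing to the interface address instead of a fixed global address are assumptions.

```cisco
! Added example, not from the thread. Interface, policy and ACL names follow
! the thread; APAC_VPN_POOL and "global ... interface" are assumptions.

! 3) Allow a flow to enter and leave the same interface (VPN -> Internet u-turn).
same-security-traffic permit intra-interface

! Address pool handed out to AnyConnect / IPsec clients (assumed definition).
ip local pool APAC_VPN_POOL 10.197.126.1-10.197.126.254 mask 255.255.255.0

! Corporate LAN <-> VPN pool must NOT be translated (NAT exemption).
! Without this, LAN replies to clients hit the PAT rule and break.
access-list VPN_ACL_NONAT extended permit ip 10.197.0.0 255.255.0.0 10.197.126.0 255.255.255.0
nat (inside) 0 access-list VPN_ACL_NONAT

! 2) One PAT address shared by LAN users and by VPN clients.
!    The pool is NATed on the OUTSIDE interface because decrypted client
!    traffic arrives on CUoutside, not on inside.
global (CUoutside) 2 interface
nat (inside) 2 10.197.0.0 255.255.0.0
nat (CUoutside) 2 10.197.126.0 255.255.255.0

! 1) Force everything through the tunnel and drop the old split list.
group-policy APAC-IS-AnyconnectPolicy attributes
 split-tunnel-policy tunnelall
 no split-tunnel-network-list value APAC_AnyConnect-Split

tunnel-group APAC_IS_AnyConnect general-attributes
 address-pool APAC_VPN_POOL
```

To confirm the u-turn is actually in place before reconnecting a client, run packet-tracer from the outside interface with a pool address as the source, e.g. `packet-tracer input CUoutside tcp 10.197.126.10 12345 198.51.100.1 80`; the NAT phase should show the (CUoutside) rule and the result should be ALLOW, and `show xlate` will then show pool addresses translated to the interface address once a client browses. Note that tunnelall also removes the client's local-LAN access (home printers, NAS), which is the intended effect of forcing all traffic through the corporate egress.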

Hi Jennifer,

it seems it doesn't work as expected.

Below is my configuration; please correct me, thanks!

interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.197.2.1 255.255.255.0

interface Ethernet0/3
 nameif CUoutside
 security-level 0
 ip address 123.157.x.x 255.255.255.248

same-security-traffic permit intra-interface

object-group network trusted_inside
 network-object 10.197.0.0 255.255.128.0
 network-object 10.197.255.0 255.255.255.0

object-group network APAC_IS_VPN_Networks
 network-object 10.197.126.128 255.255.255.224

access-list VPN_ACL_NONAT extended permit ip object-group trusted_inside object-group APAC_IS_VPN_Networks

global (CUoutside) 2 123.157.x.x netmask 255.255.255.248
nat (inside) 0 access-list VPN_ACL_NONAT
nat (inside) 2 10.197.0.0 255.255.0.0
nat (CUoutside) 2 10.197.126.0 255.255.255.0

route CUoutside 0.0.0.0 0.0.0.0 123.157.x.y
route inside 10.197.0.0 255.255.0.0 10.197.2.11 1

webvpn
 enable outside
 enable CUoutside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-2.5.1025-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.5.1025-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.5.1025-k9.pkg 3
 svc profiles MSTRRemAccess2011 disk0:/MSTRRemAccess2011.xml
 svc enable
 tunnel-group-list enable

group-policy APAC-IS-AnyconnectPolicy internal
group-policy APAC-IS-AnyconnectPolicy attributes
 wins-server value 10.15.70.48 10.15.70.61
 dns-server value 10.197.80.104 10.15.70.11
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 default-domain value xxx.com
 split-dns value corp.xxx.com xxx.com labs.xxx.com
 webvpn
  svc dtls enable
  svc keep-installer installed
  svc keepalive 60
  svc dpd-interval client 120
  svc dpd-interval gateway 120
  svc modules value vpngina
  svc profiles value MSTRRemAccess2011
  svc ask enable

tunnel-group APAC_IS_AnyConnect type remote-access
tunnel-group APAC_IS_AnyConnect general-attributes
 authentication-server-group CTC-LOCAL-ACS
 default-group-policy APAC-IS-AnyconnectPolicy
tunnel-group APAC_IS_AnyConnect webvpn-attributes
 group-alias APAC_IS_Group enable

Hi,

Looks like you are missing the tunnelall policy.

group-policy APAC-IS-AnyconnectPolicy attributes
 split-tunnel-policy tunnelall

Regards.

Yes, you are right, I missed it.

Awesome! Thanks Gustavo, and appreciate it, Jennifer!

Will this work with the Cisco VPN client as well, or just AnyConnect?

This would work for both the Cisco VPN client and the AnyConnect client.

Thank you for the reply.

Found the following link that sent me in the correct direction.

https://supportforums.cisco.com/docs/DOC-11640

Hi Jennifer,

I am trying that on my 5505 with an L2TP/IPsec type of VPN, and the system version is 8.4(1). I managed to get a response from the DNS servers but nothing else. Here is the config:

object network vpn_client
 nat (outside,outside) dynamic interface

group-policy my-policy attributes
 split-tunnel-policy tunnelall

I also tried this NAT rule for the u-turn and got the same result:

nat (outside,outside) source dynamic vpn_client interface

I will really appreciate any help. Thanks in advance
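The accepted answer is written in the pre-8.3 nat/global syntax, while the last post runs 8.4(1), where NAT is expressed with network objects and manual (twice) NAT and the rule order matters. Below is the same "tunnelall plus u-turn" design written for the 8.3+ NAT model. This is an added example for this page, not a reply from the thread and not a diagnosis of the poster's configuration; the object names CORP_LAN and VPN_POOL_NET, the pool VPN_POOL and its range, the 10.197.x.x addressing, and the interface name "outside" are assumptions, and the group-policy name my-policy is taken from the post.

```cisco
! Added example, not from the thread. All names and addresses are assumptions.

! Allow the decrypted client traffic to leave via the interface it arrived on.
same-security-traffic permit intra-interface

! Pool handed to L2TP/IPsec or AnyConnect clients (assumed).
ip local pool VPN_POOL 10.197.126.1-10.197.126.254 mask 255.255.255.0

! Corporate LAN: PATed to the outside interface address on the way out.
object network CORP_LAN
 subnet 10.197.0.0 255.255.0.0
 nat (inside,outside) dynamic interface

! VPN pool: the hairpin. Traffic re-enters "outside" from the tunnel and is
! PATed to the outside interface address before going back out.
object network VPN_POOL_NET
 subnet 10.197.126.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Identity (no-translation) rule for LAN <-> VPN pool. Manual NAT is evaluated
! before object NAT, so without this rule client traffic bound for the LAN
! falls through to the dynamic PAT rules above and is translated.
nat (inside,outside) source static CORP_LAN CORP_LAN destination static VPN_POOL_NET VPN_POOL_NET

! Force all client traffic into the tunnel.
group-policy my-policy attributes
 split-tunnel-policy tunnelall
```

With this in place `show nat` should list the identity rule in section 1 and the two dynamic rules in section 2, and `packet-tracer input outside tcp 10.197.126.10 12345 198.51.100.1 80` should pass with the (outside,outside) translation shown in the NAT phase, while the same trace towards a 10.197.0.0/16 host should show the identity rule and no translation. In 8.4(1) each network object can carry only one nat statement, which is why the identity rule is written as manual NAT rather than inside the objects.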