08-01-2012 09:29 AM
I currently have a remote "VPN on a stick" configuration setup on an ASA's "outside" interface that provides access to 2 networks on the same side. Hosts are setup in a split tunnel configuration so that only the 134.23/16 and 166.43/16 network traffic is sent to the VPN.
Example: (IPs changed)
(PRIVATE) -- ASA --router------------------- (Internet) ---- Host (any ip) (anyconnect)
|
|------ 134.23.0.0/16
|
|------ 166.43.0.0/16 -------
|
router
|
---------166.43.1.0/24-----
|
|
------ Host (166.43.1.3) (anyconnect)
Tunnel access-list:
access-list tunnel standard permit 166.43.0.0 255.255.0.0
access-list tunnel standard permit 134.23.0.0 255.255.0.0
Even though users can connect from the Internet, the configuration does not provide access to the Internet from the VPN (only access to the two other networks). The problem is that if a host connects from one of the two networks allowed by the VPN but from a "more specific" subnet in that network, the client will follow normal routing rules and not pass traffic through the VPN because the prefix length is longer on the 166.43.1/24 subnet. I am able to add the following configuration to the tunnel to force traffic through the VPN, but this would have to be done for all subnets with a longer prefix than the first two.
access-list tunnel standard permit 166.43.1.0 255.255.255.0
Is there a way to have the AnyConnect VPN client force traffic destined for a network regardless of a more specific route that may exist on the client's machine? (This is done so that the traffic is encrypted, even if the client can connect to the desired machine without the VPN.)
Thanks!
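The longest-prefix-match behaviour described in this post can be checked before changing the ASA. The following script is an added example, not code from the thread or from Cisco; it models the client's forwarding decision by merging the split-tunnel ACL with a hypothetical (constructed) client routing table, lists the client routes that are more specific than a tunnel entry and so bypass the VPN, and renders the extra ACL lines in the same standard-ACL syntax the post uses.

```python
import ipaddress

# Constructed to mirror the thread: the split-tunnel ACL carries two /16s, and the
# AnyConnect client sits on 166.43.1.0/24, a connected route more specific than the /16.
TUNNEL_ACL = ["166.43.0.0/16", "134.23.0.0/16"]
CLIENT_ROUTES = ["0.0.0.0/0", "166.43.1.0/24"]  # hypothetical client routing table


def _nets(prefixes):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def path_for(dst, tunnel_acl, client_routes):
    """Model the client's forwarding decision for one destination.

    The split-tunnel ACL entries and the client's own routes are merged into one
    table and the longest prefix wins. A tie is resolved in favour of the tunnel,
    which matches what the poster observed after adding the /24 to the ACL.
    Returns "tunnel" or "physical".
    """
    addr = ipaddress.ip_address(dst)
    candidates = [(n.prefixlen, 1, "tunnel") for n in _nets(tunnel_acl) if addr in n]
    candidates += [(n.prefixlen, 0, "physical") for n in _nets(client_routes) if addr in n]
    if not candidates:
        return "physical"  # no matching route at all: traffic would not enter the tunnel
    return max(candidates)[2]


def missing_tunnel_entries(tunnel_acl, client_routes):
    """List client routes that are strictly more specific than a tunnel entry.

    Each one is a hole: destinations inside it bypass the VPN (and its encryption)
    even though they fall within a tunneled network, so it needs its own ACL line.
    """
    acl = _nets(tunnel_acl)
    return [str(r) for r in _nets(client_routes)
            if any(r.subnet_of(a) and r.prefixlen > a.prefixlen for a in acl)]


def to_asa_acl(name, prefixes):
    """Render the extra entries in the standard-ACL syntax used in the thread."""
    return [f"access-list {name} standard permit {n.network_address} {n.netmask}"
            for n in _nets(prefixes)]


if __name__ == "__main__":
    for dst in ("166.43.1.3", "166.43.2.3", "134.23.7.7", "8.8.8.8"):
        print(dst, "->", path_for(dst, TUNNEL_ACL, CLIENT_ROUTES))
    holes = missing_tunnel_entries(TUNNEL_ACL, CLIENT_ROUTES)
    print("\n".join(to_asa_acl("tunnel", holes)))
```

Feed it the client's real routing table (for example the output of `route print` or `ip route`, parsed into prefixes) to audit which subnets leak around the tunnel on a given machine.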
08-03-2012 01:53 AM
Do you need to configure split tunneling, or can you route everything via the VPN, even Internet traffic?
If you disable split tunnel, then all traffic will be routed via the VPN tunnel when they are connected.
08-05-2012 08:57 AM
Split tunnel is setup, and for performance reasons we only tunnel traffic for the two /16 networks.
08-06-2012 12:09 AM
What is the VPN client pool that you assigned to the AnyConnect?