We have Remote VPN working and we can access our office network from a remote VPN client, and the other way around also.
We would now like to extend this config so that, when accessing a set of IPs on the internet (our website), any remote VPN clients must route their traffic over the VPN (so the website sees our office IP, not the remote client's internet IP).
VPN Pool: 192.168.4.0/24
External IP of website is within the group 'rackspace-public-ips'
We can successfully ping from 192.168.2.0 <> 192.168.4.0
We can successfully access public internet addresses. However, when we enable a split tunnel, we cannot access the 'rackspace-public-ips' address any more.
access-list vpn_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list vpn_splitTunnelAcl_1 standard permit x.x.x.x 255.255.255.252
access-list vpn_splitTunnelAcl_1 standard permit x.x.x.x 255.255.255.248
(where x.x.x.x are the individual IPs defined within the rackspace-public-ips group)
access-list officenetwork_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.4.0 255.255.255.0
From what I gather you have a /30 mask subnet and a /29 mask subnet of public IP addresses? Are these located behind the ASA? I mean behind the "officenetwork" interface?
If these are actually public IP addresses on the "publicinternet" interface (or routed towards that interface, since you have 2 subnets) used in Static NAT configurations for the servers, then you are most likely running into a problem with the NAT configurations.
This would be because you are doing NAT0 for the internal IP addresses while you are actually trying to reach the public IP address.
If both of these public subnets are used as NAT IP addresses on the edge of the firewall and not behind it in the internal network (directly on the servers), then I was thinking that trying "deny" statements on the NAT0 configuration might do the trick. (If it is supported; I do remember that it should be supported, but I am not 100% sure.)
access-list officenetwork_nat0_outbound line 1 remark Avoid NAT0 for Server to VPN Client
access-list officenetwork_nat0_outbound line 2 deny ip host 192.168.4.0 255.255.255.0
access-list officenetwork_nat0_outbound line 3 deny ip host 192.168.4.0 255.255.255.0
and so on.
So whether any of the above makes sense depends on whether the public IP addresses are located behind the ASA on the internal network, or whether they are actually the public NAT IP addresses of hosts on the network 192.168.2.0/24.
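To see the mismatch the reply describes, here is an added example (not from either poster or from Cisco) that parses ACL lines in the thread's format and, for a given VPN client and destination, reports whether the split-tunnel ACL sends the packet down the tunnel and whether the NAT0 ACL covers the server-to-client direction. It assumes 203.0.113.0/30 in place of the elided x.x.x.x Rackspace prefix and expands the DM_INLINE_NETWORK_1 object-group to 192.168.2.0/24; both are assumptions.

```python
"""Evaluate ASA split-tunnel and NAT0 ACLs for a remote VPN client's flow."""
import ipaddress
import re

# Constructed ACL lines in the same shape as the thread's config (assumed values).
ASA_CONFIG = """
access-list vpn_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list vpn_splitTunnelAcl_1 standard permit 203.0.113.0 255.255.255.252
access-list officenetwork_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
"""

STD_RE = re.compile(r"access-list (\S+) standard (permit|deny) (\S+) (\S+)")
EXT_RE = re.compile(r"access-list (\S+) extended (permit|deny) ip (.+)")
ANY = ipaddress.ip_network("0.0.0.0/0")

def _addr(tokens):
    """Consume one ASA address spec (any | host A | NET MASK) -> (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acls(text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in config order.
    A standard ACL only names the destination, so its source is 'any'."""
    acls = {}
    for line in text.strip().splitlines():
        if m := STD_RE.match(line):
            name, action, net, mask = m.groups()
            acls.setdefault(name, []).append((action, ANY, ipaddress.ip_network(f"{net}/{mask}")))
        elif m := EXT_RE.match(line):
            name, action, rest = m.groups()
            src, rest = _addr(rest.split())
            dst, _ = _addr(rest)
            acls.setdefault(name, []).append((action, src, dst))
    return acls

def first_match(entries, src, dst):
    """ASA ACLs are first-match; None means the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((a for a, sn, dn in entries if s in sn and d in dn), None)

def classify_flow(acls, client_ip, dst_ip):
    """Is the client->dst packet tunneled, and does NAT0 exempt the dst->client return path?"""
    tunneled = first_match(acls["vpn_splitTunnelAcl_1"], client_ip, dst_ip) == "permit"
    nat0_exempt = first_match(acls["officenetwork_nat0_outbound"], dst_ip, client_ip) == "permit"
    return {"tunneled": tunneled, "nat0_exempt": nat0_exempt}
```

A destination that is tunneled but not NAT0-exempt is exactly the case the reply is pointing at: the public prefix is in the split-tunnel list, but the NAT exemption only knows the internal 192.168.2.0/24 addresses.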