
VPN Connection Preference

Quintin.Mayo
Level 3

Hi,

I'm hoping someone can help with this task. We want our remote users, when connecting via VPN, to use the company Internet connection instead of their own (home) connection. Can someone advise on this procedure? It would be greatly appreciated.

 

Quintin

5 Replies

GioGonza
Level 4
Hello @Quintin.Mayo,

Which device are you using for this task?

Gio

We are using an ASA 5520 device.

The trick here is to set up the group-policy to Tunnel All and configure the U-Turn for the traffic; that means a NAT, normally nat (outside,outside), for the traffic.

Also make sure you have the command same-security-traffic permit intra-interface, here is a link for your reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html

HTH
Gio

Hi,
Can you provide an example of how the NAT statement would look, since the traffic will be unknown from the user when initializing the VPN connection from their home? Sorry, I'm new to the ASA world. Also, how would the group policy config look as well?
Thanks

Hi,

This will be the example for the configuration:

ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0

group-policy clientgroup internal
group-policy clientgroup attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall

tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
 address-pool vpnpool
 default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
 group-alias sslgroup_users enable

object network obj-AnyconnectPool
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
! This is the NAT statement for Internet; you can do it under the object for the AC Pool.

HTH
Gio
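
The three pieces named in this thread (a tunnelall group-policy, same-security-traffic permit intra-interface, and nat (outside,outside) on the object covering the VPN pool) can be checked against a saved configuration. The script below is an added example, not part of any post in the thread; its function names and sample config are constructed, the interface is assumed to be named outside, and it reads only explicitly configured settings (no group-policy inheritance).

```python
import ipaddress
import re

# Constructed sample: the thread's config without the same-security-traffic command.
SAMPLE = """\
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
group-policy clientgroup attributes
 split-tunnel-policy tunnelall
tunnel-group sslgroup general-attributes
 address-pool vpnpool
 default-group-policy clientgroup
object network obj-AnyconnectPool
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
"""

def sections(cfg):
    """Map each top-level config line to its indented sub-commands."""
    out, head = {}, None
    for line in filter(str.strip, cfg.splitlines()):
        head = head if line[0] == " " else line.strip()
        body = out.setdefault(head, [])  # repeated sections are merged
        if line[0] == " ":
            body.append(line.strip())
    return out

def check_hairpin(cfg):
    """Return the prerequisites for tunnel-all Internet access that are missing."""
    sec, problems = sections(cfg), []
    if "same-security-traffic permit intra-interface" not in sec:
        problems.append("same-security-traffic permit intra-interface is missing")
    pool_re = r"ip local pool (\S+) (\S+)-(\S+) mask \S+"
    pools = {m[1]: m.groups()[1:] for m in (re.fullmatch(pool_re, h) for h in sec) if m}
    # Subnets of network objects that carry the U-turn NAT (assumed interface: outside).
    nets = [ipaddress.ip_network("/".join(c.split()[1:3]))
            for h, b in sec.items() if h.startswith("object network ")
            and any(c.startswith("nat (outside,outside)") for c in b)
            for c in b if c.startswith("subnet ")]
    for h, b in sec.items():
        m = re.fullmatch(r"tunnel-group (\S+) general-attributes", h)
        if not m:
            continue
        attrs = dict(c.split(None, 1) for c in b if " " in c)
        gp = attrs.get("default-group-policy")
        if "split-tunnel-policy tunnelall" not in sec.get(f"group-policy {gp} attributes", []):
            problems.append(f"{m[1]}: group-policy {gp} is not tunnelall")
        ends = pools.get(attrs.get("address-pool"), ())
        if not ends or not any(all(ipaddress.ip_address(a) in n for a in ends) for n in nets):
            problems.append(f"{m[1]}: address pool not covered by nat (outside,outside)")
    return problems
```

Run against the sample, check_hairpin(SAMPLE) reports only the missing same-security-traffic command; an empty list means all three pieces are present.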