03-05-2013 05:03 PM
Unfortunately, I've run into an unexpected issue, and it's looking like, I think, there is only one solution. Looking for any recommendations out there.
The issue is we unfortunately have our LAN running on 192.168.1.0/24, and there's obviously a high chance that users at home are running the same subnet. It's been an ongoing situation: when users log in via the VPN, traffic doesn't get back to the office because the local subnet is the same (the local gateway is 192.168.1.1).
I'm thinking the only resolution is to change the internal LAN subnet. The equipment involved is an ASA 5525-X running 9.1.1.
Any recommendations would be greatly appreciated!
Sent from Cisco Technical Support iPhone App
03-05-2013 05:46 PM
Why don't you use an IP address pool to assign addresses to remote users?
03-05-2013 08:14 PM
Hello Kenneth,
Are you referring to any kind of remote access VPN?
If this is the case then you have to assign an IP to each of the clients that will be different from the LAN they are already using in their environment, so as long as the IP address being handed out by the ASA or DHCP server is different from 192.168.1.0/24 there would not be any issues at all.
Or are we talking about an L2L VPN scenario? Because if this is the case you could use a double NAT to fix this (NAT both source and destination).
Explain to us what is going on here.
Regards,
03-05-2013 08:19 PM
@Keith - Thanks for the response.
@Jcarvaja - Yes, referring to any kind of RA VPN, as this is for remote-access VPN (utilizing a client). Ah, I see what you're saying. I knew this was possible, I just wasn't sure how. Would this then mean that I would need to add routing (assuming yes, but just want to clarify) to allow the VPN subnet to communicate with the internal LAN?
Ex: assign the VPN scope 10.1.1.0/24. In order to get the 10.1.1.0 subnet to speak to the LAN (192.168.1.0), I now need to introduce routing in the configuration, correct? Or is there something that can do that within the client automatically?
Thanks for the explanation from the both of you.
03-05-2013 09:28 PM
Hello Kenneth,
If this is AnyConnect, reverse route injection gets done automatically, but I would say that as usual you have a default route pointing to your ISP, right? So that would cover the VPN pool, so no problem at all.
Regards,
Remember to rate all of the helpful posts ( If you do not know how to rate a post just let me know)
03-07-2013 12:51 PM
I'm not sure if I am explaining it correctly, for example:
MOST IMPORTANT: This is all because of one application. The app sits on the home user's laptop and when launched talks back to the application server at the corporate office.
Moving forward.....
The home user has a home modem/router that is handing out 192.168.1.0/24. The corporate office's LAN is 192.168.1.0/24. When the home user launches the AnyConnect client and connects, they currently get handed a 192.168.1.0/24 address from the DHCP pool. Now when the app launches and wants to talk to the server (let's say 192.168.1.119/24), it's going to get routed locally and NOT over the tunnel, as the local home subnet is 192.168.1.0/24.
This is where my issue lies.
03-07-2013 02:51 PM
I'm starting to think Smart Tunnel, tunnel-all, or NATting might be my solution.
03-08-2013 05:37 AM
Hi,
It would seem that there would be less trouble in having the home user change his/her home LAN. I'd imagine that most people have nothing special set up on their LAN that would make any difference as to what their local network is.
I don't know what application we are using, but I presume that the destination IP address can't be changed because it's also used at the corporate network, and changing the IP address would again cause problems when moving from home to work? Then again, this could probably be worked around with NAT, but it would just complicate the setup.
Is there an option to change the IP address or configure a secondary IP address of some sort?
In that case you could consider NATing the company LAN 192.168.1.0/24 to an equal-sized /24 NAT network which would be accessed through the VPN client. Unless there is something regarding the application that prevents the use of such a NAT?
If I understood you correctly then your problem is that
As I mentioned before, you could consider a NAT if the application and setup permit it.
It might be something like this:
object network LAN
subnet 192.168.1.0 255.255.255.0
object network LAN-MAPPED-VPN
subnet 10.10.1.0 255.255.255.0
object network VPN-POOL
subnet 192.168.255.0 255.255.255.0
nat (inside,outside) source static LAN LAN-MAPPED-VPN destination static VPN-POOL VPN-POOL
And if you are using split tunneling then your ACL would naturally change from
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
to
access-list SPLIT-TUNNEL standard permit 10.10.1.0 255.255.255.0
Though I kind of suspect that it will not be possible to have the remote user connect to an IP address other than one in the 192.168.1.x/24 range because of the application used?
- Jouni
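The following is an added worked example, not part of the thread or of anyone's posted configuration. It models two things the thread discusses: the route-selection problem Kenneth describes (a home LAN and a corporate LAN both on 192.168.1.0/24, so a split-tunnel route for the office LAN collides with the client's own connected route), and the twice-NAT rule Jouni proposes, which presents the office LAN to VPN clients as 10.10.1.0/24 so the tunnel route no longer overlaps anything at home. All addresses are the ones used in the thread (192.168.1.119 as the server, 10.10.1.0/24 as the mapped LAN, 192.168.255.0/24 as the pool); the routing table and the NAT model are simplifications constructed for illustration.

```python
import ipaddress

# Constructed addresses for the example (taken from the thread, not from a live config):
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")        # what the home router hands out
CORP_LAN = ipaddress.ip_network("192.168.1.0/24")        # object network LAN
CORP_LAN_MAPPED = ipaddress.ip_network("10.10.1.0/24")   # object network LAN-MAPPED-VPN
VPN_POOL = ipaddress.ip_network("192.168.255.0/24")      # object network VPN-POOL
APP_SERVER = ipaddress.ip_address("192.168.1.119")       # real server address from the thread


def client_routes(split_tunnel_nets):
    """Simplified routing table of the home PC after AnyConnect connects: the connected
    home LAN, a default route via the home router, and one tunnel route per entry in the
    split-tunnel ACL."""
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), "home-router"),
        (HOME_LAN, "home-lan"),
    ]
    routes += [(net, "anyconnect") for net in split_tunnel_nets]
    return routes


def egress_for(dst, routes):
    """Longest-prefix match. Returns the egress name, or 'overlap' when two routes of equal
    length both cover dst. That is the situation in the thread: which route wins then depends
    on the client OS, and for the poster the local LAN won, so the app never used the tunnel."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in routes if dst in net]
    longest = max(p for p, _ in matches)
    winners = {iface for p, iface in matches if p == longest}
    return winners.pop() if len(winners) == 1 else "overlap"


def _remap(addr, from_net, to_net):
    """Move an address from one /24 into the other, keeping the host part (static NAT)."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


def asa_twice_nat(src, dst, direction):
    """Model of the rule
       nat (inside,outside) source static LAN LAN-MAPPED-VPN destination static VPN-POOL VPN-POOL
    applied to one packet. Returns (translated_src, translated_dst) as strings."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "inside->outside" and src in CORP_LAN and dst in VPN_POOL:
        # server reply towards a VPN client: real source rewritten to its mapped address
        return str(_remap(src, CORP_LAN, CORP_LAN_MAPPED)), str(dst)
    if direction == "outside->inside" and src in VPN_POOL and dst in CORP_LAN_MAPPED:
        # client request to the mapped address: destination untranslated to the real server
        return str(src), str(_remap(dst, CORP_LAN_MAPPED, CORP_LAN))
    return str(src), str(dst)  # rule does not match; packet forwarded unchanged


def demo():
    """Before: split-tunnel ACL permits the real LAN, so the server address is covered by two
    /24 routes on the client. After: the ACL permits the mapped LAN and the client talks to
    10.10.1.119, which only the tunnel route covers."""
    before = egress_for(APP_SERVER, client_routes([CORP_LAN]))
    mapped_server = _remap(APP_SERVER, CORP_LAN, CORP_LAN_MAPPED)
    after = egress_for(mapped_server, client_routes([CORP_LAN_MAPPED]))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("split tunnel for 192.168.1.0/24, client -> 192.168.1.119 egresses via:", before)
    print("split tunnel for 10.10.1.0/24,   client -> 10.10.1.119   egresses via:", after)
    print("ASA untranslates request:", asa_twice_nat("192.168.255.10", "10.10.1.119", "outside->inside"))
    print("ASA translates reply:    ", asa_twice_nat("192.168.1.119", "192.168.255.10", "inside->outside"))
```

The point of the model is the caveat Jouni raises at the end of the post: the fix only helps if the application on the laptop can be pointed at 10.10.1.119 instead of 192.168.1.119, because it is the client-side destination address that decides which route carries the packet. The ASA side is symmetric static NAT, so return traffic from the real server is rewritten back to the mapped address without any additional rule.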