KB ID 0000977 Dtd 02/08/14
I have answered a lot of forum questions that are worded something like, "When I have a remote client connected to my firewall VPN they lose Internet access!" Traditionally that's exactly what the 'default' remote VPN solution (IPSEC or AnyConnect) gave you.
To ensure your remote VPN clients can access the Internet you have two options. The first (and most common) way is to enable 'Split Tunneling'. This lets the user access the Internet from their LOCAL Internet connection.
Or you can provide Internet access via the ASA's public Internet connection. This is known as a 'Tunnel All' solution.
At this point I'm assuming you have a remote VPN set up and working. If not, you need to do that first. Here are some walk-throughs I've already done to help you set that up.
Cisco ASA 5500 AnyConnect Setup From Command Line (Note: Split tunneling is covered in this article.)
Cisco ASA 5500 IPSEC VPN Setup (Note: Split tunneling is covered in this article.)
Option 1 (Split Tunneling)
Rather than re-invent the wheel, I've already covered this before in the following article.
Option 2 (Tunnel All Split Tunneling)
1. Connect to the ASA > Go to enable mode > Then to global configuration mode.
2. Now you need to create an object group for your remote VPN clients ('show run ip local pool' should tell you what subnet you are using), and create a NAT rule for traffic originating on the remote client and going back out of the ASA's outside interface.
3. Now, as traffic is going to come in through the outside interface, turn around, and go back out of the same interface, we need to allow that.
5. Save the changes.
3166 bytes copied in 0.890 secs [OK] PeteASA(config)#
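To confirm that a saved configuration actually contains what steps 2 and 3 describe, the following added example (not code from the original article) parses a running-config and reports which hairpin prerequisites are missing. The sample config is constructed; the object name, pool range, the 'outside' interface name and the ASA 8.3+ object NAT syntax it checks for are assumptions, since the article's own commands are not shown.

```python
import ipaddress

# Constructed sample running-config; names and addresses are made up.
SAMPLE = """\
ip local pool VPN-POOL 10.254.254.1-10.254.254.100 mask 255.255.255.0
same-security-traffic permit intra-interface
object network OBJ-VPN-CLIENTS
 subnet 10.254.254.0 255.255.255.0
object network OBJ-VPN-CLIENTS
 nat (outside,outside) dynamic interface
"""

def audit_hairpin(config, ifname="outside"):
    """Return the tunnel-all prerequisites missing from an ASA config (object NAT only)."""
    pools, objects, current, intra = [], {}, None, False
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):          # top-level command
            current = None
            if words[:3] == ["ip", "local", "pool"] and len(words) >= 5:
                first, _, last = words[4].partition("-")   # range or single address
                pools.append((ipaddress.ip_address(first),
                              ipaddress.ip_address(last or first)))
            elif words[:2] == ["object", "network"] and len(words) == 3:
                # The same object can appear twice (definition, then its NAT).
                current = objects.setdefault(words[2], {"net": None, "nat": False})
            elif words == ["same-security-traffic", "permit", "intra-interface"]:
                intra = True
        elif current is not None:             # indented line inside an object
            if words[0] == "subnet" and len(words) == 3:
                current["net"] = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
            elif words == ["nat", f"({ifname},{ifname})", "dynamic", "interface"]:
                current["nat"] = True
    missing = []
    if not pools:
        missing.append("no 'ip local pool' found")
    for first, last in pools:
        covered = any(o["nat"] and o["net"] and first in o["net"] and last in o["net"]
                      for o in objects.values())
        if not covered:
            missing.append(f"pool {first}-{last}: no ({ifname},{ifname}) dynamic NAT")
    if not intra:
        missing.append("'same-security-traffic permit intra-interface' not set")
    return missing

if __name__ == "__main__":
    print(audit_hairpin(SAMPLE) or "hairpin prerequisites present")
```

A NAT rule written in the manual (twice NAT) form is not recognised by this check and would be reported as missing.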