KB ID 0000977
I have answered a lot of forum questions worded something like, “When I have a remote client connected to my firewall VPN they lose Internet access!” Traditionally, that’s exactly what the ‘default’ remote VPN solution (IPSEC or AnyConnect) gave you.
To ensure your remote VPN clients can access the Internet you have two options. The first (and most common) way is to enable ‘Split Tunneling’, which lets the user access the Internet from their LOCAL Internet connection.
Or you can provide Internet access via the ASA’s public Internet connection; this is known as a ‘Tunnel All’ solution.
At this point I’m assuming you have a remote VPN set up and working. If not, you need to do that first; here are some walk-throughs I’ve already done to help you set that up.
Option 1 (Split Tunneling)
Rather than re-invent the wheel, I’ve already covered this before in the following article.
Option 2 (Tunnel All Split Tunneling)
1. Connect to the ASA > Go to enable mode > Then to global configuration mode.
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ******
PetesASA# configure terminal
2. Now you need to create a network object for your remote VPN clients (‘show run ip local pool’ should tell you what subnet you are using), and create a NAT rule for traffic originating on the remote client and going back out of the ASA’s outside interface.
PeteASA(config)# object network VPN_Pool
PeteASA(config-network-object)# subnet 10.0.0.0 255.255.255.0
PeteASA(config-network-object)# nat (outside,outside) after-auto source dynamic VPN_Pool interface
3. Now, as traffic is going to come in through the outside interface, turn around, and go back out of the same interface, we need to allow that.
PeteASA(config)# same-security-traffic permit intra-interface
4. Set the group policy for your remote VPN clients to tunnel all traffic.
PeteASA(config)# group-policy SSL_Policy attributes
PeteASA(config-group-policy)# split-tunnel-policy tunnelall
PeteASA(config-group-policy)# split-tunnel-all-dns enable
PeteASA(config-group-policy)# exit
PeteASA(config)#
5. Save the changes.
PeteASA(config)# write mem
Building configuration...
Cryptochecksum: cb28eeb2 3d203272 eda92e1c a3b70d09

3166 bytes copied in 0.890 secs
[OK]
PeteASA(config)#
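One way to check a saved running-config for the pieces configured in steps 2 to 4, as an added example that is not part of the original article. The config excerpt is constructed from the commands above; Legacy_Policy and the function name audit_tunnel_all are hypothetical, and only attributes set directly under the group policy are read (inherited values are not resolved).

```python
import re

# Constructed running-config excerpt: the article's commands plus one
# hypothetical split-tunnel policy (Legacy_Policy) for contrast.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
object network VPN_Pool
 subnet 10.0.0.0 255.255.255.0
nat (outside,outside) after-auto source dynamic VPN_Pool interface
group-policy SSL_Policy attributes
 split-tunnel-policy tunnelall
 split-tunnel-all-dns enable
group-policy Legacy_Policy attributes
 split-tunnel-policy tunnelspecified
"""

def audit_tunnel_all(config, pool_object, policy):
    """Return the tunnel-all prerequisites missing for one group policy."""
    missing = []
    lines = config.splitlines()
    # Step 3: traffic must be allowed to enter and leave the same interface.
    if "same-security-traffic permit intra-interface" not in (l.strip() for l in lines):
        missing.append("same-security-traffic permit intra-interface")
    # Step 2: dynamic PAT for the pool where source and destination interface match.
    nat = re.compile(r"nat \((\S+),(\S+)\) .*source dynamic %s interface"
                     % re.escape(pool_object))
    if not any((m := nat.match(l.strip())) and m.group(1) == m.group(2) for l in lines):
        missing.append("hairpin NAT for " + pool_object)
    # Step 4: collect the attributes set directly under the named group policy.
    attrs, in_policy = {}, False
    for l in lines:
        if not l.startswith(" "):  # a top-level line opens or closes a section
            in_policy = l.strip() == "group-policy %s attributes" % policy
        elif in_policy:
            key, _, value = l.strip().partition(" ")
            attrs[key] = value
    if attrs.get("split-tunnel-policy") != "tunnelall":
        missing.append("split-tunnel-policy tunnelall")
    if attrs.get("split-tunnel-all-dns") != "enable":
        missing.append("split-tunnel-all-dns enable")
    return missing

if __name__ == "__main__":
    for name in ("SSL_Policy", "Legacy_Policy"):
        print(name, audit_tunnel_all(SAMPLE_CONFIG, "VPN_Pool", name) or "OK")
```

An empty list means all four items were found for that policy; anything returned is a command from the steps above that the config lacks.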