Cisco AnyConnect clients connect to the Internet via an L3 device on the inside zone of the ASA (default gateway is on the remote network)

cisco-anyconnect, cisco-asa

I am testing an implementation of AnyConnect where the AnyConnect client, after establishing an IPsec VPN tunnel, must exit to the Internet via an L3 device that is located on the same network as the RA VPN clients, behind the inside interface of the ASA.

There is no split tunneling; tunnelall is defined.

After connecting, the VPN client gets the appropriate default gateway from the pool of IP addresses: the address that ends with .1. That is the address of my L3 device.

After connecting, the VPN client can ping every host behind the ASA inside interface, including the default gateway.

Also, I can ping the VPN client from hosts on the inside network.

But I cannot exit to the Internet. What could be the problem?

When I tried to connect, in the logs I see a message … "Flow is a loopback" … something like that.

What should I pay attention to?

Best Answer

The "Flow is a loopback" log message indicates that the traffic is entering and exiting on the same ASA interface, and by default the ASA does not allow this traffic.

To fix this issue, you need two things:

  • Explicitly permit this traffic on the ASA with the command same-security-traffic permit intra-interface
  • And a dynamic NAT rule for AnyConnect clients (let us say they are in the VPN_Pool object-group) to access the Internet. For example: nat (outside,outside) after-auto source dynamic VPN_Pool interface (I assume that your Internet-facing interface is outside).

I hope it is helpful and you can solve it.
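The two steps from the answer above, written out as an ASA CLI configuration with a verification step. This is an added example, not configuration posted by the asker or the answerer. It assumes an ASA 9.x, an Internet-facing interface named outside, a VPN pool of 192.168.100.50 to 192.168.100.100 carved out of the inside 192.168.100.0/24 network (the layout the question describes), a network object named VPN_Pool that covers exactly that pool, and a public test host 198.51.100.10; all of these are assumptions. Note that with this approach the Internet-bound traffic is decrypted on outside, PATed behind the outside interface address and sent back out of outside, so the inside L3 device is not in that path: the ASA's own routing table, not the gateway shown on the client's virtual adapter, decides where tunnelled traffic goes.

```text
! Added example (not from the original thread). ASA 9.x CLI.
! Assumed names/addresses: interface "outside", pool 192.168.100.50-100,
! object VPN_Pool, test host 198.51.100.10.

! --- Before: default state that produces "Flow is a loopback" ---
! Nothing is configured for outside->outside traffic, so a decrypted VPN
! packet that must leave through outside again is dropped.

! --- Step 1: allow a flow to exit the interface it entered on ---
same-security-traffic permit intra-interface

! --- Step 2: PAT the VPN pool behind the outside interface address ---
! Use a range that matches the pool exactly rather than the whole /24, so
! the inside hosts that share this subnet are not caught by the rule.
object network VPN_Pool
 range 192.168.100.50 192.168.100.100

! "after-auto" places the rule in section 3, below any existing NAT
! exemption (identity) rules for VPN-to-inside traffic, so those keep
! matching first and only Internet-bound traffic is translated.
nat (outside,outside) after-auto source dynamic VPN_Pool interface

! --- Verification ---
! 1) Confirm the rule is installed and watch its translate_hits grow.
show nat detail
! 2) Simulate a VPN client reaching the public host: the NAT phase should
!    show the (outside,outside) rule and the result should be "Action: allow".
packet-tracer input outside icmp 192.168.100.50 8 0 198.51.100.10
! 3) The "Flow is a loopback" counter should stop incrementing while a
!    client is browsing.
show asp drop
```

Usage note: the ASA itself still needs a default route out of outside (route outside 0.0.0.0 0.0.0.0 <next-hop>) for the translated packets to leave; with tunnelall that route, not the client's assigned gateway, is what carries the client's Internet traffic. If the pool object is later changed to the whole inside subnet, re-check show nat detail so that inside-to-Internet traffic is not unexpectedly matched by the outside,outside rule.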