User Guide

Cisco AnyConnect Secure Mobility Solution Guide
Supported Architectures
The WSA receives web traffic redirected from the WCCP router and enforces its policies on the traffic received from the AnyConnect client. If the WSA grants access to the web request, it rewrites the traffic prior to forwarding it to the Internet via its default route, the ASA. This enables the ASA to return the traffic to the WSA for scanning and policy enforcement. You must ensure that the WSA has a route to return successfully scanned traffic back to the AnyConnect client. For example, you could add a static route to the WSA to send all traffic destined for the client IP address pool (10.10.10.0/8) back to the ASA.
Note Non-web traffic sent from the Internet back to the ASA will be dropped if the source and destination of that traffic are in the AnyConnect client IP address pool (10.10.10.0/8). To prevent this, you can configure a static route (`route inside 10.10.10.0 255.0.0.0 192.168.1.2`) on the ASA to enable it to forward the traffic back to the AnyConnect client IP address pool.
All Secure Mobility components reside on a flat network, allowing the WCCP
router to use layer 2 redirection instead of Generic Routing Encapsulation (GRE).
GRE adds traffic overhead, works at layer 3, and is required when the WCCP
router and the WSA are on different subnets.
When the ASA acts as both the remote access and Internet gateway as shown in
Figure 1 on page 8, Network Address Translation (NAT) or Port Address
Translation (PAT) must be configured on the ASA to route non-web traffic or
traffic from the private IP address space to the Internet. In addition, to prevent
traffic sent from the enterprise network back to the AnyConnect client from being
subjected to the NAT or PAT command, you must configure a NAT Exemption rule
for the defined AnyConnect client IP address pool.
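The following ASA configuration fragment is an added illustration of the two requirements above (the static route from the Note and the NAT Exemption for the client pool); it is not taken from the Cisco guide. It uses ASA 8.3+ object NAT syntax; the object names and the 192.168.1.0/24 enterprise subnet are assumptions, while the pool 10.10.10.0 255.0.0.0 and next hop 192.168.1.2 come from the text.

```cisco
! Return path for the AnyConnect client pool (next hop from the Note above)
route inside 10.10.10.0 255.0.0.0 192.168.1.2
!
! NAT Exemption: identity (twice) NAT so enterprise-to-client traffic is not
! translated by the outbound NAT/PAT rules. Object names and the
! 192.168.1.0/24 enterprise subnet are assumed values, not from the guide.
object network ANYCONNECT_POOL
 subnet 10.10.10.0 255.0.0.0
object network ENTERPRISE_NET
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static ENTERPRISE_NET ENTERPRISE_NET destination static ANYCONNECT_POOL ANYCONNECT_POOL no-proxy-arp route-lookup
!
! Regular PAT for all other traffic leaving the private address space
object network ENTERPRISE_NET
 nat (inside,outside) dynamic interface
```

Because twice NAT (the `source static ... destination static` line) is evaluated before object NAT, the exemption takes precedence over the dynamic PAT rule for traffic destined to the pool.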