Explanation: The reason is that by default, the SSL VPN clients use split tunneling, which means they only send traffic destined for the corporate network through the VPN tunnel, and use their local gateway for other traffic, such as browsing the internet. This means that when they search for their IP address on a browser, they will see their local IP address, not the IP address of the ASA.
To change this behavior, you need to configure the Group Policy on the ASA to tunnel all networks, which means that all traffic from the SSL VPN clients will go through the VPN tunnel, regardless of the destination. This way, when they search for their IP address on a browser, they will see the IP address of the ASA, which is 3.3.3.3.
To configure Tunnel All Networks under the Group Policy, you can use either ASDM or the CLI. For example, using ASDM, follow these steps [1]:
- Choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies.
- Select the group policy that you want to modify and click Edit.
- In the Edit Internal Group Policy window, choose Advanced > Split Tunneling.
- In the Policy drop-down list, choose Tunnel All Networks.
- Click OK and then Apply.
Using CLI, you can enter these commands:
ciscoasa(config)# group-policy <group-policy-name> attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelall
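To confirm the change took effect, the following added example (not from the original page or from Cisco) parses ASA group-policy configuration text and reports which policies do not tunnel all traffic. The policy names, the ACL name and the sample configuration are constructed, and the one-space-indented layout of the attributes blocks is an assumption about the running-config text.

```python
import re

# Constructed sample of ASA group-policy configuration (names are hypothetical).
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CORP_NETS
group-policy SSLVPN_FULL internal
group-policy SSLVPN_FULL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
group-policy SSLVPN_INHERIT internal
group-policy SSLVPN_INHERIT attributes
 vpn-tunnel-protocol ssl-client
"""

HEADER = re.compile(r"^group-policy (\S+) attributes\s*$")
POLICY = re.compile(r"^\s+split-tunnel-policy (\S+)\s*$")

def split_tunnel_policies(config_text):
    """Map each group policy to its explicit split-tunnel-policy, or None if unset."""
    policies, current = {}, None
    for line in config_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            policies.setdefault(current, None)
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the attributes block
        elif current and (m := POLICY.match(line)):
            policies[current] = m.group(1)
    return policies

def audit(config_text, default_policy="DfltGrpPolicy"):
    """Return {policy: (effective value, source)}; unset policies inherit from the default policy."""
    explicit = split_tunnel_policies(config_text)
    inherited = explicit.get(default_policy) or "unknown"
    return {name: (value, "explicit") if value else (inherited, "inherited")
            for name, value in explicit.items()}

def not_tunnel_all(config_text):
    """Names of policies whose effective setting is anything other than tunnelall."""
    return sorted(n for n, (v, _) in audit(config_text).items() if v != "tunnelall")

if __name__ == "__main__":
    for name, (value, source) in audit(SAMPLE_CONFIG).items():
        print(f"{name:16} {value:16} {source}")
```

A policy reported as "inherited" with value "unknown" means the default policy's setting is not present in the text supplied, so check it on the device.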