We had a customer create a task for a handful of users not being able to access the company's file server while working from home. The IT Director at this company used to work for aa different customer and had just recently moved to this company and inherited this network. After talking to him about this server, he said the IP address of the file server was 192.168.1.1. There were also a few other servers some people had trouble accessing at times, but the file server was the main server they needed. The issue was obvious in that the file server has the same IP address as many home routers.

The customer has a Cisco ASA, so I tired to setup AnyConnect to NAT the traffic across AnyConnect. I setup a twice NAT across the AnyConnect VPN tunnel, but when the DNS server replied with the IP addresses, the replies were not NAT'd. The solution to this is DNS Doctoring, but DNS Doctoring only works with object NAT so this did not work. We could have setup these users to connect to a different IP address when offsite so DNS Doctoring was not needed, but this did not seem like a good solution.

Cisco documentation on NAT across AnyConnect VPN tunnel: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html

The main user that was having this issue while out of town returned home so this issue became less of a priority. Ultimately, the solution is to change their internal IP scheme to not use the 192.168.1.0/24 or any other common IP subnet. The short-term work around for this customer should we need to do this again before we change the IP scheme will be to use RD Gateway and have users connect that way instead of via AnyConnect.