topic Re: Anyconnect Split tunneling Config on IOS in VPN

Anyconnect Split tunneling Config on IOS

ssg14 — Mon, 05 Aug 2019 06:13:38 GMT

Hi,

I have configured anyconnect on IOS and working perfectly fine , my policy is as below:

Policy group Panzer-SSL
functions svc-enabled
svc address-pool "SSL-VPN" netmask 255.255.255.0
svc split include 10.0.0.0 255.255.255.0
default-group-policy Panzer-SSL
!

My question is:

** How can i force client to push all traffic (including internet) through anyconnet , at the moment i have only managed to make it work it with Split tunneling and as soon as i remove "svc split include 10.0.0.0 255.255.255.0" it stops working.

Also tried to remove "functions svc-enabled"to stop split tunnelin , again client can't login.

Should I create an ACL?

Any thoughts?

Thanks
Samy

Re: Anyconnect Split tunneling Config on IOS

Philip D'Ath — Fri, 02 Aug 2019 01:42:06 GMT

That should work. Perhaps try the extreme:

svc split include 0.0.0.0 0.0.0.0

Re: Anyconnect Split tunneling Config on IOS

ssg14 — Fri, 02 Aug 2019 05:45:39 GMT

Thanks Philip for coming back,

I removed the svc split include 10.0.0.0 and instead added
svc split include 0.0.0.0 0.0.0.0
svc dns-server primary 8.8.8.8

The route received by my anyconnect client changed to 0.0.0.0 (as expected) but my machine can't hit anywhere outside of the local network 😞

On the config for anyconnect I used virtual-template cloning int vlan1 IP (Int VLAN 1 is the actual gateway for connected devices to the router)

When i traceroute from anyconnect client after i changed the config , I hit int vlan1 as the first hop then get blackholed there. Am i missing anything?

Here is my config:

webvpn gateway Panzer-Gateway
ip interface Dialer0 port 443
ssl trustpoint SSL-VPN
inservice
!
webvpn context Panzer-SSL
!
acl "Panzer-SSL"
permit ip any any
virtual-template 1
aaa authentication list SSL-VPN
gateway Panzer-Gateway
!
ssl authenticate verify all
inservice
!
policy group Panzer-SSL
acl "Panzer-SSL"
functions svc-enabled
svc address-pool "SSL-VPN" netmask 255.255.255.0
svc dns-server primary 8.8.8.8
default-group-policy Panzer-SSL

Thanks
Samy

Re: Anyconnect Split tunneling Config on IOS

Marvin Rhoads — Fri, 02 Aug 2019 09:30:42 GMT

You need a NAT rule for the VPN clients to be assigned a public IP address for their Internet-bound traffic.

Re: Anyconnect Split tunneling Config on IOS

shgrover — Sat, 03 Aug 2019 14:07:37 GMT

Hey,

You need and outside to outside nat rule.

nat (outside,outside) source dynamic vpn-pool interface

however make sure its below the nat exempt statement on your ASA that is being used by your anyconnect clients to access the internal network.

Regards

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question

Re: Anyconnect Split tunneling Config on IOS

ssg14 — Sun, 04 Aug 2019 10:24:37 GMT

@Marvin Rhoads wrote:
You need a NAT rule for the VPN clients to be assigned a public IP address for their Internet-bound traffic.

Thanks Marvin,

I have carved out for example 10.0.0.100-110 for VPN client , 10.0.0.0/24 is the local LAN range on the router which already has a NAT rule.

My assumption is router will treat anyconnect client same as locally connected 10.0.0.x/24 while same subnet.

Should I create a separate subnet and separate NAT rule?

Re: Anyconnect Split tunneling Config on IOS

ssg14 — Mon, 05 Aug 2019 06:15:21 GMT

@shgrover wrote:
Hey,

You need and outside to outside nat rule.

nat (outside,outside) source dynamic vpn-pool interface

however make sure its below the nat exempt statement on your ASA that is being used by your anyconnect clients to access the internal network.

Regards
Shikha Grover
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Shikha,

Thanks but I'm doing it on 2921 router and not ASA.

Do I need specific NAT rule for IOS although Anyconnect IP falls under inside NATed IP?

I have attached the config to my original message as well if you need to check it.

Cheers

Samy

Re: Anyconnect Split tunneling Config on IOS

Marvin Rhoads — Mon, 05 Aug 2019 12:13:35 GMT

Your challenge is known as "hairpinning".

Please see this article which describes the challenge and provides a solution:

https://packetu.com/2012/06/26/nat-vpns-and-hairpinning-internet-traffic-in-ios/