topic Re: ISE Posturing and Split Tunnel in Network Access Control

ISE Posturing and Split Tunnel

CCertified85 — Fri, 21 Feb 2020 18:55:24 GMT

Hello All,

My posturing is working fine but i tried to enable Split tunnel from ASA it is not coming into effect

I asked Cisco TAC if we can push split tunnel ACL from ISE but as per Engineer it is not supported

My issue is i am getting 0.0.0.0/0 which will not be acceptable by Client as they need to access internet and other resources out of the tunnel

Please help

Re: ISE Posturing and Split Tunnel

Rob Ingram — Mon, 07 May 2018 12:58:14 GMT

Hi,
When the ISE Posture agent attempts to run it will attempt to communicate with the discovery host (if defined) and enroll.cisco.com (default), you will need to ensure these are tunneled through the VPN.

HTH

Re: ISE Posturing and Split Tunnel

CCertified85 — Mon, 07 May 2018 13:00:46 GMT

Hi,

What discovery Host and Enroll has the connection to Split Tunnel ?

Re: ISE Posturing and Split Tunnel

Rob Ingram — Mon, 07 May 2018 14:43:11 GMT

The ISE Posture agent needs to send probes, one of the probes if configured is a discovery host inside your network. If that is not configured then it will send one to enroll.cisco.com. This FQDN needs to be successfully resolvable by DNS server. In VPN scenario with split-tunnel, traffic to enroll.cisco.com has to be routed through the tunnel.

nslookup enroll.cisco.com
Non-authoritative answer:
Name: mus.cisco.com
Addresses: 2001:420:1100:ff::
72.163.1.80 <<< this is the ip address you need to included in your split-tunnel policy to route back over the VPN.

Re: ISE Posturing and Split Tunnel

CCertified85 — Tue, 24 Jul 2018 12:06:14 GMT

Thanks after adding this Public IP in Split tunnel my issue was resolved

Re: ISE Posturing and Split Tunnel

muhammadatif0304 — Sun, 02 May 2021 19:57:16 GMT

Can you please share split-tunnel and redirect ACL configuration ?

Re: ISE Posturing and Split Tunnel

Marcelo Morais — Sun, 02 May 2021 20:19:21 GMT

Hi @muhammadatif0304 ,

for Split-Tunnel ... please take a look at: ASA/PIX: Allow Split Tunneling for VPN Client on the ASA Configuration Example. or ASA 8.x: Allow Split Tunneling for VPN Client on the ASA Configuration Example.

for Redirect-ACL ... please take a look at: ASA Version 9.2.1 VPN Posture with ISE Configuration Example, search for redirect-acl.

Hope this helps !!!

Re: ISE Posturing and Split Tunnel

muhammadatif0304 — Sun, 02 May 2021 20:30:30 GMT

Hi there, thanks for sharing links. I have already split-tunnel and allowed
enroll.cisco.com via tunnel but client provisioning portal doesn't work
automatically

When i turned off split-tunnel and allow all traffic through tunnel it works

Re: ISE Posturing and Split Tunnel

edwardwaithaka — Thu, 23 Feb 2023 11:13:22 GMT

The following has to be done to make enroll.cisco.com activate the posture when doing split tunneling.

1) Add the enroll.cisco.com public IP 72.163.1.80 to the split tunnel ACL

2) Configure NO-NAT for the IP 72.163.1.80 as it goes from outside (ravpn) to inside (lan)

3) Configure a route on the INSIDE leg e.g. route IF_INSIDE 72.163.1.80 255.255.255.255 <inside P2P next hop>

The above will "fool" AC client to send traffic towards the LAN but will instead get redirected and hence activate posture client.