How to configure AnyConnect to choose between split-tunnel or tunnel-all profiles?

steve32881 — Tue, 26 Jan 2021 14:49:29 GMT

Hi,

I currently have a split-tunnel vpn and its working just fine. Now I would like to offer the possibility for users to select a "tunnel-all" profile when connecting to their VPN.

I did some research and found that I can create multiple tunnel-groups and group-policies, one of which will have the split-tunnel-policy as tunnel-all.

So am I safe to assume that all I need is to create a new tunnel-group and matching group policy? I pasted below what I intend to use.

Existing CONFIG

tunnel-group ANYCONNECT-PROFILE type remote-access

tunnel-group ANYCONNECT-PROFILE general-attributes

address-pool ANYCONNECT-POOL

default-group-policy GroupPolicy_ANYCONNECT-POLICY

password-management password-expire-in-days 7

tunnel-group ANYCONNECT-PROFILE webvpn-attributes

group-alias ANYCONNECT-PROFILE enable

group-policy GroupPolicy_ANYCONNECT-POLICY internal

group-policy GroupPolicy_ANYCONNECT-POLICY attributes

wins-server none

dns-server value 1.1.1.1 8.8.8.8

vpn-tunnel-protocol l2tp-ipsec ssl-client

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPLIT-TUNNEL

webvpn

anyconnect keep-installer installed

anyconnect dpd-interval client 30

anyconnect ask none default anyconnect

_________________________________________________________

CONFIG to add

tunnel-group ANYCONNECT-FULL type remote-access

tunnel-group ANYCONNECT-FULL general-attributes

address-pool ANYCONNECT-POOL

default-group-policy GroupPolicy_ANYCONNECT-FULL

password-management password-expire-in-days 7

tunnel-group ANYCONNECT-FULL webvpn-attributes

group-alias ANYCONNECT-FULL enable

group-policy GroupPolicy_ANYCONNECT-FULL internal

group-policy GroupPolicy_ANYCONNECT-FULL attributes

wins-server none

dns-server value 1.1.1.1 8.8.8.8

vpn-tunnel-protocol l2tp-ipsec ssl-client

split-tunnel-policy tunnelall

webvpn

anyconnect keep-installer installed

anyconnect dpd-interval client 30

anyconnect ask none default anyconnect

Re: How to configure AnyConnect to choose between split-tunnel or tunnel-all profiles?

Marvin Rhoads — Tue, 26 Jan 2021 16:18:18 GMT

Yes - your understanding is correct. With what you have proposed, users will be able to will select which profile to use from a drop down list when they connect.

Re: How to configure AnyConnect to choose between split-tunnel or tunnel-all profiles?

MHM Cisco World — Tue, 26 Jan 2021 18:56:30 GMT

Re: How to configure AnyConnect to choose between split-tunnel or tunnel-all profiles?

steve32881 — Tue, 26 Jan 2021 18:51:50 GMT

Thanks for looking into it and confirming =]

Re: How to configure AnyConnect to choose between split-tunnel or tunnel-all profiles?

MHM Cisco World — Tue, 26 Jan 2021 19:56:41 GMT

tunnel-group-list enable<- only this command missing from config.

topic Re: How to configure AnyConnect to choose between split-tunnel or tunnel-all profiles? in Network Security

How to configure AnyConnect to choose between split-tunnel or tunnel-all profiles?

Re: How to configure AnyConnect to choose between split-tunnel or tunnel-all profiles?

Re: How to configure AnyConnect to choose between split-tunnel or tunnel-all profiles?

Re: How to configure AnyConnect to choose between split-tunnel or tunnel-all profiles?

Re: How to configure AnyConnect to choose between split-tunnel or tunnel-all profiles?