05-07-2018 05:40 AM - edited 02-21-2020 10:55 AM
Hello All,
My posturing is working fine, but when I tried to enable split tunnel on the ASA it did not come into effect.
I asked Cisco TAC if we can push the split-tunnel ACL from ISE, but according to the engineer it is not supported.
My issue is that I am getting 0.0.0.0/0, which will not be acceptable to the client, as they need to access the internet and other resources outside the tunnel.
Please help.
05-07-2018 07:43 AM
The ISE Posture agent needs to send probes; one of the probes, if configured, is a discovery host inside your network. If that is not configured, it will send one to enroll.cisco.com. This FQDN needs to be resolvable by the DNS server. In a VPN scenario with split tunnel, traffic to enroll.cisco.com has to be routed through the tunnel.
nslookup enroll.cisco.com
Non-authoritative answer:
Name: mus.cisco.com
Addresses: 2001:420:1100:ff::
72.163.1.80 <<< this is the IP address you need to include in your split-tunnel policy to route back over the VPN.
05-07-2018 06:00 AM
Hi,
What connection do the discovery host and enroll.cisco.com have to the split tunnel?
07-24-2018 05:06 AM
Thanks, after adding this public IP to the split tunnel my issue was resolved.
05-02-2021 12:57 PM
Can you please share the split-tunnel and redirect ACL configuration?
05-02-2021 01:19 PM
Hi @muhammadatif0304,
For split tunnel, please take a look at: ASA/PIX: Allow Split Tunneling for VPN Client on the ASA Configuration Example, or ASA 8.x: Allow Split Tunneling for VPN Client on the ASA Configuration Example.
For the redirect ACL, please take a look at: ASA Version 9.2.1 VPN Posture with ISE Configuration Example, and search for redirect-acl.
Hope this helps!
02-23-2023 03:13 AM
The following has to be done to make enroll.cisco.com activate posture when doing split tunneling.
1) Add the enroll.cisco.com public IP 72.163.1.80 to the split-tunnel ACL.
2) Configure NO-NAT for the IP 72.163.1.80 as it goes from outside (ravpn) to inside (lan).
3) Configure a route on the INSIDE leg, e.g. route IF_INSIDE 72.163.1.80 255.255.255.255 <inside P2P next hop>
The above will "fool" the AC client into sending the traffic towards the LAN, where it will instead get redirected and hence activate the posture client.
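Putting the accepted answer and the three steps in the post above together, here is an added example of what the corresponding ASA configuration looks like. It is not from any poster in this thread and is written here for illustration only. The interface names (outside/inside), the object, ACL and group-policy names, the AnyConnect pool 10.200.0.0/24, the internal range 10.0.0.0/8 and the inside next hop 10.1.1.1 are all assumed placeholders. 72.163.1.80 is the address the thread resolved for enroll.cisco.com in 2018; re-check it with nslookup before deploying, since the DNS answer can change.

```cisco
! Added example, not from the thread. Names and addresses are placeholders.
!
! Objects for the traffic that must stay inside the tunnel
! (VPN_POOL = assumed AnyConnect address pool,
!  ENROLL_CISCO = enroll.cisco.com as resolved in the thread)
object network VPN_POOL
 subnet 10.200.0.0 255.255.255.0
object network ENROLL_CISCO
 host 72.163.1.80
!
! 1) Split-tunnel ACL: internal networks plus the posture probe target.
!    A standard ACL matches on destination only, which is all that is
!    needed here. 10.0.0.0/8 is an assumed internal range.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit host 72.163.1.80
!
! Bind the list to the RA VPN group policy (GP_RAVPN is assumed) so the
! client tunnels only what the ACL lists instead of 0.0.0.0/0.
group-policy GP_RAVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! 2) NO-NAT: identity (twice) NAT so VPN clients reaching 72.163.1.80
!    from outside toward inside are not translated.
nat (outside,inside) source static VPN_POOL VPN_POOL destination static ENROLL_CISCO ENROLL_CISCO no-proxy-arp route-lookup
!
! 3) Host route on the inside leg so the ASA forwards the probe toward
!    the LAN (10.1.1.1 is the assumed inside next hop).
route inside 72.163.1.80 255.255.255.255 10.1.1.1
```

With this in place the probe to enroll.cisco.com leaves the client inside the tunnel rather than over the local internet connection, which is what lets the ISE redirect on the ASA intercept it. The redirect ACL itself is a separate piece of configuration and is covered in the ASA 9.2.1 VPN Posture with ISE example linked earlier in the thread.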