4135 Views | 5 Helpful | 8 Replies

ISE Posturing and Split Tunnel

CCertified85
Level 1

Hello All,

 

My posturing is working fine, but when I tried to enable split tunnel from the ASA it did not come into effect.

I asked Cisco TAC if we can push a split tunnel ACL from ISE, but as per the engineer it is not supported.

My issue is I am getting 0.0.0.0/0, which will not be acceptable to the client as they need to access the internet and other resources outside the tunnel.

 

Please help

 

Accepted Solution

The ISE Posture agent needs to send probes; one of the probes, if configured, is a discovery host inside your network. If that is not configured then it will send one to enroll.cisco.com. This FQDN needs to be successfully resolvable by the DNS server. In a VPN scenario with split tunnel, traffic to enroll.cisco.com has to be routed through the tunnel.

 

nslookup enroll.cisco.com
Non-authoritative answer:
Name:    mus.cisco.com
Addresses:  2001:420:1100:ff::
          72.163.1.80 <<< this is the IP address you need to include in your split-tunnel policy to route back over the VPN.


8 Replies

Hi,
When the ISE Posture agent attempts to run, it will attempt to communicate with the discovery host (if defined) and enroll.cisco.com (default); you will need to ensure these are tunneled through the VPN.

HTH

Hi,

 

What connection do the discovery host and enroll have to split tunnel?

Thanks, after adding this public IP to the split tunnel my issue was resolved.

Can you please share the split-tunnel and redirect ACL configuration?

Hi there, thanks for sharing the links. I already have split tunnel and have allowed enroll.cisco.com via the tunnel, but the client provisioning portal doesn't work automatically.

When I turned off split tunnel and allowed all traffic through the tunnel, it works.

edwardwaithaka
Level 1

The following has to be done to make enroll.cisco.com activate posture when doing split tunneling.

1) Add the enroll.cisco.com public IP 72.163.1.80 to the split tunnel ACL

2) Configure NO-NAT for the IP 72.163.1.80 as it goes from outside (ravpn) to inside (lan)

3) Configure a route on the INSIDE leg, e.g. route IF_INSIDE 72.163.1.80 255.255.255.255 <inside P2P next hop>

The above will "fool" the AC client into sending traffic towards the LAN, but the traffic will instead get redirected and hence activate the posture client.
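Below is an added ASA configuration example that ties the accepted solution (put the resolved enroll.cisco.com address into the split-tunnel list) and the three steps above together in one place. It is not configuration posted by anyone in this thread. The interface names (outside, inside), the internal network 10.0.0.0/8, the VPN pool 192.168.100.0/24, the inside next hop 10.1.1.2, the ISE PSN address 10.10.10.10, and all object, ACL and group-policy names are constructed assumptions for the example; replace them with your own values. Only 72.163.1.80 comes from the nslookup in the thread, and it should be re-checked with nslookup before use, since the FQDN may resolve differently over time.

```cisco
! --- Step 1: split-tunnel list (constructed example) ---
! Internal networks that should go through the tunnel, plus the address
! enroll.cisco.com resolved to in the nslookup above. Without the host
! entry, the posture probe leaves the client outside the tunnel and the
! ISE redirect never sees it.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit host 72.163.1.80

group-policy RAVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! --- Step 2: NAT exemption from the VPN side (outside) to inside ---
! Objects for the VPN address pool and the enroll.cisco.com host
object network RAVPN_POOL
 subnet 192.168.100.0 255.255.255.0
object network ENROLL_CISCO
 host 72.163.1.80

! Identity (no-NAT) rule so the client source address is preserved when
! the probe is forwarded inward; route-lookup lets the ASA pick the egress
! interface from the routing table rather than from the NAT rule.
nat (outside,inside) source static RAVPN_POOL RAVPN_POOL destination static ENROLL_CISCO ENROLL_CISCO no-proxy-arp route-lookup

! --- Step 3: host route on the inside leg ---
! Placeholder next hop; use your inside point-to-point neighbour.
route inside 72.163.1.80 255.255.255.255 10.1.1.2

! --- Redirect ACL referenced by the ISE authorization profile (assumed) ---
! Traffic matching "permit" is redirected to the client provisioning portal;
! DNS and traffic to the ISE node itself must be excluded so the redirect
! and posture flow themselves are not intercepted.
access-list REDIRECT_ACL extended deny udp any any eq domain
access-list REDIRECT_ACL extended deny ip any host 10.10.10.10
access-list REDIRECT_ACL extended permit tcp any any eq www
access-list REDIRECT_ACL extended permit tcp any any eq https
```

After a client connects, `show vpn-sessiondb detail anyconnect` shows the split-tunnel network list applied to the session, and `packet-tracer input outside tcp 192.168.100.10 12345 72.163.1.80 80` walks the probe through the NAT and route lookups so you can confirm it egresses on inside rather than being dropped or sent back out the outside interface.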
