Anyconnect Exclude List not working.

danbryan80
Level 1

I am using AnyConnect and I have a group policy configured with a split tunnel policy to "Exclude Network Lists Below".  I created a list to define my local LAN which I don't want to be "secured by the VPN".  Whenever I VPN in, it still forces all traffic to be secured.  On the contrary, if I set the tunnel policy to "Include networks below" and define a network that I want to force through the tunnel, that setting does get carried through to the AnyConnect client.  What could cause an Exclude list to not show up, but an Include list does?


14 Replies

Julio Carvajal
VIP Alumni

Hello Daniel,

I think you are confused with the use of the VPN Split-tunnel

What you are going to place in the split-tunnel is which traffic (destination) will be encrypted, so for example if you just want to encrypt the data going to the other side of the tunnel, or all traffic (default).

Hope I understood the question

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

So, I am on the 100.100.60.0/24 network and I VPN into my development network, 192.168.0.0/24.  I only want to encrypt traffic going to the 192.168.0.0/24 network; I want to EXCLUDE traffic going from the 10.100.60.0/24 network.  Whenever I configure my group policy to exclude traffic going to PKILAB, and define PKILAB as 100.100.60.0/24, it still tries to send traffic destined for the PKILAB over the VPN, when it should be excluding it.  But I know the group policy settings are getting applied because other items such as the DNS get sent to the AnyConnect client settings.

Hello Daniel,

Just to make sure we are on the same page

192.168.0.0/24---ASA---INTERNET-------Anyconnect client at 100.100.60.0.24

Is that correct? If yes, and you only want to encrypt the traffic going to the 192. from your client, here is what you need:

access-list test standard permit 192.168.0.0 255.255.255.0

group-policy whatever attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value test

Turn down the tunnel and give it a try

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Client IP: 10.100.60.47/24

Local lab segments:

10.100.60.0/24

192.168.50.0/24

asa.securesub.net:8080 Anyconnect Gateway to my remote Lab

Once I am connected to my remote lab I am given A client IP address of 192.168.0.193/24

My remote lab has 2 different subnets:

192.168.0.0/24

192.168.101.0/24

When I connect to the ASA, I am having "0.0.0.0 secured".  This prevents me from being able to access the two local subnets.  I should be able to say "Split tunnel, and exclude 10.100.60./ and 192.168.50.0 from being sent through the tunnel".  See picture.

http://i.imgur.com/ZJoS1.png

Hello Daniel,

The image does not work!

Why don't you try with my configuration, please

access-list test standard permit 192.168.0.0 255.255.255.0

access-list test standard permit 192.168.101.0 255.255.255.0

group-policy whatever attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value test

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

When I use the config you mentioned, where I only define which traffic I want to secure, it allows me to access my secured resources and my local resources, but it doesn't tunnel my UNKNOWN (internet browsing) traffic through the tunnel, which is one of my goals.  That's why I was trying to go the exclude route.

I have tried to add 0.0.0.0/24 to the permitted list of traffic to be secured, but that doesn't seem to work.

Hello Daniel,

Okay I now understand what you mean....

Why don't you try with my configuration, please

access-list 2test standard permit 10.100.60.0 255.255.255.0

access-list 2test standard permit 192.168.50.0 255.255.255.0

group-policy whatever attributes

split-tunnel-policy excludespecified

split-tunnel-network-list value 2test

Turn the tunnel down and re-connect

If this by any chance does not work, please paste your group policy and tunnel group setup (you can change the outside IP addresses of course).

Regards,

Remember to rate the helpful posts

Julio


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

group-policy Vandyke internal

group-policy Vandyke attributes

wins-server none

dns-server value 192.168.0.25 4.2.2.2

vpn-tunnel-protocol ssl-client

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VANDYKE_EXCLUDES

default-domain value securesub.net

split-dns value 192.168.0.25

asa(config)# sh run | i VANDYKE

access-list VANDYKE_EXCLUDES remark SECURESUB_WIFI

access-list VANDYKE_EXCLUDES standard permit 192.168.101.0 255.255.255.0

access-list VANDYKE_EXCLUDES remark SECURESUB_LAN

access-list VANDYKE_EXCLUDES standard permit 192.168.0.0 255.255.255.0

access-list VANDYKE_EXCLUDES remark BOOZE-PKI LAB

access-list VANDYKE_EXCLUDES standard deny 10.100.60.0 255.255.255.0

access-list VANDYKE_EXCLUDES remark INTERNET TRAFFIC

access-list VANDYKE_EXCLUDES standard permit any

Hello Daniel,

Right now the configuration is not the one I sent you.

Check this :

split-tunnel-policy tunnelspecified

Can you change the setup to this:

access-list 2test standard permit 10.100.60.0 255.255.255.0

access-list 2test standard permit 192.168.50.0 255.255.255.0

group-policy whatever attributes

split-tunnel-policy excludespecified

split-tunnel-network-list value 2test

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I think we're miscommunicating.  I made the changes you asked me to try (see below) and now I can no longer access Booze-PKI lab or Vandyke_wifi resources.  Also I am now unable to access any of my VPN resources from securesub.  In addition, my internet traffic is not being sent through the VPN.

asa(config)# sh run | i split-tunnel-policy tunnelspecified

split-tunnel-policy tunnelspecified

asa(config)# sh run | i VANDYKE

access-list VANDYKE_EXCLUDES remark BOOZE-PKI LAB

access-list VANDYKE_EXCLUDES standard permit 10.100.60.0 255.255.255.0

access-list VANDYKE_EXCLUDES remark VANDYKE_WIFI

access-list VANDYKE_EXCLUDES standard permit 192.168.50.0 255.255.255.0

split-tunnel-network-list value VANDYKE_EXCLUDES

A quick summary of my setup:

I am on a LAN segment 10.100.60.0/24 and need to be able to access resources on the segment as well as the 192.168.50.0 segment.  I can do this without using a VPN.  I also want to be able to access my VPN resources (securesub LAN and securesub WIFI).  I also want all Internet traffic while connected to the VPN to get routed through securesub.

So I should be securing "Securesub_LAN, Securesub_WIFI, and Internet" and not securing 10.100.60.0 or 192.168.50.0, if I understand correctly.

Hello Daniel,

Interesting, never had this issue before,

Okay time to use the following:

access-list Local_LAN_Access standard permit host 0.0.0.0

access-list Local_LAN_Access remark VPN-Local-LAN-Access

group-policy Vandyke attributes

split-tunnel-policy excludespecified

split-tunnel-network-list value Local_LAN_Access

Now, starting from AnyConnect version 2.3, Local LAN Access is disabled by default, so you need to enable it from the AnyConnect client preference settings.

Let me know how it goes,

Rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
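The difference between the two approaches in this thread (tunnelspecified with the remote subnets listed, versus excludespecified with the "host 0.0.0.0" Local LAN Access entry) can be checked with a small model of how the ASA evaluates a split-tunnel list. This is an added example written for this page, a simplified model rather than Cisco's implementation; the policy keywords and ACL lines are the ones from the thread, and the client LAN 10.100.60.0/24 is a constructed sample.

```python
import ipaddress

# Added example: a simplified model of ASA split-tunnel decisions, not Cisco's code.
# "host 0.0.0.0" in an excludespecified list stands for the client's own LAN and
# only takes effect when Local LAN Access is enabled in the AnyConnect preferences.
LOCAL_LAN_WILDCARD = ipaddress.ip_network("0.0.0.0/32")
CLIENT_LAN = ipaddress.ip_network("10.100.60.0/24")  # constructed sample, as in the thread

def parse_acl(lines):
    """Return the permit entries of a standard ACL given as ASA CLI lines.
    Remark lines are skipped; deny entries are ignored by this model."""
    nets = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] == "remark" or "permit" not in parts:
            continue
        i = parts.index("permit")
        if parts[i + 1] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif parts[i + 1] == "host":
            nets.append(ipaddress.ip_network(parts[i + 2] + "/32"))
        else:  # "network mask" form
            nets.append(ipaddress.ip_network(f"{parts[i + 1]}/{parts[i + 2]}"))
    return nets

def is_tunneled(policy, acl_nets, dst, client_lan=None, local_lan_access=False):
    """True if traffic to dst goes through the VPN under the given policy."""
    dst = ipaddress.ip_address(dst)
    if policy == "tunnelall":
        return True
    matched = any(dst in net for net in acl_nets)
    if policy == "tunnelspecified":  # only listed networks are secured
        return matched
    if policy == "excludespecified":  # listed networks bypass the tunnel
        if matched:
            return False
        if (LOCAL_LAN_WILDCARD in acl_nets and local_lan_access
                and client_lan is not None and dst in client_lan):
            return False
        return True
    raise ValueError(f"unknown split-tunnel-policy {policy}")

# The two lists from the thread, as constructed samples.
SECURED_ONLY = parse_acl([
    "access-list test standard permit 192.168.0.0 255.255.255.0",
    "access-list test standard permit 192.168.101.0 255.255.255.0",
])
LOCAL_LAN_ACCESS = parse_acl([
    "access-list Local_LAN_Access standard permit host 0.0.0.0",
    "access-list Local_LAN_Access remark VPN-Local-LAN-Access",
])
```

With the first list internet destinations stay outside the tunnel, which is the behaviour Daniel reported; with the second list everything except the client's own LAN is tunneled, and the LAN bypass only applies once Local LAN Access is switched on in the client.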

access-list VANDYKE_EXCLUDES remark Securesub_LAN

access-list VANDYKE_EXCLUDES standard permit 192.168.0.0 255.255.255.0

access-list VANDYKE_EXCLUDES remark Securesub_WIFI

access-list VANDYKE_EXCLUDES standard permit 192.168.101.0 255.255.255.0

access-list VANDYKE_EXCLUDES remark INTERNET

access-list VANDYKE_EXCLUDES standard permit host 0.0.0.0

split-tunnel-network-list value VANDYKE_EXCLUDES

My internet traffic is not being tunneled. The rest works well.

Hello Daniel,

I think you did not follow my instructions, it is just

access-list Local_LAN_Access standard permit host 0.0.0.0

access-list Local_LAN_Access remark VPN-Local-LAN-Access

You need to take the rest out from the ACL

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks
