AnyConnect Split-Tunnel Configuration

Scott_22

We have a website that is accessible on the Internet and is only allowed to be accessed via our public IP. We need VPN users to be able to access it via AnyConnect when they are not in the office. To accomplish this, do I just add the IP of the website into the split-tunnel ACL?

Accepted Solutions

Hi,

Yes, you will need to include that IP address in the split-tunnel ACL.

Also you will probably need to create a NAT rule for the VPN pool, e.g.:

object network VPN_POOL
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface

...and permit traffic sourced from the outside interface to be routed back out the outside interface.

same-security-traffic permit intra-interface

HTH
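
As an added example (not part of the original post and not Cisco tooling): a short Python check that a saved running-config contains all three pieces the answer names, that is, the website IP in the split-tunnel ACL, the (outside,outside) NAT on the VPN pool, and `same-security-traffic permit intra-interface`. The names SPLIT_TUNNEL and GP_ANYCONNECT, the address 203.0.113.10 and the sample config are constructed placeholders, and a single group policy is assumed.

```python
import ipaddress
import re

# Constructed running-config excerpt. SPLIT_TUNNEL, GP_ANYCONNECT and the
# 203.0.113.10 website address are placeholders; VPN_POOL is from the answer.
SAMPLE_CONFIG = """\
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit host 203.0.113.10
group-policy GP_ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
object network VPN_POOL
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
same-security-traffic permit intra-interface
"""

def acl_networks(config, acl):
    """Networks permitted by a standard ACL, as ipaddress objects."""
    nets = []
    pattern = rf"^access-list {re.escape(acl)} standard permit (.+)$"
    for entry in re.findall(pattern, config, re.M):
        parts = entry.split()
        if parts[0] == "host":
            nets.append(ipaddress.ip_network(parts[1]))
        elif parts[0] in ("any", "any4"):
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:  # "<network> <mask>"
            nets.append(ipaddress.ip_network(f"{parts[0]}/{parts[1]}"))
    return nets

def audit(config, site_ip, pool_object="VPN_POOL"):
    """Return the prerequisites from the answer that the config lacks."""
    missing = []
    # Assumes a single group policy carries the split-tunnel settings.
    acl = re.search(r"^ split-tunnel-network-list value (\S+)", config, re.M)
    if "split-tunnel-policy tunnelspecified" not in config or not acl:
        missing.append("split tunnel with a network list is not configured")
    elif not any(ipaddress.ip_address(site_ip) in net
                 for net in acl_networks(config, acl.group(1))):
        missing.append(f"{site_ip} is not in ACL {acl.group(1)}")
    # 'show run' can print the object twice (definition, then NAT), so merge.
    stanza = rf"^object network {re.escape(pool_object)}\n((?: .*\n?)*)"
    body = "".join(re.findall(stanza, config, re.M))
    if "nat (outside,outside) dynamic interface" not in body:
        missing.append(f"no (outside,outside) dynamic NAT on {pool_object}")
    if not re.search(r"^same-security-traffic permit intra-interface$", config, re.M):
        missing.append("same-security-traffic permit intra-interface is absent")
    return missing

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "203.0.113.10") or "all three pieces present")
```

An empty list means the website's traffic is sent into the tunnel and can hairpin back out of the outside interface translated to the firewall's public IP.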
