Re: ASA Split Tunneling/Dynamic-Attributes

andreasalberti · ‎02-01-2022

Good day,

I can't really get any further.

We have set up both an acl and custom attributes for dynamic tunnel exclusions.

In order to reach the local VM on the host, we have stored a private 172 IP range inside our acl for the tunnel exclusion.

Unfortunately, this is only drawn very sporadically.

Sometimes i can see the mentioned IP 172.x.x.x in "unsecured routes", but most of the time its not working.

has anyone ever had similar experiences?
could the problem be due to the private ip range?
The public ips are pulled without problems.

I would be happy about any ideas.

best regards

andreasalberti · ‎02-01-2022

I think i found something...

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/troubleshoot-anyconnect.html#Cisco_Task_in_List_GUI.dita_3a9a8101-f034-4e9b-b24a-486ee47b5e9f

Maybe this is going to solve my problem.

Cheers

andreasalberti · ‎02-02-2022

Update:

if you have similar problems.
It is important to enable local lan access in anyconnect profile. As a result, the IP addresses of the virtual adapters only appear in unsecured routes.

In combination, access to local machines works despite a connected vpn.