Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1017
Views
0
Helpful
3
Replies

In a Split-Tunnel VPN routing Public Address

Cornelio M
Level 1
Level 1

‎06-21-2016 07:14 AM - edited ‎03-05-2019 04:16 AM

Hi, We have a Cisco ASA 5500 series Firewall where our employees connect via Cisco Anyconnect. Since then we used Split-Tunneling so our employees can connect to cloud based enterprise application without passing though our main link. However just recently we have another cloud base solution, this time it only allow one IP Address to connect to it. We put our external public gateway, it worked for employees in the office, but this solution is not working for employees that are around the world and always mobile. How can I force VPN clients to use our public gateway to access this cloud base solution, without removing the split-tunnel policy? I already put the exempt policy for the IP address but the routing stops in our Firewall. Any sample config will be very helpful and how to approach it. Thank you, 

2 people had this problem
Labels:
0 Helpful
3 Replies 3

Philip D'Ath
VIP Alumni
VIP Alumni

‎06-21-2016 01:51 PM

You need to add the destination IP address of the new service into the split tunnel list.  You need need to configure the asa to nat this for (outside,outside) to your external public IP address that you want web browsing to come from, and you may need to create an access rule to allow this (the firewall logs are likely to tell you the answer).

0 Helpful

Cornelio M
Level 1
Level 1
In response to Philip D'Ath

‎06-21-2016 02:16 PM

Hi Philip,

Can you help with the an example. Just to put what you suggested in a configuration is this right?

Ex. Public IP:  8.8.8.7 (Public_IP)

      VPN IP pool: 192.168.252.0/24

      External IP: 9.9.9.253

* To include in the split-tunnel list

access-list vpnssl-split extended permit ip 8.8.8.7 255.255.255.255 192.168.252.0 255.255.255.0

* nat this for (outside,outside)

static (outside,outside) 8.8.8.7 9.9.9.253 netmask 255.255.255.255

* to create an access rule 

access-list outsite_acl extended permit tcp any object-group Public_IP

Thanks,

Cornelio

0 Helpful

gjburg
Level 1
Level 1
In response to Cornelio M

‎11-04-2020 04:42 AM - edited ‎11-04-2020 04:51 AM

Hi Philip

 

I'm struggeling with the same issue and can't find it and must do something wrong. But with the later ASDM the above nat cli command doesn't work any more. Could you please point me into the right direction for managing this. 

 

We use split tunnel anyconnect profile, and want to access an public url and because the whitelising on our office IP it needs to be tunneld into the ASA so that we access the website with out ASA's public IP. 

All possible NAT rules which I've tried don't work. 
Attached a screenshot from one of the nat tests (10.1.72.100-200) is the DHCP anyconnect scope VPN pool matching the acl's


Just tried to set it op with the website plain-text-ip.com which is 216.239.36.21 so see it it works and created an object external_test_url with this IP. And also put this IP in the splittunnel ACL and into the extended ACL for all ports. 

Somehow i'm missing somewhere something.

Regards
Gert

Preview file
30 KB
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card