AnyConnect Split Tunneling (Local Lan Access, Split Tunneling, Static & Dynamic (domain)


 

This article was created due to the COVID-19 pandemic 

Customers are increasing their AnyConnect license counts to absorb a surge of AnyConnect sessions on their existing headend ASA/Firepower.
A license increase alone does not help once the hardware is at its ceiling: the hard limit is the maximum concurrent VPN sessions the headend platform supports, not the number of AnyConnect licenses.
In many cases customers are adding or repurposing hardware to increase the capacity of their Internet gateways.

Increased bandwidth load on the Internet gateways is one of the implications of a sudden increase in AnyConnect sessions.

AnyConnect settings to help

Allow Local LAN Access

Allows users to reach their home network (RFC 1918 address space) while connected to the tunnel, without the administrator needing to know each user's actual home addressing scheme.
e.g., printing to a home network printer.

Split Tunneling 

Traditional IP-based split tunneling: include or exclude networks specified in an access list.

Dynamic Split Tunneling

Split tunnel traffic based on DNS domain name.

e.g., exclude traffic to SaaS services dynamically based on DNS resolution, so traffic destined to the SaaS provider goes directly to the service instead of through the tunnel. Originally released in AnyConnect 4.5 and enhanced in AnyConnect 4.6.

AnyConnect 4.5.00058 New Features

AnyConnect 4.6.00362 New Features

ASA 9.0 or later required.

Configure Split Tunneling 

Local Lan Access Demo

 

Note: Local LAN Access is more of a user convenience than a bandwidth saver.

 

image-1.jpg

 

 

Exclude specified — Does not tunnel traffic to or from the networks specified in the Network List. Traffic to or from all other addresses is tunneled.

 

The VPN client profile that is active on the client must also have Local LAN Access enabled; the group-policy setting alone is not enough.

 

image-2.jpg

Demo: exclude the user's home RFC 1918 address space from the VPN

 


 

Configuring Local LAN Access

 

Local LAN ASDM Configuration Group-Policy

image-3.jpg

 

 

Local LAN ASDM Configuration – Access List

image-4.jpg

 

AnyConnect Client Profile – Local LAN Access

 

  • Applied to the Group-Policy
  • Pushed to the client
  • Controls most AnyConnect features
  • Local LAN Access must be enabled here as well as in the group-policy
  • User Controllable allows the end user to enable/disable Local LAN Access from the client UI

image-5.jpg
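The ASA CLI equivalent of the ASDM screens above, as an added example that is not part of the original article. The group-policy name GP_ANYCONNECT and the ACL name LOCAL_LAN_ACCESS are assumed; the `host 0.0.0.0` entry is the special value AnyConnect interprets as "the client's own local subnet", which is why the administrator does not need to know the user's home addressing. On the client side the profile editor writes `<LocalLanAccess UserControllable="true">true</LocalLanAccess>` into the XML profile when the Local LAN Access box is ticked.

```text
! Added example (ASA CLI), not from the original article. Names are assumed.
!
! 1) Access list: "host 0.0.0.0" is the special entry AnyConnect reads as
!    "whatever subnet the client's physical adapter is on".
access-list LOCAL_LAN_ACCESS standard permit host 0.0.0.0
!
! 2) Group policy: exclude only the networks in the list from the tunnel,
!    everything else still goes through the VPN.
group-policy GP_ANYCONNECT attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL_LAN_ACCESS
!
! 3) Verify on the client: AnyConnect > Statistics > Route Details should
!    list the client's local subnet (for example 192.168.1.0/24) under
!    Non-Secured Routes once the session is up.
```

Security note: while connected, the endpoint can reach, and be reached from, its local subnet outside the tunnel, so this should be paired with a host firewall policy; the profile's User Controllable flag decides whether users can toggle the setting themselves.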

 

Split Tunneling

Background:

AnyConnect by default sends (secures) all traffic over the tunnel.

Although secure, doing so consumes headend and Internet-gateway bandwidth, because the user's traffic to Internet and SaaS resources is hairpinned through the corporate network and back out again.

Solution:

Split Tunneling is a method of selectively designating traffic, either by traditional IPv4/IPv6 network lists or dynamically by DNS domain, to be excluded from or included in the secure tunnel. This reduces bandwidth consumption on the headend. Keep in mind that anything excluded from the tunnel also bypasses the inspection and logging the corporate path provides.

Two types of Split Tunneling

  • Network Split Tunneling
    Can be configured for include or exclude
    Tunnels only the traffic defined by an access-list (include)
    Tunnels everything except the traffic defined by an access-list (exclude)
  • Dynamic Split Tunneling
    Can be configured for include or exclude
    Tunnels only traffic to the DNS domains specified in a list (include)
    Tunnels everything except traffic to the DNS domains specified in a list (exclude)

Split Tunneling Configuration

 

Split Tunneling Include / Tunnel Specified

 

image-6.jpg

Tunnel specified — Tunnels all traffic to or from the networks specified in the Network List through the tunnel. Data to all other addresses travels in the clear.

 


Split Tunnel Include
ASDM Configuration – Group-Policy

Configured in the Group-Policy Advanced section

image-7.jpg

 

Split Tunnel
ASDM Configuration – Access List

image-8.jpg
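The CLI form of the split-include configuration shown in the two ASDM screens above, added here as an example rather than taken from the original article. The group-policy name, ACL name and the two internal prefixes are assumed stand-ins for the real internal networks.

```text
! Added example (ASA CLI), not from the original article. Names and
! prefixes are assumed; replace them with the real internal networks.
!
! Only the listed destinations are routed into the tunnel; everything
! else, including Internet and SaaS traffic, leaves the client directly.
access-list SPLIT_INCLUDE standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_INCLUDE standard permit 172.16.0.0 255.240.0.0
!
group-policy GP_ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_INCLUDE
!
! Verify on the ASA after a user connects; the session output shows the
! group policy and tunnel-group the user landed in:
! show vpn-sessiondb anyconnect filter name <username>
```

The list is a standard ACL because split tunneling matches on destination network only; make it as tight as the internal addressing allows, since every prefix left out of the list is reachable only outside the tunnel.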

 

Dynamic Split Tunneling

Dynamic Split Tunnel Exclude

image-9.jpg

 

Dynamically provisions split-exclude tunneling after tunnel establishment, based on the DNS domain name of the destination host
(matching traffic is not sent over the tunnel).

 

Demo: exclude Google domains


 

Dynamic Split Tunnel Exclude  

ASDM Configuration – Attribute Type

 

Enable dynamic split tunneling

Create a custom attribute type of dynamic-split-exclude-domains.

This attribute type instructs AnyConnect to exclude traffic to any DNS name that matches an entry in the dynamic-split-exclude list from being tunneled through the VPN.

 

image-10.jpg

 

 

Dynamic Split Tunnel Exclude
ASDM Configuration – Attribute Name

 

This is the list of DNS domain names to exclude from the VPN tunnel, entered as comma-separated values.

This configuration can be applied to either a Group-Policy or a Dynamic Access Policy

image-11.jpg

 

Dynamic Split Tunnel Exclude
ASDM Configuration – Group Policy

image-12.jpg

 

Dynamic Split Tunnel Exclude
ASDM Configuration – Dynamic Access Policy (DAP)

Custom attributes are sent to and used by the AnyConnect client to configure features such as Deferred Upgrade, PerApp VPN and Dynamic Split Tunneling.   A custom attribute has a type and a named value.

image-13.jpg
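The same dynamic split exclude setup from the CLI, covering the three ASDM steps above (attribute type, attribute name, group-policy binding). This is an added example and not the article's own configuration; the group-policy name and the attribute name saas-exclude are assumed, and google.com is the domain from the article's demo.

```text
! Added example (ASA CLI), not from the original article. The group-policy
! name and the attribute name "saas-exclude" are assumed.
!
! 1) Attribute type (ASDM: Advanced > AnyConnect Custom Attributes)
webvpn
 anyconnect-custom-attr dynamic-split-exclude-domains description Domains that bypass the tunnel
!
! 2) Attribute name = the comma-separated domain list
!    (ASDM: Advanced > AnyConnect Custom Attribute Names)
anyconnect-custom-data dynamic-split-exclude-domains saas-exclude google.com
!
! 3) Bind the named list to the group policy (a DAP record can reference
!    the same attribute instead, if the decision depends on posture)
group-policy GP_ANYCONNECT attributes
 anyconnect-custom dynamic-split-exclude-domains value saas-exclude
```

Two practical points: the match is on the DNS name suffix, so google.com also covers mail.google.com and anything beneath it; and the exclusion is installed only after the client has resolved the name, so the outcome depends on which DNS server answered the client and on the address it returned.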

 

 

Dynamic Split Tunnel Include

image-14.jpg

Dynamically provisions split-include tunneling after tunnel establishment, based on the DNS domain name of the destination host.

 

Traffic to the included domains is sent over the tunnel. Traffic to all other domains is sent in the clear.

 

Demo: include the cisco and securitydemo domains


 

Dynamic Split Tunnel Include
ASDM Configuration – Attribute Type

Creating this custom attribute lets you dynamically split-include traffic after tunnel establishment, based on the host DNS domain name, by adding the dynamic-split-include-domains attribute.

Dynamic split include requires at least one static split include network; a single IP address will do, e.g. one of the DNS servers pushed to the client.

 

image-15.jpg

 

Dynamic Split Tunnel Include
ASDM Configuration – Attribute Name

This configuration can be applied to either a Group-Policy or a Dynamic Access Policy.

Enter the domains as comma-separated values.

The domains listed here and associated with the dynamic-split-include-domains attribute will traverse the tunnel after DNS resolution.

 

image-16.jpg

 

Dynamic Split Tunnel Include
ASDM Configuration – Group-Policy

 

image-17.jpg

 

Dynamic Split Tunnel Include
ASDM Configuration – Static Split Include Network

Dynamic split include requires at least one static split include network.

A single IP address will do, e.g. one of the DNS servers pushed to the client.

image-18.jpg

 

Dynamic Split Tunnel Include
ASDM Configuration – Dynamic Access Policy (DAP)

Custom attributes are sent to and used by the AnyConnect client to configure features such as Deferred Upgrade, PerApp VPN and Dynamic Split Tunneling.  A custom attribute has a type and a named value.

 

image-19.jpg
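The CLI equivalent of the dynamic split include steps above, including the static split include seed the article says is mandatory. This is an added example, not the article's configuration: the names, the DNS server address 10.10.10.53 and the placeholder domain securitydemo.example are assumed (the article's demo names only "securitydemo" without a TLD), while cisco.com is from the demo.

```text
! Added example (ASA CLI), not from the original article. Names, the DNS
! server 10.10.10.53 and the domain securitydemo.example are assumed.
!
! Dynamic split include only works on top of a static split include list,
! so seed it with a single host. A DNS server pushed to the client is a
! natural choice: DNS has to reach it over the tunnel anyway, and that is
! the resolution the dynamic include decision is based on.
access-list DST_INCLUDE_SEED standard permit host 10.10.10.53
!
webvpn
 anyconnect-custom-attr dynamic-split-include-domains description Domains that must use the tunnel
anyconnect-custom-data dynamic-split-include-domains corp-include cisco.com,securitydemo.example
!
group-policy GP_ANYCONNECT attributes
 dns-server value 10.10.10.53
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DST_INCLUDE_SEED
 anyconnect-custom dynamic-split-include-domains value corp-include
```

With this policy everything not resolved under an included domain (and not in the seed list) leaves the client in the clear, which is why the client's Route Details pane shows 0.0.0.0/0 under Non-Secured Routes.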

 

Dynamic Split Tunneling: Enhanced Flexibility

Enhanced Dynamic Split Tunnel Exclude

When dynamic split exclude tunneling is configured with both split exclude and split include domains, in order for traffic to be dynamically excluded from the tunnel it must match at least one dynamic split exclude domain and no dynamic split include domains.

  • Supported in AnyConnect 4.6 and later

Simple Use Case:

The customer needs to exclude traffic to google.com from the VPN tunnel, but needs traffic to specific Google domains, e.g. edu.google.com and classroom.google.com, to traverse the VPN tunnel.

 

image-20.jpg

 

Enhanced DST Exclude Demo

image-21.jpg

Demo

DST Exclude: google.com

DST Include: edu.google.com,classroom.google.com

 


 

Enhanced Dynamic Split Tunnel Exclude - ASDM Configuration – Attribute Type

Enable dynamic split tunneling

Create custom attribute types of dynamic-split-exclude-domains and dynamic-split-include-domains.

The attribute types and their associated attribute names instruct AnyConnect on what is excluded from or included in the secure tunnel.

 

image-22.jpg

 

Dynamic Split Tunnel Exclude - ASDM Configuration – Attribute Name

This is the list of domain names to exclude from the VPN tunnel

Note: This would typically be an extensive comma-delimited list of domains.

This configuration can be applied to either a Group-Policy or a Dynamic Access Policy.

 

image-23.jpg

 

Dynamic Split Tunnel Include - ASDM Configuration – Attribute Name

This configuration can be applied to either a Group-Policy or a Dynamic Access Policy.

Enter the domains as comma-separated values.

The domains listed here and associated with the dynamic-split-include-domains attribute will traverse the tunnel after DNS resolution.

image-24.jpg

 

Dynamic Split Tunnel Exclude - ASDM Configuration – Group-Policy

image-25.jpg

 

Dynamic Split Tunnel Include - ASDM Configuration – Group-Policy

image-26.jpg

 

Dynamic Split Tunnel - ASDM Configuration – Group-Policy (cont.)

Note: dynamic split tunneling is not the same thing as Split DNS; Split DNS only decides which DNS server answers a query, while dynamic split tunneling decides whether the resolved traffic uses the tunnel.

image-27.jpg

Dynamic Split Tunnel Exclude & Include - ASDM Configuration – Dynamic Access Policy 

Custom attributes are sent to and used by the AnyConnect client to configure features such as Deferred Upgrade, PerApp VPN and Dynamic Split Tunneling.

A custom attribute has a type and a named value.

In this Use Case both Exclude and Include configurations are applied.

 

image-28.jpg

 

Enhanced Dynamic Split Tunnel Include

When dynamic split include tunneling is configured with both dynamic split-include and dynamic split-exclude domains, traffic that is marked to be included in the tunnel must match at least one of the dynamic-split-Include-domains but must not match any dynamic-split-exclude domains.

 

Supported in AnyConnect 4.6 and later

 

Simple Use Case:

The customer needs to exclude traffic to edu.google.com and classroom.google.com from the VPN tunnel, but needs traffic to all other Google domains to traverse the VPN tunnel (included).

 

image-29.jpg

Enhanced DST Include Demo

image-30.jpg

DST Exclude:

edu.google.com

classroom.google.com

 

DST Include:

google.com

 

Note: A 0.0.0.0/0 entry under Non-Secured Routes indicates that the DST-excluded domains, as well as every other destination not included, are sent in the clear; they are not listed individually in the UI.

 


 

ASDM Configuration  - Enhanced DST Include

The only difference here is in the Attribute names list

Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attribute Names

 

image-31.jpg
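One CLI example serving both enhanced use cases above (Enhanced DST Exclude with google.com bypassed but edu.google.com and classroom.google.com kept in the tunnel, and Enhanced DST Include with the lists swapped). This is an added example and not the article's configuration; the group-policy names, attribute names and the seed address 10.10.10.53 are assumed, and the domains are the ones the article uses.

```text
! Added example (ASA CLI), not from the original article. Group-policy and
! attribute names and the seed address 10.10.10.53 are assumed.
!
! Attribute types are defined once and shared by both use cases.
webvpn
 anyconnect-custom-attr dynamic-split-exclude-domains description Bypass the tunnel
 anyconnect-custom-attr dynamic-split-include-domains description Keep in the tunnel
!
! ---- Use case 1: Enhanced DST Exclude -------------------------------------
! A name is excluded only if it matches an exclude entry AND no include
! entry, so edu.google.com and classroom.google.com (and names beneath
! them) stay in the tunnel while the rest of google.com bypasses it.
anyconnect-custom-data dynamic-split-exclude-domains google-bypass google.com
anyconnect-custom-data dynamic-split-include-domains google-keep edu.google.com,classroom.google.com
!
group-policy GP_ENHANCED_EXCLUDE attributes
 split-tunnel-policy tunnelall
 anyconnect-custom dynamic-split-exclude-domains value google-bypass
 anyconnect-custom dynamic-split-include-domains value google-keep
!
! ---- Use case 2: Enhanced DST Include --------------------------------------
! Mirror image: a name is included only if it matches an include entry
! AND no exclude entry. Because this is an include policy it still needs
! the static split include seed and tunnelspecified.
access-list DST_INCLUDE_SEED standard permit host 10.10.10.53
anyconnect-custom-data dynamic-split-exclude-domains edu-bypass edu.google.com,classroom.google.com
anyconnect-custom-data dynamic-split-include-domains google-keep-all google.com
!
group-policy GP_ENHANCED_INCLUDE attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DST_INCLUDE_SEED
 anyconnect-custom dynamic-split-exclude-domains value edu-bypass
 anyconnect-custom dynamic-split-include-domains value google-keep-all
```

Check the result on the client under Statistics > Route Details after resolving a name from each list: in use case 1 the resolved addresses for edu.google.com appear under Secured Routes and those for www.google.com under Non-Secured Routes; in use case 2 the reverse, with 0.0.0.0/0 standing in for every non-included destination.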

 

Note:

Please refer to previous Use Case “Enhanced DST Exclude” for all other ASDM Configuration guidance.

 

</Carco>

 

Comments

Great article in these challenging times, many thanks Carco! We are planning to dynamically exclude a domain and we would like to know how granular you can be with the value. The use case for us is excluding the Jabber DNS SRV lookup, which looks like _collab-edge._tls.video.mycompany.com. Is there any way to exclude an SRV record only, and if not, would subdomains work, like video.mycompany.com?

 

Thanks again,

Isidro

Cisco Employee

Hello Isidro,

 

Thank you for the comments. If you configure the Attribute Type dynamic-split-exclude-domains with an Attribute Names list that has video.mycompany.com, it will essentially be a wildcard where any domain xxx.video.mycompany.com, yyy.video.mycompany.com, zzz.video.mycompany.com will be excluded from the tunnel. If for some reason you needed aaa.video.mycompany.com to traverse the tunnel, you would also configure an Attribute Type dynamic-split-include-domains for aaa.video.mycompany.com.

 

" the use case for us is excluding Jabber DNS SRV lookup which looks like _collab-edge._tls.video.mycompany.com."

Sorry, not clear on this one. Are you asking how to stop Jabber from trying to resolve over the tunnel?

 

 

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/administration/guide/b_AnyConnect_Administrator_Guide_4-8/b_AnyConnect_Administrator_Guide_4-7_chapter_01100.html#concept_fly_15q_tz

 

Dynamic Split Tunneling

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/administration/guide/b_AnyConnect_Administrator_Guide_4-8/b_AnyConnect_Administrator_Guide_4-7_chapter_01100.html#ID-1428-000003be

Hello Carco,

 

Yes, we want to make sure the Jabber DNS SRV lookup goes out to an external DNS (outside the VPN tunnel) rather than our corporate DNS, so that a different set of Expressways is returned. In our company, _collab-edge._tls.video.mycompany.com exists in both corporate DNS and public (Internet) DNS (split-brain DNS). Each returns a different set of Expressways.

 

Let me know if it makes sense.

 

Thanks

Isidro