Dynamic split tunneling exclusions address scenarios in which traffic pertaining to a certain service needs to be excluded from the VPN tunnel dynamically, at run time.
A typical use case is a public cloud service with a wide range of public IP addresses, such as O365, that needs to be excluded from the VPN connection dynamically at run time.
Depending on the split tunneling policy configured, dynamic split tunneling exclusion is applied as follows:
Tunnel All Networks—All exclusions from the VPN tunnel are dynamic.
Exclude Specific Networks—Dynamic exclusions are added to preconfigured static ones.
Include Specific Networks—Dynamic exclusions are only relevant if at least one IP address of the excluded host names overlaps with a split include network. Otherwise, the traffic is already excluded from the VPN tunnel, and no dynamic exclusion is performed.
Define the custom attribute type in the WebVPN context with the following command:
anyconnect-custom-attr dynamic-split-exclude-domains description dynamic split exclude domains
Define the custom attribute names for each cloud/web service that the client needs to access outside the VPN tunnel. For example, add Google_domains to represent a list of DNS domain names pertaining to Google web services. The attribute value contains the list of domain names to exclude from the VPN tunnel and must be in comma-separated-values (CSV) format, using the following as an example:
anyconnect-custom-data dynamic-split-exclude-domains webex_service_domains webex.com, webexconnect.com, tags.tiqcdn.com
Attach the previously defined custom attribute to a certain policy group with the following command, executed in the group-policy attributes context:
anyconnect-custom dynamic-split-exclude-domains value webex_service_domains
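When reviewing which traffic will bypass the tunnel, the policy-dependent behaviour listed above can be modelled as a small decision function. This is an added example, not Cisco code or part of the original post; the policy labels, function names, sample addresses, and the assumption that a listed domain also covers its subdomains are not from the page.

```python
import ipaddress

# Constructed sample value; it mirrors the page's webex_service_domains example.
EXCLUDE_DOMAINS = "webex.com, webexconnect.com, tags.tiqcdn.com"


def parse_domains(csv_value):
    """Split the CSV attribute value into normalized domain names."""
    return [d.strip().lower().rstrip(".") for d in csv_value.split(",") if d.strip()]


def domain_matches(hostname, domains):
    """Assumption: a listed domain covers itself and its subdomains."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def in_any(ip, networks):
    """True if the address falls inside any of the given CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def dynamic_exclusion_applies(policy, hostname, resolved_ips, domains, static_networks=()):
    """Return (applies, reason) for one hostname under a split tunneling policy.

    policy: "tunnel-all", "exclude-specific" or "include-specific" (labels chosen here).
    static_networks: the preconfigured split exclude or split include networks.
    """
    if not domain_matches(hostname, domains):
        return False, "host not in dynamic exclude list"
    if policy == "tunnel-all":
        return True, "all exclusions are dynamic"
    if policy == "exclude-specific":
        return True, "added to static exclusions"
    if policy == "include-specific":
        # Only relevant when a resolved address overlaps a split include network.
        if any(in_any(ip, static_networks) for ip in resolved_ips):
            return True, "resolved IP overlaps a split include network"
        return False, "already outside the tunnel, no dynamic exclusion"
    raise ValueError("unknown policy: " + policy)
```

Running it over the resolved addresses of each listed domain shows, per group policy, which hosts actually leave the tunnel because of the dynamic list and which were already outside it.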