cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
110496
Views
50
Helpful
14
Comments
pcarco
Cisco Employee
Cisco Employee

Introduction:

This article was created due to the COVID-19 pandemic 

Cisco does not normally provide specific guidance around how you should design your VPN. AnyConnect and ASA Remote Access VPN (RA-VPN) is very powerful with a lot of configuration options to help your organization deploy in whatever way that best fits your needs. In response to the COVID-19 global pandemic, where customers are moving to 100% remote-access, and combining that with 100% virtual meetings (i.e.:WebEx), Cisco is breaking with tradition and providing some best-practice guidance for RA-VPN design. 

 

Cisco's guidance, especially in this time of global response, is to use Dynamic Split Tunneling to exclude the DNS names related to real-time communication software as a service (SaaS) tools, such as WebEx.

 

Please see the blog written by Aaron Woland  regarding DST Best Practices.

Dynamic Split Tunneling – a COVID-19 Best Practice 

 

 

Note: This article covers all forms of Split tunneling, including Dynamic Split Tunneling (DST) for your education and guidance. 

 

Due to the COVID-19 global pandemic, Cisco customers are increasing AnyConnect licenses to allow a surge of AnyConnect sessions to their current headend ASA/Firepower. Link to Cisco's Free Offers for COVID-19 Pandemic

Items of Note for the free AnyConnect Licenses: 

  • You are limited to the maximum VPN sessions supported by the head-end and not AnyConnect.
  • In many cases, customers are adding or repurposing existing hardware to increase the capacity in their VPN head-ends.

Thanks to most organizations moving to a 100% employee work-from-home, there is tremendous increased in the load on the internet gateways. Bandwidth is one of the implications of a sudden increase in AnyConnect sessions.

 

AnyConnect settings to help alleviate that increased load

Allow Local LAN Access

Local LAN Access allows users to maintain access to their [RFC1918] home networks while connected to the secure VPN tunnel. The Administrator does not require knowledge of the actual addressing scheme when configuring Local LAN Access.  AnyConnect is capable of deterring the local network and adjusts the secure route list dynamically to exclude the home network from the tunnel.
 
A common use case here is to allow users to print locally which would not be possible using a full tunnel vpn session. 

Split Tunneling 

Split tunneling has been in existence for a long time and in its traditional form is based on static statements using a standard access-list  to either include or exclude IP networks from the VPN Tunnel. 

Dynamic Split Tunneling

Dynamic Split Tunneling (DST) provides the ability to define domains that will be either included or excluded dynamically after the user resolves the domain using DNS.   This functionality occurs after the tunnel has been established and the non-secure and secure routes are adjusted accordingly based on the Administrators configuration. 

 

 

Split tunnel traffic based on domain

A good example would be to exclude traffic to SaaS services dynamically based on DNS resolution, so traffic destined to SaaS goes directly to the service, instead of through the tunnel.  Originally released with AC 4.5 and Enhanced In AC 4.6

AnyConnect 4.5.00058 New Features

AnyConnect 4.6.00362 New Features

ASA v9.0 >. required

Configure Split Tunneling 

Local Lan Access

Note: This is more for user convenience, rather than a bandwidth saver.

 

image-1.jpg

 

 

In an exclude-specified configuration; AnyConnect will  not tunnel traffic to or from the networks specified in the Network List. Traffic from or to all other addresses is tunneled.

 

The VPN client profile that is active on the client must have Local LAN Access enabled.  If the Administrator has configured the Local LAN Access setting to be User-Controllable the user will then have the ability to toggle this functionality Off/On using the Preferences tab in the AnyConnect UI.  To avoid this scenario simply uncheck User-Controllable in the profile to ensure Local LAN Access is always available. 

 

image-2.jpg

Demo exclude users home RFC1918 address space from VPN

 

Local LAN Access Demo - UX

 

Configuring Local LAN Access

 

Local LAN ASDM Configuration Group-Policy

image-3.jpg

 

 

Local LAN ASDM Configuration – Access List

image-4.jpg

 

AnyConnect Client Profile – Local LAN Access

 

The AnyConnect Client profile is an XML file that is present on the end users device.  The configured profile on the head-end will always be pushed to the end user if the the head-end determines during session establishment that the user does not have the most current or correct profile. 

 

The AnyConnect Client Profile (VPN) is applied to the group-policy on the head-end or. placed manually by the Administrator using a software management solution.   This profile controls most AnyConnect VPN features;  Local LAN Access being one of them.

 

image-5.jpg

 

Split Tunneling

 

Background:

AnyConnect by default will send (secure) all traffic over the tunnel if not specifically configured to do otherwise and 

although secure, a possible problem doing so is the high consumption of bandwidth with the routing of the user's traffic back to internet and SaaS resources.

Solution:

Split Tunneling as mentioned earlier  is a method of selectively designating traffic based on traditional IPv4/IPv6 networks or Dynamically based on domains to either be excluded or included in the secure tunnel.  This will reduce the consumption of bandwidth.

Two types of Split Tunneling:

Network Split Tunneling
Can be designed for include or exclude
Will specifically tunnel the traffic defined by an access-list (include)
Will specifically not tunnel the traffic defined by an ACL (exclude)
Dynamic Split Tunneling 
Can be designed for include or exclude
Will specifically tunnel DNS domains specified in a list (include)
Will specifically not tunnel DNS domains specified in a list (exclude)

 

 

Split Tunneling innclude/Tunnel specified

 

image-6.jpg

A tunnel-specified configurations tunnels all traffic to or from the networks specified in the Network List through the tunnel. Data to all other addresses travels in the clear.

 

Split Tunneling Demo - UX

 

Split Tunneling Configuration

Split Tunnel Include
ASDM Configuration – Group-Policy

Configured in the Group-Policy Advanced section

image-7.jpg

 

Split Tunnel
ASDM Configuration – Access List

image-8.jpg

 

Dynamic Split Tunneling

Dynamic Split Tunnel Exclude

image-9.jpg

 

The Dynamic-Split-Exclude-Domains configuration will dynamically provision split exclude tunneling after tunnel establishment, based on the host DNS domain name

AnyConnect will exclude the list of domains from the secure vpn tunnel and all other traffic will be sent over the secure VPN tunnel. 

 

Dynamic Split Exclude Demo - UX

 

Dynamic Split Tunneling Exclude Configuration

ASDM Configuration – Attribute Type

 

Enable dynamic split tunneling

Create a custom attribute type of dynamic-split-exclude-domains

This attribute type instructs AnyConnect to exclude any DNS names included in a dynamic-split-exclude list from being tunneled through the VPN.

 

image-10.jpg

 

 

Dynamic Split Tunnel Exclude
ASDM Configuration – Attribute Name

 

This is the list of DNS names to exclude from the VPN tunnel

This configuration can be applied to either a Group-Policy or a Dynamic Access Policy

image-11.jpg

 

Dynamic Split Tunnel Exclude
ASDM Configuration – Group Policy

image-12.jpg

 

Dynamic Split Tunnel Exclude
ASDM Configuration – Dynamic Access Policy (DAP)

Custom attributes are sent to and used by the AnyConnect client to configure features such as Deferred Upgrade, PerApp VPN and Dynamic Split Tunneling.   A custom attribute has a type and a named value.

image-13.jpg

 

 

Dynamic Split Tunnel Include

image-14.jpg

Another option is to configure Dynamic-Split Include-Domains.  This is the opposite behavior shown when using the previous dynamic-split-exclude-domains configuration.   AnyConnect will send only the domains listed in the configuration over the secure  vpn tunnel and all other traffic will be sent in the clear. 

 

Dynamic Split Include Demo - UX

Dynamic Split Include Configuration 


ASDM Configuration – Attribute Type

Creating this custom attribute, you can dynamically split include traffic after tunnel establishment

Based on the host DNS domain name. By adding dynamic-split-include-domains attribute

dynamic split include requires at least one static split include network, a single IP address would do, e.g. one of the DNS servers pushed to client.

 

image-15.jpg

 

Dynamic Split Tunnel Include
ASDM Configuration – Attribute Name

This configuration can be applied to either a Group-Policy or a Dynamic Access Policy.

Enter the domains, use comma separated values

The domains listed here and associated with the attribute Dynamic-split-Include-domains will traverse the tunnel after DNS resolution.

 

image-16.jpg

 

Dynamic Split Tunnel Include
ASDM Configuration – Group-Policy

 

image-17.jpg

 

Dynamic Split Tunnel Include
ASDM Configuration – Static Split Include Network

Dynamic split include requires at least one static split include network,

A single IP address would do, e.g. one of the DNS servers pushed to client.

image-18.jpg

 

Dynamic Split Tunnel Exclude
ASDM Configuration – Dynamic Access Policy (DAP)

Custom attributes are sent to and used by the AnyConnect client to configure features such as Deferred Upgrade, PerApp VPN and Dynamic Split Tunneling.  A custom attribute has a type and a named value.

 

image-19.jpg

Enhanced Dynamic Split Tunneling

Enhanced Dynamic Split Tunnel Exclude

When dynamic split exclude tunneling is configured with both split exclude and split include domains, in order for traffic to be dynamically excluded from the tunnel it must match at least one dynamic split exclude domain and no dynamic split include domains.

  • Supported in AnyConnect v4.6 >

Simple Use Case:

Customer needs to exclude traffic to google.com from the vpn tunnel however they need traffic to specific google domains i.e;  edu.google.com and classroom.google.com to traverse the vpn tunnel

 

image-20.jpg

 

Enhanced DST Exclude Demo - UX

image-21.jpg

Demo

DST Exclude: google.com

DST Include: edu.google.com,classroom.google.com

 

 

Enhanced DST Exclude Configuration

Enhanced Dynamic Split Tunnel Exclude - ASDM Configuration – Attribute Type

Enable dynamic split tunneling

Create a custom attribute type of dynamic-split-exclude-domains and dynamic-split-split-include-domains

The attribute-types and the associated attribute-names instruct AnyConnect on what is excluded from or included in the Secure

Tunnel.

 

image-22.jpg

 

Dynamic Split Tunnel Exclude - ASDM Configuration – Attribute Name

This is the list of domain names to exclude from the VPN tunnel

Note: This would typically be an extensive Comma-delimited list of domains.

This configuration can be applied to either a Group-Policy or a Dynamic Access Policy.

 

image-23.jpg

 

Dynamic Split Tunnel Include - ASDM Configuration – Attribute Name

This configuration can be applied to either a Group-Policy or a Dynamic Access Policy.

Enter the domains, use comma separated values

The domains listed here and associated with the attribute Dynamic-split-Include-domains will traverse the tunnel after DNS resolution.

image-24.jpg

 

Dynamic Split Tunnel Exclude - ASDM Configuration – Group-Policy

image-25.jpg

 

Dynamic Split Tunnel Include - ASDM Configuration – Group-Policy

image-26.jpg

 

Dynamic Split Tunnel (aka: SplitDNS)  - ASDM Configuration – Group-Policy cont..

image-27.jpg

Dynamic Split Tunnel Exclude & Include - ASDM Configuration – Dynamic Access Policy 

Custom attributes are sent to and used by the AnyConnect client to configure features such as Deferred Upgrade, PerApp VPN and Dynamic Split Tunneling.

A custom attribute has a type and a named value.

In this Use Case both Exclude and Include configurations are applied.

 

image-28.jpg

 

Enhanced Dynamic Split Include Tunneling

When dynamic split include tunneling is configured with both dynamic split-include and dynamic split-exclude domains, traffic that is marked to be included in the tunnel must match at least one of the dynamic-split-Include-domains but must not match any dynamic-split-exclude domains.

 

Supported in AnyConnect v4.6 >

 

Simple Use Case:

Customer needs to exclude traffic to edu.google.com and classroom.google.com from the vpn tunnel however they need traffic to all other google domains to traverse the vpntunnel (Included)

 

image-29.jpg

Enhanced DST Include Demo - UX

image-30.jpg

DST Exclude:

edu.google.com

classroom.google.com

 

DST Include:

google.com

 

Note: 0.0.0.0/0  Non-Secure Routes would indicate the DST Excluded domains configured as well as all other domains would be sent in the clear and not shown specifically in the UI

 

 

Enhanced DST Include Configuration

ASDM Configuration  - Enhanced DST Include

The only difference here is in the Attribute names list

Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attribute Names

 

image-31.jpg

 

Note:

Please refer to previous Use Case “Enhanced DST Exclude” for all other ASDM Configuration guidance.

 

</Carco>

 

Comments

Great article in these challenging times, great thanks Carco! We are planning to exclude dynamically a domain and we would like to know how granular can you be with the value, the use case for us is excluding Jabber DNS SRV lookup which looks like _collab-edge._tls.video.mycompany.com. Is there any way to exclude an SRV only and if not, would subdomains work like video.mycompany.com?

 

Thanks again,

Isidro

pcarco
Cisco Employee
Cisco Employee

Hello Isidro,

 

Thank you for the comments.     If you configure with the Attribute Type Dynamic-Split-Exclude-Domains with an Attribute names list that has video.mycompany.com it will essentially be a wildcard where any domain xxx.video.my.company.com ,yyy.video.mycompany.com, zzz.video.mycompany.com will be Excluded from the tunnel.   If for some reason you needed aaa.video.mycompany.com to traverse the tunnel you would also configure an Attribute type  Dynamic-Split-Include-Domain for the aaa.video.mycompany.com.

 

" the use case for us is excluding Jabber DNS SRV lookup which looks like _collab-edge._tls.video.mycompany.com."

Sorry not clear on this one.   Are you asking how to stop Jabber from trying to resolve over the tunnel ?

 

 

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/administration/guide/b_AnyConnect_Administrator_Guide_4-8/b_AnyConnect_Administrator_Guide_4-7_chapter_01100.html#concept_fly_15q_tz

 

Dynamic Split Tunneling

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/administration/guide/b_AnyConnect_Administrator_Guide_4-8/b_AnyConnect_Administrator_Guide_4-7_chapter_01100.html#ID-1428-000003be

Hello Carco,

 

Yes, we want to make sure Jabber DNS SRV lookup goes out to an External DNS (outside VPN tunnel) rather than our corporate DNS so a different set of expressways are returned. In our company, _collab-edge._tls.video.mycompany.com exists in both, corporate DNS and public (Internet) DNS (Split-brain DNS). Each returns different set of Expressways. 

 

Let me know if it makes sense.

 

Thanks

Isidro

pcarco
Cisco Employee
Cisco Employee

Hello Isidro,

 

Unfortunately that is not possible today.  After reaching out to AC Development confirmed that there is an enhancement request in place to address your use case. 

 

The Split DNS behavior today is as follows:

 

“When split DNS is configured in the Network (Client) Access group policy, AnyConnect tunnels specific DNS queries to the private DNS server (also configured in the group policy). All other DNS queries go to the DNS resolver on the client operating system, in the clear, for DNS resolution. If split DNS is not configured, AnyConnect tunnels all DNS queries. “

 

"Currently split DNS only applies to split-include tunneling, i.e. tunnel specific networks *and* specific DNS traffic.

 

So what’s needed here is split-DNS for (static/dynamic) split-exclude tunneling, i.e. exclude from tunneling specific networks/domains *and* specific DNS traffic."  <-- this is the subject of the Enhancement request .

 

Best regards,
Paul Carco

Hello Paul,

 

I believe I didn't explain myself correctly. When a user connects through VPN, we want always  DNS lookups to video.mycompany.com to use computer's forwarder instead of being DNS requests being tunneled. So split DNS might be a confusion here, we don't need split DNS while on VPN. Users will only use internal video.mycompany.com when they return to office and their laptop DNS settings points to corporate ones (Anyconnect not launched).

I understand this is the standard Dynamic VPN tunneling explained in this document, where we exclude a single domain. My concern was that the initial DNS query to this domain is a SRV, which is not mentioned.

 

Best regards,

Isidro.

cmarva
Level 4
Level 4

just a general question. Do you know of any limitations as far as a maximum number of domains in the list? Not so much from defining the lsit on the asa, but from an anyconnect client, or windows standpoint. 

The reason I ask, and I'm pretty sure that others have been going through the same thing, is that the list of excludes that my management wants to exclude is now up to about 60, not including the list of IP ranges in the microsoft office/outlook document about optimizing over VPN. and I'm sure the list will continue to grow.

 

thank you, chris

cfortune2
Level 1
Level 1

We have the same question about is there a limit on the number of domains, we've seen a client event for Anyconnect saying that the list of domains was too long and it was ignoring 19 of the dynamic split domains.

 

Thanks,

Carl

pcarco
Cisco Employee
Cisco Employee

@cmarva @cfortune2 

 

Sorry for the delay

, if the input size is larger than 421 characters, the value is broken up into multiple values (each of them 421 characters or smaller). This is not a problem, as the values are concatenated when the VPN configuration is pushed to client, i.e. the client receives the custom attribute value as entered.

 

Slight correction.   5000 is your limit but ii the 421 blocks.

"Add the corresponding custom attribute names for each cloud/web service that needs access by the client from outside the VPN tunnel. For example, add Google_domains to represent a list of DNS domain names pertaining to Google web services. Define these domains in the Value portion of the AnyConnect Custom Attribute Names screen, using the comma-separated-values (CSV) format, which separates domains by a comma character. AnyConnect only takes into account the first 5000 characters, excluding separator characters (roughly 300 typically-sized domain names). Domain names beyond that limit are ignored.

A custom attribute cannot exceed 421 characters. If a larger value is entered, ASDM breaks it into multiple values capped at 421 characters. All values for a certain attribute type and name are concatenated by ASA when the configuration is pushed to the client."

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/asdm712/vpn/asdm-712-vpn-config/vpn-asdm-setup.html

 

Best regards,

 

Paul 

cmarva
Level 4
Level 4

ok, thank you, I appreciate it, chris

 

pcarco
Cisco Employee
Cisco Employee

You're very welcome.

travismdrake
Level 1
Level 1

Paul this has been very helpful for us thank you!

 

We are looking to split out our O365 traffic from the split tunnel, there's a ton of different directions out there either to use the IP's or the domains. TAC advised using the domains, is that we what you recommend for O365?

 

For those going through the same, we grabbed this script - https://github.com/microsoft/Office365NetworkTools/tree/master/Scripts/Display%20URL-IPs-Ports%20per%20Category

 

You enter your tenant name, run the script and it will give you the IP's & domains associated with your tenant. This made it easier to build the dynamic exclusions with only 4 domains instead of the MANY that we were finding in the Microsoft documentation.  

pcarco
Cisco Employee
Cisco Employee

@travismdrake     Good point,  I should link to that early in the article.  

 

Thank you for the feedback..

 

Best regards,
Paul

lmediavilla
Level 1
Level 1

The documentation is brilliant.

I am just missing the split tunnel for both ipv4 and ipv6 using an extended access list. It ain't trivial to deploy it.

EugeneL
Level 1
Level 1

Is there anything special that needs to be added in terms of NAT or similar ( same interface statements ) to allow the packet destined to the internet through tunnel . In my testing and packet tracer shows drop as a result.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: