pcarco, Cisco Employee

Introduction:

This article was created due to the COVID-19 pandemic 

Cisco does not normally provide specific guidance around how you should design your VPN. AnyConnect and ASA Remote Access VPN (RA-VPN) are very powerful, with a lot of configuration options to help your organization deploy in whatever way best fits your needs. In response to the COVID-19 global pandemic, where customers are moving to 100% remote access and combining that with 100% virtual meetings (e.g., WebEx), Cisco is breaking with tradition and providing some best-practice guidance for RA-VPN design.

 

Cisco's guidance, especially in this time of global response, is to use Dynamic Split Tunneling to exclude the DNS names related to real-time communication software as a service (SaaS) tools, such as WebEx.

 

Please see the blog written by Aaron Woland regarding DST best practices:

Dynamic Split Tunneling – a COVID-19 Best Practice 

 

 

Note: This article covers all forms of Split tunneling, including Dynamic Split Tunneling (DST) for your education and guidance. 

 

Due to the COVID-19 global pandemic, Cisco customers are increasing AnyConnect licenses to allow a surge of AnyConnect sessions to their current headend ASA/Firepower. Link to Cisco's Free Offers for COVID-19 Pandemic

Items of Note for the free AnyConnect Licenses: 

  • You are limited to the maximum VPN sessions supported by the head-end and not AnyConnect.
  • In many cases, customers are adding or repurposing existing hardware to increase the capacity in their VPN head-ends.

With most organizations moving to 100% employee work-from-home, there is a tremendous increase in the load on the internet gateways. Bandwidth is one of the implications of a sudden increase in AnyConnect sessions.

 

AnyConnect settings to help alleviate that increased load

Allow Local LAN Access

Local LAN Access allows users to maintain access to their [RFC1918] home networks while connected to the secure VPN tunnel. The Administrator does not require knowledge of the actual addressing scheme when configuring Local LAN Access. AnyConnect is capable of determining the local network and adjusts the secure route list dynamically to exclude the home network from the tunnel.

A common use case here is to allow users to print locally, which would not be possible using a full-tunnel VPN session.

Split Tunneling 

Split tunneling has been in existence for a long time and, in its traditional form, is based on static statements using a standard access-list to either include or exclude IP networks from the VPN tunnel.

Dynamic Split Tunneling

Dynamic Split Tunneling (DST) provides the ability to define domains that will be either included or excluded dynamically after the user resolves the domain using DNS. This occurs after the tunnel has been established; the non-secure and secure routes are then adjusted according to the Administrator's configuration.

 

 

Split tunnel traffic based on domain

A good example would be to exclude traffic to SaaS services dynamically based on DNS resolution, so traffic destined to SaaS goes directly to the service instead of through the tunnel. Originally released with AC 4.5 and enhanced in AC 4.6.

AnyConnect 4.5.00058 New Features

AnyConnect 4.6.00362 New Features

ASA v9.0 or later required.

Configure Split Tunneling 

Local LAN Access

Note: This is more for user convenience, rather than a bandwidth saver.

 

image-1.jpg

 

 

In an exclude-specified configuration, AnyConnect will not tunnel traffic to or from the networks specified in the Network List. Traffic from or to all other addresses is tunneled.

 

The VPN client profile that is active on the client must have Local LAN Access enabled. If the Administrator has configured the Local LAN Access setting to be User-Controllable, the user will then have the ability to toggle this functionality Off/On using the Preferences tab in the AnyConnect UI. To avoid this scenario, simply uncheck User-Controllable in the profile to ensure Local LAN Access is always available.

 

image-2.jpg

Demo: exclude the user's home RFC1918 address space from the VPN

 

Local LAN Access Demo - UX

LocalLanDemo.mp4

     

Configuring Local LAN Access

Local LAN ASDM Configuration – Group-Policy

image-3.jpg

Local LAN ASDM Configuration – Access List

image-4.jpg

AnyConnect Client Profile – Local LAN Access

The AnyConnect Client profile is an XML file that is present on the end user's device. The configured profile on the head-end will always be pushed to the end user if the head-end determines during session establishment that the user does not have the most current or correct profile.

The AnyConnect Client Profile (VPN) is applied to the group-policy on the head-end or placed manually by the Administrator using a software management solution. This profile controls most AnyConnect VPN features, Local LAN Access being one of them.

image-5.jpg
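The ASA CLI equivalent of the Local LAN Access ASDM screens above, as an added example that is not the article's own configuration. The group-policy name GP-LOCAL-LAN, the ACL name LOCAL-LAN-ACCESS, the profile name ANYCONNECT-PROFILE and the flash path are assumptions.

```cisco
! Added example: ASA CLI for Local LAN Access (names and paths are assumed, not from the article)
!
! A standard ACL permitting host 0.0.0.0 is the marker that tells AnyConnect
! "the client's own local subnet", whatever RFC1918 range the home router happens to use.
access-list LOCAL-LAN-ACCESS standard permit host 0.0.0.0
!
! Register the client profile (XML) that has LocalLanAccess enabled
webvpn
 anyconnect profiles ANYCONNECT-PROFILE disk0:/anyconnect-profile.xml
!
group-policy GP-LOCAL-LAN attributes
 ! exclude-specified: networks in the list bypass the tunnel, all other traffic is tunneled
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL-LAN-ACCESS
 webvpn
  ! push that profile to every user landing in this group policy
  anyconnect profiles value ANYCONNECT-PROFILE type user
```

The profile pushed here must carry <LocalLanAccess UserControllable="false">true</LocalLanAccess>, which is what unchecking User-Controllable in the profile editor produces; after connecting, the home subnet shows under Non-Secure Routes in the AnyConnect UI.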

     

Split Tunneling

Background:

AnyConnect by default will send (secure) all traffic over the tunnel if not specifically configured to do otherwise. Although secure, a possible problem with doing so is the high consumption of bandwidth from routing the user's traffic back out to internet and SaaS resources.

Solution:

Split Tunneling, as mentioned earlier, is a method of selectively designating traffic, based on traditional IPv4/IPv6 networks or dynamically based on domains, to either be excluded from or included in the secure tunnel. This will reduce the consumption of bandwidth.

Two types of Split Tunneling:

Network Split Tunneling
  • Can be designed for include or exclude
  • Will specifically tunnel the traffic defined by an access-list (include)
  • Will specifically not tunnel the traffic defined by an ACL (exclude)

Dynamic Split Tunneling
  • Can be designed for include or exclude
  • Will specifically tunnel DNS domains specified in a list (include)
  • Will specifically not tunnel DNS domains specified in a list (exclude)

     

     

Split Tunneling Include/Tunnel Specified

image-6.jpg

A tunnel-specified configuration tunnels all traffic to or from the networks specified in the Network List through the tunnel. Data to all other addresses travels in the clear.

Split Tunneling Demo - UX

SplitTunnelIncludedemoo.mp4

       

Split Tunneling Configuration

Split Tunnel Include
ASDM Configuration – Group-Policy

Configured in the Group-Policy Advanced section

image-7.jpg

Split Tunnel
ASDM Configuration – Access List

image-8.jpg

Dynamic Split Tunneling

Dynamic Split Tunnel Exclude

image-9.jpg

The Dynamic-Split-Exclude-Domains configuration will dynamically provision split exclude tunneling after tunnel establishment, based on the host DNS domain name.

AnyConnect will exclude the listed domains from the secure VPN tunnel; all other traffic will be sent over the secure VPN tunnel.

       

Dynamic Split Exclude Demo - UX

DST_exclude.mp4

         

Dynamic Split Tunneling Exclude Configuration

ASDM Configuration – Attribute Type

Enable dynamic split tunneling

Create a custom attribute type of dynamic-split-exclude-domains

This attribute type instructs AnyConnect to exclude any DNS names included in a dynamic-split-exclude list from being tunneled through the VPN.

image-10.jpg

Dynamic Split Tunnel Exclude
ASDM Configuration – Attribute Name

This is the list of DNS names to exclude from the VPN tunnel.

This configuration can be applied to either a Group-Policy or a Dynamic Access Policy.

image-11.jpg

Dynamic Split Tunnel Exclude
ASDM Configuration – Group Policy

image-12.jpg

Dynamic Split Tunnel Exclude
ASDM Configuration – Dynamic Access Policy (DAP)

Custom attributes are sent to and used by the AnyConnect client to configure features such as Deferred Upgrade, PerApp VPN and Dynamic Split Tunneling. A custom attribute has a type and a named value.

image-13.jpg
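The three ASDM steps above (Attribute Type, Attribute Name, Group Policy) as ASA CLI, added here as an example and not the article's own configuration. The attribute name SAAS-EXCLUDE and the group-policy name GP-RAVPN are assumptions, and saas.example.com is a placeholder for a second SaaS domain; webex.com is the article's own example.

```cisco
! Added example: ASA CLI for Dynamic Split Exclude (SAAS-EXCLUDE and GP-RAVPN are assumed names)
!
! Step 1 - Attribute Type: declare the custom attribute type the client understands
webvpn
 anyconnect-custom-attr dynamic-split-exclude-domains description DynamicSplitExclude
!
! Step 2 - Attribute Name: the comma-separated domain list. Matching is by DNS suffix,
! so webex.com also covers sub-domains such as xyz.webex.com.
! ASDM stores values in chunks of at most 421 characters and the ASA concatenates them
! before pushing; the client honors the first 5000 characters of the concatenated list.
anyconnect-custom-data dynamic-split-exclude-domains SAAS-EXCLUDE webex.com,saas.example.com
!
! Step 3 - Group Policy: bind the attribute name to the policy the AnyConnect users land in.
! No split-tunnel-policy change is needed; the default tunnelall still applies to
! everything that does not resolve under a listed domain.
group-policy GP-RAVPN attributes
 anyconnect-custom dynamic-split-exclude-domains value SAAS-EXCLUDE
```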

         

         

Dynamic Split Tunnel Include

image-14.jpg

Another option is to configure Dynamic-Split-Include-Domains. This is the opposite of the behavior shown with the previous dynamic-split-exclude-domains configuration. AnyConnect will send only the domains listed in the configuration over the secure VPN tunnel; all other traffic will be sent in the clear.

         

Dynamic Split Include Demo - UX

DST_Include.mp4

Dynamic Split Include Configuration

ASDM Configuration – Attribute Type

By creating the custom attribute type dynamic-split-include-domains, you can dynamically split-include traffic after tunnel establishment, based on the host DNS domain name.

Dynamic split include requires at least one static split include network; a single IP address would do, e.g. one of the DNS servers pushed to the client.

           

          image-15.jpg

           

Dynamic Split Tunnel Include
ASDM Configuration – Attribute Name

This configuration can be applied to either a Group-Policy or a Dynamic Access Policy.

Enter the domains as comma-separated values.

The domains listed here and associated with the attribute Dynamic-split-Include-domains will traverse the tunnel after DNS resolution.

           

          image-16.jpg

           

Dynamic Split Tunnel Include
ASDM Configuration – Group-Policy

image-17.jpg

Dynamic Split Tunnel Include
ASDM Configuration – Static Split Include Network

Dynamic split include requires at least one static split include network; a single IP address would do, e.g. one of the DNS servers pushed to the client.

image-18.jpg

Dynamic Split Tunnel Exclude
ASDM Configuration – Dynamic Access Policy (DAP)

Custom attributes are sent to and used by the AnyConnect client to configure features such as Deferred Upgrade, PerApp VPN and Dynamic Split Tunneling. A custom attribute has a type and a named value.

image-19.jpg
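The Dynamic Split Include configuration above, including the mandatory static split include network, as ASA CLI. This is an added example, not the article's configuration: the names CORP-INCLUDE, DST-INCLUDE-SEED and GP-DST-INCLUDE, the DNS server 10.10.10.53 and the example.com domains are assumptions.

```cisco
! Added example: ASA CLI for Dynamic Split Include (all names, addresses and domains assumed)
!
! Attribute Type
webvpn
 anyconnect-custom-attr dynamic-split-include-domains description DynamicSplitInclude
!
! Attribute Name: only these domains (and their sub-domains) are routed through the
! tunnel once the client has resolved them; everything else goes in the clear
anyconnect-custom-data dynamic-split-include-domains CORP-INCLUDE corp.example.com,intranet.example.com
!
! Static split include network: dynamic split include needs at least one. Using the
! internal DNS server pushed to the client also keeps the client's queries for the
! corporate domains inside the tunnel, so they resolve to internal addresses.
access-list DST-INCLUDE-SEED standard permit host 10.10.10.53
!
group-policy GP-DST-INCLUDE attributes
 dns-server value 10.10.10.53
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DST-INCLUDE-SEED
 anyconnect-custom dynamic-split-include-domains value CORP-INCLUDE
```

Without the DST-INCLUDE-SEED entry the client receives no secure routes at all and the dynamic include list is never applied, which is the failure mode the article's note about the static network warns about.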

Enhanced Dynamic Split Tunneling

Enhanced Dynamic Split Tunnel Exclude

When dynamic split exclude tunneling is configured with both split exclude and split include domains, in order for traffic to be dynamically excluded from the tunnel it must match at least one dynamic split exclude domain and no dynamic split include domains.

  • Supported in AnyConnect v4.6 and later

Simple Use Case:

The customer needs to exclude traffic to google.com from the VPN tunnel; however, they need traffic to specific Google domains, i.e. edu.google.com and classroom.google.com, to traverse the VPN tunnel.

image-20.jpg

Enhanced DST Exclude Demo - UX

image-21.jpg

Demo

DST Exclude: google.com

DST Include: edu.google.com,classroom.google.com

Enhanced_DST_Exclude_Demo_v1.mp4

             

Enhanced DST Exclude Configuration

Enhanced Dynamic Split Tunnel Exclude - ASDM Configuration – Attribute Type

Enable dynamic split tunneling

Create custom attribute types of dynamic-split-exclude-domains and dynamic-split-include-domains

The attribute types and their associated attribute names instruct AnyConnect on what is excluded from or included in the secure tunnel.

             

            image-22.jpg

             

Dynamic Split Tunnel Exclude - ASDM Configuration – Attribute Name

This is the list of domain names to exclude from the VPN tunnel.

Note: This would typically be an extensive comma-delimited list of domains.

This configuration can be applied to either a Group-Policy or a Dynamic Access Policy.

image-23.jpg

Dynamic Split Tunnel Include - ASDM Configuration – Attribute Name

This configuration can be applied to either a Group-Policy or a Dynamic Access Policy.

Enter the domains as comma-separated values.

The domains listed here and associated with the attribute Dynamic-split-Include-domains will traverse the tunnel after DNS resolution.

            image-24.jpg

             

Dynamic Split Tunnel Exclude - ASDM Configuration – Group-Policy

image-25.jpg

Dynamic Split Tunnel Include - ASDM Configuration – Group-Policy

image-26.jpg

Dynamic Split Tunnel (aka: SplitDNS) - ASDM Configuration – Group-Policy cont.

image-27.jpg

Dynamic Split Tunnel Exclude & Include - ASDM Configuration – Dynamic Access Policy

Custom attributes are sent to and used by the AnyConnect client to configure features such as Deferred Upgrade, PerApp VPN and Dynamic Split Tunneling. A custom attribute has a type and a named value.

In this Use Case both Exclude and Include configurations are applied.

             

            image-28.jpg

             

Enhanced Dynamic Split Include Tunneling

When dynamic split include tunneling is configured with both dynamic split-include and dynamic split-exclude domains, traffic that is marked to be included in the tunnel must match at least one of the dynamic-split-include domains but must not match any dynamic-split-exclude domains.

Supported in AnyConnect v4.6 and later

Simple Use Case:

The customer needs to exclude traffic to edu.google.com and classroom.google.com from the VPN tunnel; however, they need traffic to all other Google domains to traverse the VPN tunnel (Included).

image-29.jpg

Enhanced DST Include Demo - UX

image-30.jpg

DST Exclude:

edu.google.com

classroom.google.com

DST Include:

google.com

Note: A 0.0.0.0/0 entry under Non-Secure Routes indicates that the configured DST Excluded domains, as well as all other domains, are sent in the clear; they are not shown individually in the UI.

             

Enhanced_DST_Include.mp4

               

Enhanced DST Include Configuration

ASDM Configuration - Enhanced DST Include

The only difference here is in the Attribute Names list:

Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attribute Names

image-31.jpg

Note:

Please refer to the previous Use Case "Enhanced DST Exclude" for all other ASDM configuration guidance.
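Both Enhanced DST use cases from this article (the Enhanced DST Exclude section and the Enhanced DST Include section just above) as ASA CLI, added here as an example and not the article's own configuration. The domain lists are the article's; the attribute names, the group-policy names, the seed ACL DST-INCLUDE-SEED and the DNS server address 10.10.10.53 are assumptions.

```cisco
! Added example: ASA CLI for the two Enhanced DST use cases (names and addresses assumed)
!
! Both attribute types are declared once and shared by every group policy
webvpn
 anyconnect-custom-attr dynamic-split-exclude-domains description DynamicSplitExclude
 anyconnect-custom-attr dynamic-split-include-domains description DynamicSplitInclude
!
! Use case 1 - Enhanced DST Exclude: google.com bypasses the tunnel, but a name that also
! matches an include domain (edu.google.com, classroom.google.com) is still tunneled,
! because exclusion requires a match on an exclude domain AND no match on any include domain.
anyconnect-custom-data dynamic-split-exclude-domains GOOGLE-ALL-EXCL google.com
anyconnect-custom-data dynamic-split-include-domains GOOGLE-EDU-INCL edu.google.com,classroom.google.com
group-policy GP-ENHANCED-EXCLUDE attributes
 anyconnect-custom dynamic-split-exclude-domains value GOOGLE-ALL-EXCL
 anyconnect-custom dynamic-split-include-domains value GOOGLE-EDU-INCL
!
! Use case 2 - Enhanced DST Include: the lists are swapped. google.com is tunneled, the two
! education domains match an exclude domain and therefore go in the clear together with all
! other traffic (the 0.0.0.0/0 Non-Secure Route the article mentions). Attribute names are
! scoped per type, so the swapped lists need their own anyconnect-custom-data entries.
anyconnect-custom-data dynamic-split-exclude-domains GOOGLE-EDU-EXCL edu.google.com,classroom.google.com
anyconnect-custom-data dynamic-split-include-domains GOOGLE-ALL-INCL google.com
!
! dynamic split include still needs at least one static split include network
access-list DST-INCLUDE-SEED standard permit host 10.10.10.53
!
group-policy GP-ENHANCED-INCLUDE attributes
 dns-server value 10.10.10.53
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DST-INCLUDE-SEED
 anyconnect-custom dynamic-split-exclude-domains value GOOGLE-EDU-EXCL
 anyconnect-custom dynamic-split-include-domains value GOOGLE-ALL-INCL
```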

               

</Carco>

               

Comments

Great article in these challenging times, great thanks Carco! We are planning to exclude dynamically a domain and we would like to know how granular can you be with the value, the use case for us is excluding Jabber DNS SRV lookup which looks like _collab-edge._tls.video.mycompany.com. Is there any way to exclude an SRV only and if not, would subdomains work like video.mycompany.com?

Thanks again,

Isidro

pcarco, Cisco Employee

Hello Isidro,

Thank you for the comments. If you configure the Attribute Type Dynamic-Split-Exclude-Domains with an Attribute Names list that has video.mycompany.com, it will essentially be a wildcard where any domain xxx.video.mycompany.com, yyy.video.mycompany.com, zzz.video.mycompany.com will be excluded from the tunnel. If for some reason you needed aaa.video.mycompany.com to traverse the tunnel, you would also configure an Attribute Type Dynamic-Split-Include-Domain for aaa.video.mycompany.com.

"the use case for us is excluding Jabber DNS SRV lookup which looks like _collab-edge._tls.video.mycompany.com."

Sorry, not clear on this one. Are you asking how to stop Jabber from trying to resolve over the tunnel?

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/administration/guide/b_AnyConnect_Administrator_Guide_4-8/b_AnyConnect_Administrator_Guide_4-7_chapter_01100.html#concept_fly_15q_tz

Dynamic Split Tunneling

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/administration/guide/b_AnyConnect_Administrator_Guide_4-8/b_AnyConnect_Administrator_Guide_4-7_chapter_01100.html#ID-1428-000003be

Hello Carco,

Yes, we want to make sure the Jabber DNS SRV lookup goes out to an external DNS (outside the VPN tunnel) rather than our corporate DNS, so a different set of Expressways is returned. In our company, _collab-edge._tls.video.mycompany.com exists in both corporate DNS and public (Internet) DNS (split-brain DNS). Each returns a different set of Expressways.

Let me know if it makes sense.

Thanks

Isidro

pcarco, Cisco Employee

Hello Isidro,

Unfortunately that is not possible today. After reaching out to AC Development, they confirmed that there is an enhancement request in place to address your use case.

The Split DNS behavior today is as follows:

"When split DNS is configured in the Network (Client) Access group policy, AnyConnect tunnels specific DNS queries to the private DNS server (also configured in the group policy). All other DNS queries go to the DNS resolver on the client operating system, in the clear, for DNS resolution. If split DNS is not configured, AnyConnect tunnels all DNS queries."

"Currently split DNS only applies to split-include tunneling, i.e. tunnel specific networks *and* specific DNS traffic.

So what's needed here is split-DNS for (static/dynamic) split-exclude tunneling, i.e. exclude from tunneling specific networks/domains *and* specific DNS traffic." <-- this is the subject of the enhancement request.

Best regards,
Paul Carco

Hello Paul,

I believe I didn't explain myself correctly. When a user connects through VPN, we always want DNS lookups to video.mycompany.com to use the computer's forwarder instead of the DNS requests being tunneled. So split DNS might be a confusion here; we don't need split DNS while on VPN. Users will only use the internal video.mycompany.com when they return to the office and their laptop DNS settings point to the corporate ones (AnyConnect not launched).

I understand this is the standard dynamic VPN tunneling explained in this document, where we exclude a single domain. My concern was that the initial DNS query to this domain is an SRV, which is not mentioned.

Best regards,

Isidro.

cmarva, Level 4

Just a general question. Do you know of any limitations as far as a maximum number of domains in the list? Not so much from defining the list on the ASA, but from an AnyConnect client or Windows standpoint.

The reason I ask, and I'm pretty sure that others have been going through the same thing, is that the list of excludes that my management wants to exclude is now up to about 60, not including the list of IP ranges in the Microsoft Office/Outlook document about optimizing over VPN, and I'm sure the list will continue to grow.

Thank you, Chris

cfortune2, Level 1

We have the same question about whether there is a limit on the number of domains; we've seen a client event for AnyConnect saying that the list of domains was too long and it was ignoring 19 of the dynamic split domains.

Thanks,

Carl

pcarco, Cisco Employee

@cmarva @cfortune2

Sorry for the delay. If the input size is larger than 421 characters, the value is broken up into multiple values (each of them 421 characters or smaller). This is not a problem, as the values are concatenated when the VPN configuration is pushed to the client, i.e. the client receives the custom attribute value as entered.

Slight correction. 5000 is your limit, but in the 421-character blocks.

"Add the corresponding custom attribute names for each cloud/web service that needs access by the client from outside the VPN tunnel. For example, add Google_domains to represent a list of DNS domain names pertaining to Google web services. Define these domains in the Value portion of the AnyConnect Custom Attribute Names screen, using the comma-separated-values (CSV) format, which separates domains by a comma character. AnyConnect only takes into account the first 5000 characters, excluding separator characters (roughly 300 typically-sized domain names). Domain names beyond that limit are ignored.

A custom attribute cannot exceed 421 characters. If a larger value is entered, ASDM breaks it into multiple values capped at 421 characters. All values for a certain attribute type and name are concatenated by ASA when the configuration is pushed to the client."

https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/asdm712/vpn/asdm-712-vpn-config/vpn-asdm-setup.html

Best regards,

Paul

cmarva, Level 4

OK, thank you, I appreciate it, Chris

pcarco, Cisco Employee

You're very welcome.

travismdrake, Level 1

Paul, this has been very helpful for us, thank you!

We are looking to split out our O365 traffic from the split tunnel; there's a ton of different directions out there, either to use the IPs or the domains. TAC advised using the domains; is that what you recommend for O365?

For those going through the same, we grabbed this script - https://github.com/microsoft/Office365NetworkTools/tree/master/Scripts/Display%20URL-IPs-Ports%20per%20Category

You enter your tenant name, run the script and it will give you the IPs & domains associated with your tenant. This made it easier to build the dynamic exclusions with only 4 domains instead of the MANY that we were finding in the Microsoft documentation.

pcarco, Cisco Employee

@travismdrake Good point, I should link to that early in the article.

Thank you for the feedback.

Best regards,
Paul

lmediavilla, Level 1

The documentation is brilliant.

I am just missing the split tunnel for both IPv4 and IPv6 using an extended access list. It ain't trivial to deploy it.

EugeneL, Level 1

Is there anything special that needs to be added in terms of NAT or similar (same-interface statements) to allow packets destined to the internet through the tunnel? In my testing, packet tracer shows a drop as the result.
