Beginner

Anyconnect Split tunneling Config on IOS

Hi,

 

I have configured AnyConnect on IOS and it is working perfectly fine; my policy is as below:

!
policy group Panzer-SSL
functions svc-enabled
svc address-pool "SSL-VPN" netmask 255.255.255.0
svc split include 10.0.0.0 255.255.255.0
default-group-policy Panzer-SSL
!

My question is:

** How can I force the client to push all traffic (including internet) through AnyConnect? At the moment I have only managed to make it work with split tunneling, and as soon as I remove "svc split include 10.0.0.0 255.255.255.0" it stops working.

I also tried removing "functions svc-enabled" to stop split tunneling; again the client can't log in.


Should I create an ACL?

 

Any thoughts?

 

Thanks
Samy

VIP Advisor

Re: Anyconnect Split tunneling Config on IOS

That should work. Perhaps try the extreme:

 

svc split include 0.0.0.0 0.0.0.0

Beginner

Re: Anyconnect Split tunneling Config on IOS

Thanks, Philip, for coming back.

 

I removed the svc split include 10.0.0.0 and instead added
svc split include 0.0.0.0 0.0.0.0
svc dns-server primary 8.8.8.8

The route received by my AnyConnect client changed to 0.0.0.0 (as expected), but my machine can't hit anywhere outside of the local network :(

In the config for AnyConnect I used a virtual-template cloning the int vlan1 IP (int VLAN 1 is the actual gateway for the devices connected to the router).

When I traceroute from the AnyConnect client after I changed the config, I hit int vlan1 as the first hop and then get blackholed there. Am I missing anything?

 

Here is my config:

webvpn gateway Panzer-Gateway
ip interface Dialer0 port 443
ssl trustpoint SSL-VPN
inservice
!
webvpn context Panzer-SSL
!
acl "Panzer-SSL"
permit ip any any
virtual-template 1
aaa authentication list SSL-VPN
gateway Panzer-Gateway
!
ssl authenticate verify all
inservice
!
policy group Panzer-SSL
acl "Panzer-SSL"
functions svc-enabled
svc address-pool "SSL-VPN" netmask 255.255.255.0
svc dns-server primary 8.8.8.8
default-group-policy Panzer-SSL


Thanks
Samy

Hall of Fame Master

Re: Anyconnect Split tunneling Config on IOS

You need a NAT rule for the VPN clients to be assigned a public IP address for their Internet-bound traffic.

Beginner

Re: Anyconnect Split tunneling Config on IOS


@Marvin Rhoads wrote:

You need a NAT rule for the VPN clients to be assigned a public IP address for their Internet-bound traffic.


Thanks Marvin,

 

I have carved out, for example, 10.0.0.100-110 for VPN clients; 10.0.0.0/24 is the local LAN range on the router, which already has a NAT rule.

 

My assumption is that the router will treat AnyConnect clients the same as locally connected 10.0.0.x/24 hosts while they are on the same subnet.

 

Should I create a separate subnet and separate NAT rule?

Cisco Employee

Re: Anyconnect Split tunneling Config on IOS

Hey,

 

You need an outside-to-outside NAT rule.

 

nat (outside,outside) source dynamic vpn-pool interface

 

However, make sure it's below the NAT exempt statement on your ASA that is being used by your AnyConnect clients to access the internal network.

 

 

Regards

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question

Beginner

Re: Anyconnect Split tunneling Config on IOS


@shgrover wrote:

Hey,

 

You need an outside-to-outside NAT rule.

 

nat (outside,outside) source dynamic vpn-pool interface

 

However, make sure it's below the NAT exempt statement on your ASA that is being used by your AnyConnect clients to access the internal network.

 

 

Regards

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question


Hi Shikha,

 

Thanks, but I'm doing it on a 2921 router and not an ASA.

Do I need a specific NAT rule for IOS, although the AnyConnect IP falls under the inside NATed IP range?

 

I have attached the config to my original message as well if you need to check it.

 

 

Cheers

Samy

Hall of Fame Master

Re: Anyconnect Split tunneling Config on IOS

Your challenge is known as "hairpinning".

Please see this article which describes the challenge and provides a solution:

https://packetu.com/2012/06/26/nat-vpns-and-hairpinning-internet-traffic-in-ios/
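An added example, not taken from the thread or from the linked article, of the IOS-side NAT piece behind the "hairpinning" answer: IOS inside-source NAT only translates packets that enter on an interface marked `ip nat inside` and leave on one marked `ip nat outside`, and the Virtual-Access interfaces that carry AnyConnect clients inherit their settings from the virtual-template. The interface names, ACL name and pool range below are assumptions taken from the thread, not verified against the poster's router.

```text
! Assumed: Dialer0 is the Internet-facing interface, Vlan1 is the LAN gateway,
! and the AnyConnect pool 10.0.0.100-110 is carved out of the LAN 10.0.0.0/24.
interface Dialer0
 ip nat outside
!
interface Vlan1
 ip nat inside
!
! Virtual-Access interfaces are cloned from this template. Without "ip nat inside"
! here, a VPN client's packet enters on a non-inside interface and leaves Dialer0
! with its 10.0.0.x source untranslated (the hairpin), so replies never return.
interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
!
! Assumed NAT ACL: the pool sits inside the LAN /24, so one entry covers both.
! VPN-to-LAN traffic is inside-to-inside and is never translated.
ip access-list standard NAT-ACL
 permit 10.0.0.0 0.0.0.255
!
ip nat inside source list NAT-ACL interface Dialer0 overload
!
! Check: while a connected client browses, its pool address should show up as an
! inside local address with Dialer0's public address as the inside global.
! show ip nat translations
```

If the translation table stays empty for the pool address while the client is sending Internet-bound traffic, the packets are not entering on an `ip nat inside` interface, which is the hairpin symptom described above.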