Anyconnect Split tunneling Config on IOS

ssg14
Level 1

Hi,

 

I have configured AnyConnect on IOS and it's working perfectly fine; my policy is as below:

!
policy group Panzer-SSL
  functions svc-enabled
  svc address-pool "SSL-VPN" netmask 255.255.255.0
  svc split include 10.0.0.0 255.255.255.0
default-group-policy Panzer-SSL
!

My question is:

** How can I force the client to push all traffic (including internet) through AnyConnect? At the moment I have only managed to make it work with split tunneling, and as soon as I remove "svc split include 10.0.0.0 255.255.255.0" it stops working.

I also tried removing "functions svc-enabled" to stop split tunneling, but again the client can't log in.


Should I create an ACL?

 

Any thoughts?

 

Thanks
Samy

7 Replies

Philip D'Ath
VIP Alumni

That should work. Perhaps try the extreme:

 

svc split include 0.0.0.0 0.0.0.0

Thanks Philip for coming back,

 

I removed the svc split include 10.0.0.0 and instead added
svc split include 0.0.0.0 0.0.0.0
svc dns-server primary 8.8.8.8

The route received by my anyconnect client changed to 0.0.0.0 (as expected) but my machine can't hit anywhere outside of the local network :(

In the AnyConnect config I used a virtual-template cloning the int vlan1 IP (int VLAN 1 is the actual gateway for devices connected to the router).

When I traceroute from the AnyConnect client after changing the config, I hit int vlan1 as the first hop and then get blackholed there. Am I missing anything?

 

Here is my config:

webvpn gateway Panzer-Gateway
 ip interface Dialer0 port 443
 ssl trustpoint SSL-VPN
 inservice
!
webvpn context Panzer-SSL
 !
 acl "Panzer-SSL"
   permit ip any any
 virtual-template 1
 aaa authentication list SSL-VPN
 gateway Panzer-Gateway
 !
 ssl authenticate verify all
 inservice
 !
 policy group Panzer-SSL
   acl "Panzer-SSL"
   functions svc-enabled
   svc address-pool "SSL-VPN" netmask 255.255.255.0
   svc dns-server primary 8.8.8.8
 default-group-policy Panzer-SSL


Thanks
Samy

You need a NAT rule for the VPN clients to be assigned a public IP address for their Internet-bound traffic.


@Marvin Rhoads wrote:

You need a NAT rule for the VPN clients to be assigned a public IP address for their Internet-bound traffic.


Thanks Marvin,

 

I have carved out, for example, 10.0.0.100-110 for VPN clients; 10.0.0.0/24 is the local LAN range on the router, which already has a NAT rule.

My assumption is the router will treat the AnyConnect client the same as a locally connected 10.0.0.x/24 host, since it's in the same subnet.

 

Should I create a separate subnet and separate NAT rule?

Hey,

 

You need an outside-to-outside NAT rule.

 

nat (outside,outside) source dynamic vpn-pool interface

 

However, make sure it's below the NAT exempt statement on your ASA that is being used by your AnyConnect clients to access the internal network.

 

 

Regards

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question


@shgrover wrote:

Hey,

You need an outside-to-outside NAT rule.

nat (outside,outside) source dynamic vpn-pool interface

However, make sure it's below the NAT exempt statement on your ASA that is being used by your AnyConnect clients to access the internal network.

Regards

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question


Hi Shikha,

 

Thanks, but I'm doing it on a 2921 router and not an ASA.

Do I need a specific NAT rule for IOS, although the AnyConnect IP falls under the inside NATed IP range?

 

I have attached the config to my original message as well if you need to check it.

 

 

Cheers

Samy

Your challenge is known as "hairpinning".

Please see this article which describes the challenge and provides a solution:

https://packetu.com/2012/06/26/nat-vpns-and-hairpinning-internet-traffic-in-ios/
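As an added example (not Samy's configuration and not the contents of the linked article), this is the interface and NAT shape the standard IOS NAT model requires for client traffic that enters on Dialer0, is decapsulated on the Virtual-Template and must leave again on Dialer0 (the hairpin). It assumes Dialer0 is the Internet-facing interface, Vlan1 is the LAN gateway, the pool is carved out of 10.0.0.0/24 as described above, and NAT-LAN is a placeholder ACL name.

```cisco
! Added example, not a running config from this thread. Assumptions:
! Dialer0 faces the Internet, Vlan1 is the LAN gateway, the SSL-VPN pool
! sits inside 10.0.0.0/24, and NAT-LAN is a placeholder ACL name.
!
! 1. ip unnumbered borrows Vlan1's address but NOT its NAT role, so the
!    decapsulated client traffic arriving on the Virtual-Template is only
!    classified as "inside" if this interface is marked itself.
interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
!
! 2. Dialer0 is the outside interface. It also terminates the SSL VPN on
!    port 443, so client traffic enters and leaves through it.
interface Dialer0
 ip nat outside
!
! 3. The NAT ACL must match the pool addresses. With the pool inside
!    10.0.0.0/24 the existing LAN line already covers it; a pool in its own
!    subnet would need its own permit line here.
ip access-list extended NAT-LAN
 permit ip 10.0.0.0 0.0.0.255 any
!
ip nat inside source list NAT-LAN interface Dialer0 overload
!
ip local pool SSL-VPN 10.0.0.100 10.0.0.110
!
! 4. Full tunnel: with no "svc split include", the SVC tunnels all traffic,
!    so only the LAN-to-VPN path stays inside-to-inside and untranslated.
webvpn context Panzer-SSL
 policy group Panzer-SSL
   functions svc-enabled
   svc address-pool "SSL-VPN" netmask 255.255.255.0
   svc dns-server primary 8.8.8.8
 default-group-policy Panzer-SSL
```

After applying, "show ip nat translations" while a client browses should list entries whose inside local address is from the pool; if it does not, the Virtual-Template is not being treated as a NAT inside interface.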
