6912 Views, 5 Helpful, 3 Replies

AnyConnect split tunnelling with FQDNs possible?

Andrew White (Level 2)

Hi,

We use the split tunnel feature on our corporate AnyConnect VPN. Users get to servers over the VPN, and Internet access is pushed out to their local Internet apart from certain websites.

We have a hosted website in AWS that is locked down to the public IP address of our ASA's outside interface (the same IP the AnyConnect users come from), so when you connect to the VPN you can't access it: the traffic is pushed out via the user's local Internet, and as that public IP is not on the AWS allow list it gets blocked. So what I have done is grab the FQDN and run an nslookup against it, which gave me many IPs that I added to the split tunnel policy. Now users can access the site as it's pushed over the VPN and back out to the Internet using the ASA's public IP, which is on the AWS allow list.

The problem I have is that AWS does change the public IPs behind our FQDN, and when they do users can't connect to the website, so I have to keep adding the new IP addresses. I've started using class C subnets, which helps; to my surprise, class B subnets didn't work.

Anyway, is there a way to get FQDNs working over the split tunnel so I don't have to bother doing these FQDN lookups manually and amending the ACL assigned to the split tunnel?

Thanks
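The manual loop described in the question (resolve the FQDN, add the answers to the split-tunnel ACL, repeat when AWS rotates addresses) can at least be scripted and checked on a schedule. The block below is an added example and is not code from the thread or from Cisco: it resolves hostnames, renders ASA standard ACL lines for either /32 hosts or the /24 ("class C") aggregation the question mentions, and reports which current DNS answers the existing ACL no longer covers. The ACL name SPLIT-TUNNEL, the hostname portal.example.com and the addresses in SAMPLE_ANSWERS are made up so the example runs offline; swap in the default resolver for real lookups.

```python
"""Generate and re-check ASA split-tunnel ACL entries from resolved FQDNs.

Added example, not code from the thread. The ACL name SPLIT-TUNNEL, the
hostname portal.example.com and the addresses in SAMPLE_ANSWERS are made up.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

Resolver = Callable[[str], List[str]]


def resolve_a_records(fqdn: str) -> List[str]:
    """Default resolver: every IPv4 answer the local stub resolver returns for one query."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def split_tunnel_networks(fqdns: Iterable[str], resolver: Resolver = resolve_a_records,
                          aggregate_prefix: Optional[int] = None) -> List[ipaddress.IPv4Network]:
    """Resolve each FQDN and return the networks to permit in the split-tunnel ACL.

    aggregate_prefix=None keeps each answer as a /32 host; 24 widens it to its /24
    (the "class C" approach from the question). Widening is a trade-off: it survives
    AWS rotating addresses inside the block, but every other tenant in that /24 is
    then hairpinned through the ASA as well.
    """
    prefix = 32 if aggregate_prefix is None else aggregate_prefix
    nets = set()
    for fqdn in fqdns:
        for ip in resolver(fqdn):
            nets.add(ipaddress.IPv4Network((ipaddress.IPv4Address(ip), prefix), strict=False))
    return sorted(nets)


def asa_acl_lines(acl_name: str, nets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Render networks as ASA standard ACL lines (split-tunnel network lists are standard ACLs)."""
    lines = []
    for net in nets:
        if net.prefixlen == 32:
            lines.append(f"access-list {acl_name} standard permit host {net.network_address}")
        else:
            lines.append(f"access-list {acl_name} standard permit {net.network_address} {net.netmask}")
    return lines


def parse_acl_line(line: str) -> Optional[ipaddress.IPv4Network]:
    """Parse 'access-list NAME standard permit host A' or '... permit NET MASK'; None otherwise."""
    parts = line.split()
    if len(parts) < 6 or parts[0] != "access-list" or parts[2:4] != ["standard", "permit"]:
        return None
    if parts[4] == "host":
        return ipaddress.IPv4Network(f"{parts[5]}/32")
    return ipaddress.IPv4Network(f"{parts[4]}/{parts[5]}", strict=False)


def uncovered_addresses(fqdns: Iterable[str], existing_acl: Iterable[str],
                        resolver: Resolver = resolve_a_records) -> List[str]:
    """Current answers for the FQDNs that no line of the existing ACL covers.

    Run on a schedule: a non-empty result means the site has moved to an address the
    ACL does not send down the tunnel, so users reach it from their local Internet and
    the AWS allow list rejects them.
    """
    covered = [n for n in map(parse_acl_line, existing_acl) if n is not None]
    missing = set()
    for fqdn in fqdns:
        for ip in resolver(fqdn):
            if not any(ipaddress.IPv4Address(ip) in net for net in covered):
                missing.add(ip)
    return sorted(missing)


# Constructed DNS answers so the example runs offline; not real AWS addresses.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "portal.example.com": ["203.0.113.10", "203.0.113.75", "198.51.100.20"],
}


def sample_resolver(fqdn: str) -> List[str]:
    """Offline stand-in for resolve_a_records, backed by SAMPLE_ANSWERS."""
    return SAMPLE_ANSWERS.get(fqdn, [])


if __name__ == "__main__":
    hosts = ["portal.example.com"]
    current_acl = ["access-list SPLIT-TUNNEL standard permit host 203.0.113.10"]
    print("not covered by current ACL:", uncovered_addresses(hosts, current_acl, sample_resolver))
    for line in asa_acl_lines("SPLIT-TUNNEL", split_tunnel_networks(hosts, sample_resolver, 24)):
        print(line)
```

A single lookup only returns the subset of addresses the authoritative server happens to hand out at that moment, so run the check several times a day and merge the answers before editing the ACL; also remember that whatever lands in the list is hairpinned out through the ASA's public IP, which is exactly why the aggregation width should stay as narrow as the rotation allows.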

3 Replies

bern81 (Level 1)

Hi,

I know this exists for creating firewall ACL rules using FQDNs instead of IPs configured in network objects.

Never tried it in ACLs used for split tunnelling.

Check this link, please try it and share the result:

https://community.cisco.com/t5/security-documents/using-hostnames-dns-in-access-lists-configuration-steps-caveats/ta-p/3123480

Please rate if helpful by clicking on the star below.



BOG (Level 1)

Yes, you can use a custom attribute for split tunnelling.

Example:

ASA(config)# webvpn
ASA(config-webvpn)# anyconnect-custom-attr dynamic-split-exclude-domains description dynamic-split-exclude-domains
ASA(config-webvpn)# exit
! the data name (SKYPE here) must match the name referenced from the group policy below
ASA(config)# anyconnect-custom-data dynamic-split-exclude-domains SKYPE skype.com,lync.com
ASA(config)# group-policy ASHES-VPN attributes
! traffic to these domains is excluded from the tunnel and sent out the client's local Internet
ASA(config-group-policy)# anyconnect-custom dynamic-split-exclude-domains value SKYPE
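The reply above shows the exclude direction of dynamic split tunnelling, which sends matching domains out the local Internet. What the question needs is the opposite: addresses behind an FQDN pulled into the tunnel so they leave via the ASA's public IP. The fragment below is an added example, not part of BOG's reply or Cisco's documentation; it assumes an ASA and AnyConnect release that support the dynamic-split-include-domains custom attribute (check the release notes for your versions), and the names GP-SPLIT, SPLIT-TUNNEL, AWS-PORTAL and portal.example.com are made up.

```text
! Added example; names are made up. Assumes an ASA/AnyConnect pair that supports
! the dynamic-split-include-domains custom attribute.
webvpn
 anyconnect-custom-attr dynamic-split-include-domains description dynamic-split-include-domains
!
! domains whose resolved addresses the client should route into the tunnel
anyconnect-custom-data dynamic-split-include-domains AWS-PORTAL portal.example.com
!
! the static split-tunnel ACL stays in place; the dynamic include list is layered on top of it
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
group-policy GP-SPLIT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 anyconnect-custom dynamic-split-include-domains value AWS-PORTAL
```

Two caveats a practitioner should keep in mind. The decision is made on the client: AnyConnect watches the DNS answers the endpoint receives for the listed domains and adds those addresses to the tunnel, so the ASA never needs the IP list, but it also means any address that resolves under that domain on the client is hairpinned out through the ASA's public IP; keep the list to the exact hosts the AWS allow list is meant to serve rather than a whole parent domain. And the hairpin itself still depends on the existing ASA setup that already works for the static entries (VPN traffic permitted back out the outside interface and NAT for the VPN pool), which this fragment does not change.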

 
