
AnyConnect split tunnelling with FQDNs possible?

Hi,

We use the split tunnel feature on our corporate AnyConnect VPN. Users get to servers over the VPN and internet access is pushed out to their local internet apart from certain websites.

We have a hosted website in AWS that is locked down to the public IP address of our ASA’s public outside IP (same IP the AnyConnect uses), so when you connect to the VPN you can’t access it, as the traffic is pushed out via their local internet and, as the public IP is not on the AWS allowed list, it gets blocked. So what I have done is grab the FQDN and run an nslookup against it, which gave me many IPs that I added to the split tunnel policy, and now users can access the site as it’s pushed over the VPN and back out to the internet using the ASA’s public IP, which is on the allowed AWS access list.

The problem I have is AWS does change its public IPs behind our FQDN and when they do users can’t connect to the website, so I have to keep adding the new IP addresses. I’ve started using class C subnets, which helps; to my surprise class B subnets didn’t work.

Anyway, is there a way to get FQDNs working over the split tunnel so I don’t have to bother doing these FQDN lookups manually and amending the ACL assigned to the split tunnel?

Thanks
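A check for the drift the post describes (DNS answers moving out from under a static split-tunnel ACL), added here as example code that is not from the thread, Cisco or the original poster. The ACL name SPLIT-TUNNEL and every address below are constructed samples; resolve_fqdn() is a hypothetical helper for the manual nslookup step and is not used by the offline sample.

```python
"""Compare the IPs currently behind an FQDN with what an ASA split-tunnel standard
ACL permits, and emit the ACL lines that would close the gap."""
import ipaddress
import socket
from typing import Iterable

ACL_NAME = "SPLIT-TUNNEL"  # assumed name of the standard ACL the group policy uses


def resolve_fqdn(fqdn: str) -> list[str]:
    """A records currently behind fqdn (the nslookup step the post does by hand)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, 443, socket.AF_INET)})


def uncovered_addresses(resolved: Iterable[str], acl_networks: Iterable[str]) -> list[str]:
    """IPs from the DNS answer that no entry in the split-tunnel ACL matches."""
    nets = [ipaddress.ip_network(n, strict=False) for n in acl_networks]
    return [ip for ip in resolved
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


def acl_lines_for(addresses: Iterable[str], prefix: int = 24) -> list[str]:
    """ASA standard-ACL lines covering the given IPs, aggregated to /prefix blocks
    (the class C approach the post uses), with overlapping blocks collapsed."""
    blocks = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in addresses}
    return [f"access-list {ACL_NAME} standard permit {b.network_address} {b.netmask}"
            for b in sorted(ipaddress.collapse_addresses(blocks))]


def split_tunnel_drift(resolved: Iterable[str], acl_networks: Iterable[str],
                       prefix: int = 24) -> tuple[list[str], list[str]]:
    """Return (IPs not yet tunnelled, ACL lines that would tunnel them)."""
    missing = uncovered_addresses(resolved, acl_networks)
    return missing, acl_lines_for(missing, prefix)


# Constructed sample: what the ACL permits today and what DNS answers today.
CURRENT_ACL = ["198.51.100.0/24", "203.0.113.10/32"]
TODAYS_ANSWER = ["198.51.100.7", "203.0.113.10", "203.0.113.55",
                 "192.0.2.130", "192.0.2.200"]

if __name__ == "__main__":
    missing, lines = split_tunnel_drift(TODAYS_ANSWER, CURRENT_ACL)
    print("not covered by split tunnel:", missing)
    print("\n".join(lines))
```

Aggregating to /24 tunnels every host in those blocks, not only the site's, so review the emitted lines before applying them.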

2 REPLIES

Re: AnyConnect split tunnelling with FQDNs possible?

Hi,

I know this exists for creating firewall ACL rules using FQDNs instead of IPs configured in network objects.

Never tried it in ACLs used for split tunneling.

Check this link, please try it and share the result.

https://community.cisco.com/t5/security-documents/using-hostnames-dns-in-access-lists-configuration-steps-caveats/ta-p/3123480

Please rate if helpful by clicking on the star below


@Andrew White wrote:

Hi,

We use the split tunnel feature on our corporate AnyConnect VPN. Users get to servers over the VPN and internet access is pushed out to their local internet apart from certain websites.

We have a hosted website in AWS that is locked down to the public IP address of our ASA’s public outside IP (same IP the AnyConnect uses), so when you connect to the VPN you can’t access it, as the traffic is pushed out via their local internet and, as the public IP is not on the AWS allowed list, it gets blocked. So what I have done is grab the FQDN and run an nslookup against it, which gave me many IPs that I added to the split tunnel policy, and now users can access the site as it’s pushed over the VPN and back out to the internet using the ASA’s public IP, which is on the allowed AWS access list.

The problem I have is AWS does change its public IPs behind our FQDN and when they do users can’t connect to the website, so I have to keep adding the new IP addresses. I’ve started using class C subnets, which helps; to my surprise class B subnets didn’t work.

Anyway, is there a way to get FQDNs working over the split tunnel so I don’t have to bother doing these FQDN lookups manually and amending the ACL assigned to the split tunnel?

Thanks

Contributor

Re: AnyConnect split tunnelling with FQDNs possible?