Split tunnel for AnyConnect

We currently have AnyConnect configured and it's working fine.  I need to add a new VPN connection for users and I need to force all traffic for this connection to go through the tunnel for security.  I need to make sure I don't break the existing setup.  

Any help would be appreciated.

Here is the portion of the config that matters for this.

ip local pool Cpool 10.60.254.3-10.60.254.252 mask 255.255.255.0
ip local pool Restrictpool 10.60.255.0-10.60.255.252 mask 255.255.255.0

object network obj-10.0.0.0
subnet 10.0.0.0 255.0.0.0
object network obj_any
subnet 0.0.0.0 0.0.0.0


object-group network Cnets
network-object 10.10.0.0 255.255.0.0
network-object 10.60.0.0 255.255.0.0

object-group network I_RestrictBlocks
network-object 10.90.30.0 255.255.255.0
network-object 10.90.31.0 255.255.255.0

object-group network I_RestrictAllows
network-object 10.10.0.0 255.255.0.0
network-object 10.60.0.0 255.255.0.0

access-list outside_access_in extended permit icmp any4 any4
access-list inside_access_out extended permit ip any4 any4

access-list nonat extended permit ip object-group Cnets object-group Cnets
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 object-group Cnets
access-list nonat extended permit ip 10.60.0.0 255.255.0.0 object-group Cnets
access-list nonat extended permit ip 10.90.0.0 255.255.0.0 object-group Cnets
access-list nonat extended permit ip object-group Cnets 10.10.0.0 255.255.0.0
access-list nonat extended permit ip object-group Cnets 10.60.0.0 255.255.0.0
access-list nonat extended permit ip object-group Cnets 10.90.0.0 255.255.0.0

access-list SPLIT_ACL extended permit ip 10.10.0.0 255.255.0.0 object-group Cnets
access-list SPLIT_ACL extended permit ip 10.60.0.0 255.255.0.0 object-group Cnets
access-list SPLIT_ACL extended permit ip 10.90.0.0 255.255.0.0 object-group Cnets
access-list SPLIT_ACL extended permit ip object-group Cnets 10.10.0.0 255.255.0.0
access-list SPLIT_ACL extended permit ip object-group Cnets 10.60.0.0 255.255.0.0
access-list SPLIT_ACL extended permit ip object-group Cnets 10.90.0.0 255.255.0.0

access-list I_Restrict extended deny ip 10.60.255.0 255.255.255.0 object-group I_RestrictBlocks
access-list I_Restrict extended permit ip 10.60.255.0 255.255.255.0 object-group I_RestrictAllows
access-list CA_Trip_NOSplit extended permit ip 10.60.254.0 255.255.255.0 any

nat (inside,outside) source static Cnets Cnets destination static Cnets Cnets


group-policy CAtrip internal
group-policy CAtrip attributes
wins-server none
dns-server value 10.10.30.2 10.10.30.1
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CA_Trip_NOSplit
default-domain value research.com
group-policy DfltGrpPolicy attributes
dns-server value 10.10.30.2 10.10.30.1
vpn-idle-timeout 120
vpn-session-timeout 600
vpn-session-timeout alert-interval 30
vpn-filter value SPLIT_ACL
vpn-tunnel-protocol ssl-client ssl-clientless
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_ACL
default-domain value research.com
split-dns value research.com
client-bypass-protocol enable
address-pools value Cpool

VIP Advisor

Re: Split tunnel for AnyConnect

Hi

What do you mean by all traffic? Do you include all internet traffic as well?

If that's the case, just configure your group policy with a full tunnel instead of specifying an acl for split tunneling.

The command would be: split-tunnel-policy tunnelall


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Hall of Fame Master

Re: Split tunnel for AnyConnect

@Francesco Molino we would also need to add a "nat (outside,outside)" rule if we go from split tunnel to no split tunnel so that addresses of the remote clients get NATted to a public IP address when they go out to the Internet.

VIP Advisor

Re: Split tunnel for AnyConnect

@Marvin Rhoads Yes, sure, it will be needed.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Re: Split tunnel for AnyConnect

I have done as you suggested and the VPN traffic going to my internal networks is working well, but the internet-bound traffic is not working now. Meaning, when someone connects to the VPN, they can't get to the internet. I think I am missing something, but I am not sure what.

Here is what the config looks like now.

I can have a constant ping on the remote machine pinging an internal IP and 8.8.8.8. When it connects to the VPN the internal IP starts replying and the 8.8.8.8 stops replying.

Thanks for your help!

ip local pool CATrip 10.65.254.1-10.65.254.253 mask 255.255.255.0
ip local pool Restrictpool 10.60.255.0-10.60.255.252 mask 255.255.255.0

object network obj-10.0.0.0
subnet 10.0.0.0 255.0.0.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-10.65.254.0-vpn
subnet 10.65.254.0 255.255.255.0

object-group network Cnets
network-object 10.10.0.0 255.255.0.0
network-object 10.60.0.0 255.255.0.0
network-object 10.65.0.0 255.255.0.0

object-group network I_RestrictBlocks
network-object 10.90.30.0 255.255.255.0
network-object 10.90.31.0 255.255.255.0

object-group network I_RestrictAllows
network-object 10.10.0.0 255.255.0.0
network-object 10.60.0.0 255.255.0.0

access-list outside_access_in extended permit icmp any4 any4
access-list inside_access_out extended permit ip any4 any4

access-list nonat extended permit ip object-group Cnets object-group Cnets
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 object-group Cnets
access-list nonat extended permit ip 10.60.0.0 255.255.0.0 object-group Cnets
access-list nonat extended permit ip 10.65.0.0 255.255.0.0 object-group Cnets
access-list nonat extended permit ip 10.90.0.0 255.255.0.0 object-group Cnets
access-list nonat extended permit ip object-group Cnets 10.10.0.0 255.255.0.0
access-list nonat extended permit ip object-group Cnets 10.60.0.0 255.255.0.0
access-list nonat extended permit ip object-group Cnets 10.65.0.0 255.255.0.0
access-list nonat extended permit ip object-group Cnets 10.90.0.0 255.255.0.0

access-list SPLIT_ACL extended permit ip 10.10.0.0 255.255.0.0 object-group Cnets
access-list SPLIT_ACL extended permit ip 10.60.0.0 255.255.0.0 object-group Cnets
access-list SPLIT_ACL extended permit ip 10.65.0.0 255.255.0.0 object-group Cnets
access-list SPLIT_ACL extended permit ip 10.90.0.0 255.255.0.0 object-group Cnets

access-list SPLIT_ACL extended permit ip object-group Cnets 10.10.0.0 255.255.0.0
access-list SPLIT_ACL extended permit ip object-group Cnets 10.60.0.0 255.255.0.0
access-list SPLIT_ACL extended permit ip object-group Cnets 10.65.0.0 255.255.0.0
access-list SPLIT_ACL extended permit ip object-group Cnets 10.90.0.0 255.255.0.0

access-list I_Restrict extended deny ip 10.60.255.0 255.255.255.0 object-group I_RestrictBlocks
access-list I_Restrict extended permit ip 10.60.255.0 255.255.255.0 object-group I_RestrictAllows

nat (inside,outside) source static Cnets Cnets destination static Cnets Cnets
nat (outside,inside) source static obj-10.65.254.0-vpn obj-10.65.254.0-vpn
nat (outside,outside) source dynamic obj-10.65.254.0-vpn interface


group-policy CAtrip internal
group-policy CAtrip attributes
wins-server none
dns-server value 10.10.30.2 10.10.30.1
vpn-tunnel-protocol ikev2 ssl-client
address-pools value CATrip
split-tunnel-policy tunnelall
default-domain value research.com
group-policy DfltGrpPolicy attributes
dns-server value 10.10.30.2 10.10.30.1
vpn-idle-timeout 120
vpn-session-timeout 600
vpn-session-timeout alert-interval 30
vpn-filter value SPLIT_ACL
vpn-tunnel-protocol ssl-client ssl-clientless
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_ACL
default-domain value research.com
split-dns value research.com
client-bypass-protocol enable
address-pools value Cpool
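As an added check, not part of the thread and not Cisco tooling: a small Python audit of the posted manual NAT rules. It looks for the nat (outside,outside) hairpin PAT rule Marvin mentions, for the ASA's same-security-traffic permit intra-interface command that hairpinning also requires (the thread does not mention it), and for an earlier identity rule that matches the pool with no destination clause and is therefore evaluated first for Internet-bound packets. The object names come from the posted config; the FIXED variant is an assumed correction, not the poster's.

```python
import re

# Constructed excerpt: the three manual NAT rules from the second config in the thread.
POSTED = """
nat (inside,outside) source static Cnets Cnets destination static Cnets Cnets
nat (outside,inside) source static obj-10.65.254.0-vpn obj-10.65.254.0-vpn
nat (outside,outside) source dynamic obj-10.65.254.0-vpn interface
"""

# Assumed correction: hairpinning permitted and the identity rule scoped to internal destinations.
FIXED = """
same-security-traffic permit intra-interface
nat (inside,outside) source static Cnets Cnets destination static Cnets Cnets
nat (outside,inside) source static obj-10.65.254.0-vpn obj-10.65.254.0-vpn destination static Cnets Cnets
nat (outside,outside) source dynamic obj-10.65.254.0-vpn interface
"""

NAT_RE = re.compile(
    r"^nat \((?P<ingress>\w+),(?P<egress>\w+)\) source (?P<kind>static|dynamic) "
    r"(?P<real>\S+) (?P<mapped>\S+)(?P<dest> destination static \S+ \S+)?"
)

def audit_hairpin(config: str, pool_obj: str, wan: str = "outside") -> list:
    """Findings for VPN clients in `pool_obj` that must reach the Internet back out `wan`.
    Object names are compared literally; object-group membership is not resolved."""
    findings, rules, hairpin = [], [], False
    for line in config.splitlines():
        line = line.strip()
        if line == "same-security-traffic permit intra-interface":
            hairpin = True
        m = NAT_RE.match(line)
        if m:
            rules.append(m.groupdict())  # manual NAT rules keep their configured order
    if not hairpin:
        findings.append("missing: same-security-traffic permit intra-interface")
    for idx, r in enumerate(rules):
        if (r["real"], r["ingress"], r["egress"], r["kind"], r["mapped"]) == \
           (pool_obj, wan, wan, "dynamic", "interface"):
            break  # hairpin PAT rule found; anything above it is evaluated first
    else:
        findings.append(f"missing: nat ({wan},{wan}) source dynamic {pool_obj} interface")
        return findings
    for r in rules[:idx]:
        # An earlier identity rule for the pool with no destination clause matches every
        # destination, so Internet-bound packets take its egress interface instead of wan.
        if r["real"] == pool_obj and r["ingress"] == wan and r["dest"] is None:
            findings.append(f"shadowed: nat ({r['ingress']},{r['egress']}) identity rule for "
                            f"{pool_obj} has no destination; add one or reorder it")
    return findings
```

Run audit_hairpin(POSTED, "obj-10.65.254.0-vpn") against the posted rules and it reports both the missing intra-interface permit and the shadowing identity rule; the FIXED rules produce no findings.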