09-27-2023 04:29 AM
We have AnyConnect set up with split tunneling; we send all RFC1918 addresses to the headend to ensure the user is not able to access any local resources (to black-hole the traffic).
We need to set up AnyConnect in a way where we can allow access to one local IP within the local user's subnet. We've tried denying a /32 IP on the split tunnel ACL, but it has not worked. We have allowed 192.168.0.0/16 and denied 192.168.0.15 (at the top of the list); since we have the /16, we're not able to deny 192.168.0.15. However, when we remove the /16, the /32 IP appears in the AnyConnect route section.
Has anyone achieved this? We'd like to send all traffic to the headend except for one IP (a printer) without allowing access to the whole subnet.
09-27-2023 04:31 AM
Config split to allow the subnet.
Then config vpn-filter to deny this specific host.
09-27-2023 04:35 AM
We denied the /32 and put it at the top of the ACL, but it didn't work.
09-27-2023 04:36 AM
You denied the host IP in the split ACL; you need to deny the host IP in the VPN-filter ACL.
09-28-2023 01:58 AM
This also doesn't work (just tested it).
09-28-2023 02:43 AM
Share the last config you used.
10-11-2023 04:04 PM - edited 10-11-2023 04:05 PM
Apologies for the delay. We decided to split up 192.168.0.0/16 into 192.168.0.1-192.168.0.255 as individual entries and 192.168.1.0-192.168.255.0 as individual entries, with one of the IPs as a deny (this will provide local access).
09-28-2023 02:23 AM
You can use IP ranges instead of an IP network in the Split ACL.
Maybe this will help.
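As an added example (not code from any poster in this thread), the following Python computes the smallest set of prefixes that cover 192.168.0.0/16 while leaving out the printer's /32, and renders them as ASA standard ACL entries for the split-tunnel list; the ACL name SPLIT_TUNNEL is a placeholder. It goes beyond the thread's per-address entries by excluding any number of hosts with a minimal prefix list, so the only local address not pushed as a tunneled route is the one you intend.

```python
import ipaddress


def split_tunnel_cover(include_net, exclude_hosts):
    """Return the minimal sorted list of prefixes equal to include_net minus the given hosts.

    Hosts outside include_net are ignored; each excluded host splits the
    prefix that contains it into its complementary subnets (address_exclude).
    """
    remaining = [ipaddress.ip_network(include_net)]
    for host in exclude_hosts:
        host_net = ipaddress.ip_network(host + "/32")
        next_remaining = []
        for net in remaining:
            if host_net.subnet_of(net):
                next_remaining.extend(net.address_exclude(host_net))
            else:
                next_remaining.append(net)
        remaining = next_remaining
    return sorted(remaining)


def is_tunneled(address, nets):
    """True if address falls inside any of the permitted split-tunnel prefixes."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in nets)


def asa_acl_lines(acl_name, include_net, exclude_hosts):
    """Render the cover as ASA standard ACL permit entries (name is a placeholder)."""
    return [
        "access-list %s standard permit %s %s" % (acl_name, net.network_address, net.netmask)
        for net in split_tunnel_cover(include_net, exclude_hosts)
    ]


if __name__ == "__main__":
    # Constructed sample: the thread's /16 with the printer at 192.168.0.15 excluded.
    for line in asa_acl_lines("SPLIT_TUNNEL", "192.168.0.0/16", ["192.168.0.15"]):
        print(line)
```

The /16 minus one host comes out as 16 entries (/17 down to /32) instead of several hundred per-address lines, and the printer's address is the only one not covered.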