Allow a users to access one IP when splittunneling via anyconnect

PacketSpartan · ‎09-27-2023

We have Anyconnect setup with Split tunneling, we send all RFC1918 addresses to the headend to ensure user is not able to access any local resources. (to black hole the traffic)

We need to setup anyconnect in a way where we can allow access to one local ip within the local user's subnet. We've tried denying a /32 ip on the split tunnel ACL but has not worked. We have allowed 192.16.0.0/16 and denied 192.168.0.15 (at top of the list), since we have /16 we're not able to deny 192.168.0.15. However when we remove the /16 the /32 ip appears in the anyconnect route section.

Has anyone achieved achied this, We'd like to send all traffic to the headend except for 1 ip (printer) without allowing access to the whole subnet

CCNA R&S

MHM Cisco World · ‎09-27-2023

Config split allow subnet

Then config vpn-filter deny this specific host

PacketSpartan · ‎09-27-2023

We denied the /32 and put it at the top fo the ACL, but it didnt work.

CCNA R&S

MHM Cisco World · ‎09-27-2023

You denied host IP in split acl you need to denied host IP in VPN-filter acl.

PacketSpartan · ‎09-28-2023

This also doesnt work, (just tested it)

CCNA R&S

MHM Cisco World · ‎09-28-2023

Share last config you usr

PacketSpartan · ‎10-11-2023

Apologies for the delay, we decided to split up the 192.168.0.0/16 into 192.168.0.1-192.168.0.255 as individual entries and 192.168.1.0-192.168.255.0 as individual entries. with one of the ip as a deny (this will provide local access)

CCNA R&S

Deo_Heo · ‎09-28-2023

You can use IP ranges instead of an IP network in the Split ACL.

Maybe this will help.