Anyconnect Dynamic Split Include Tunneling

GoncaloContente
Level 1

Hi,

When configuring split tunnel on the ASA, an ACL must be configured to filter which subnets will be allowed over the VPN tunnel. This is fine when internal networks are RFC 1918 compliant; however, in some cases I have seen companies using public IP addressing internally that is not owned by the company, which causes IP overlapping when deploying split tunnel VPNs.

In order to overcome these issues, there is a feature called Dynamic Split Include Tunneling, which is configured as an AnyConnect custom attribute and uses FQDNs instead of IPs when filtering the traffic that goes over the VPN.

I am wondering if split tunnel can be configured using only AnyConnect custom attributes, or if IP subnetworks still need to be defined in the split tunnel section of the group policy?

TIA

9 Replies

I dug into this but could not find the answer you are looking for, but I found this link that might help you out: https://woland.com/2020/03/30/dynamic-split-tunneling-a-covid-19-best-practice/

please do not forget to rate.

zinedinzidane
Level 1

Hello,

I am in the same situation. I can't get Dynamic Split Include working via ASDM on the ASA. Despite having added the attribute names in the group policy and adding a standard ACL, the AnyConnect statistics section shows NONE for Dynamic Split Inclusion.

No problem with Dynamic Split Exclude, on the other hand. That works.

Can someone help me please, I'm pulling my hair out!!!

Thanks again


GoncaloContente
Level 1

Hi all,

 

After much digging around, and to answer the original post: Dynamic Split Include Tunneling requires at least one IP network or host to be configured under the Group Policy > Split Tunneling section.

There is a very helpful guide here, written in detail, which I think can help many of you:

https://community.cisco.com/t5/security-documents/anyconnect-split-tunneling-local-lan-access-split-tunneling/ta-p/4050866#toc-hId-2104773214 

 

Happy VPN Tunneling

Hi,

 

Thanks, but it doesn't work for me when following your procedure for dynamic split include via group policies :( But why, in this procedure, does he do the exclude on the attribute name in the group policy? Is that a mistake, no?

 

Dynamic Tunnel Inclusion displays "none" in the statistics.

 

ASA: 9.8(4)

ASDM Version: 7.12(2)

Device type: Firepower 2110

AnyConnect: 4.9.04043

 

Can you help me please? My config file is attached.

Many thanks

 

Salut Zidane

From your attachment I assume that you are missing some configuration for the dynamic split include tunnel to work properly: you have not specified the internal domains that should go over the tunnel.

To specify the domains go to:

[screenshot: Captura111.PNG]

Once in this section, click on the ADD button and in the Type field select the IncludeAzure attribute you created previously.

[screenshot: Captura1111.PNG]

Then click on the Add button to add the domains you wish to split include. Once all this configuration is done, you can attach it to the group policy like you did.

All this configuration can be done through the CLI as well, and in my opinion it is actually simpler:

ASA(config)# webvpn
ASA(config-webvpn)# anyconnect-custom-attr IncludeAzure description tunnel-traffic-to-Azure
ASA(config-webvpn)# exit
ASA(config)# anyconnect-custom-data IncludeAzure azure-domains azure.micro.com,azure.soft.com   [the domains must be separated by a comma or a space, not sure which now]
ASA(config)# group-policy [your-group-policy] attributes
ASA(config-group-policy)# anyconnect-custom dynamic-split-include-domains value azure-domains

 

If you still need help, please post your CLI config related to split tunnel include.

Good Luck

 

 

Hi,

 

It doesn't work.

 

I have:

anyconnect-custom-attr IncludeAzure description Dynamic_Include
anyconnect-custom-data IncludeAzure Include domain.fr

 group-lock value TEST
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IP_TEST
 default-domain value domain.com
 split-tunnel-all-dns disable
 anyconnect-custom IncludeAzure value Include
 webvpn
  html-content-filter none
  anyconnect ask none default webvpn

 

 

Hi Zidane,

 

I am not sure, but I think the anyconnect-custom-attr must be dynamic-split-include-domains instead of IncludeAzure; this is what is described in the official doc and it is the attribute type I used in my setup. Try changing the attribute type according to the official doc. You can find more information at the following URL:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/asdm713/vpn/asdm-713-vpn-config/vpn-asdm-setup.html#task_i2g_234_sbb 

 

HTH
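Added example, not from this thread and not Cisco's code: a small Python checker that parses an ASA running-config excerpt and flags the two prerequisites the thread settled on, the custom attribute type having to be dynamic-split-include-domains (the reply above) and the group policy needing at least one network in its split-tunnel-network-list (GoncaloContente's earlier answer). The three sample configs inside it are constructed for the example; the group policy name, the ACL host 10.0.0.1 and the domain names are placeholders.

```python
# Lint an ASA config excerpt for the dynamic split include prerequisites raised in the
# thread: the custom attribute type must be dynamic-split-include-domains and the group
# policy must carry at least one network in its split-tunnel ACL.
INCLUDE_TYPE = "dynamic-split-include-domains"
EXCLUDE_TYPE = "dynamic-split-exclude-domains"

# Constructed sample mirroring the non-working config in the thread (type named IncludeAzure).
BROKEN_CONFIG = """\
webvpn
 anyconnect-custom-attr IncludeAzure description Dynamic_Include
anyconnect-custom-data IncludeAzure Include domain.fr
group-policy TEST attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IP_TEST
 anyconnect-custom IncludeAzure value Include
"""

# Constructed sample: correct attribute type, but no split-tunnel network list at all.
NO_NETWORK_CONFIG = """\
webvpn
 anyconnect-custom-attr dynamic-split-include-domains description Dynamic_Include
anyconnect-custom-data dynamic-split-include-domains Include domain.fr
group-policy TEST attributes
 split-tunnel-policy tunnelspecified
 anyconnect-custom dynamic-split-include-domains value Include
"""

# Constructed sample with everything in place; 10.0.0.1 and the domains are placeholders.
FIXED_CONFIG = """\
webvpn
 anyconnect-custom-attr dynamic-split-include-domains description Dynamic_Include
anyconnect-custom-data dynamic-split-include-domains Include domain.fr,intranet.domain.fr
access-list IP_TEST standard permit host 10.0.0.1
group-policy TEST attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IP_TEST
 anyconnect-custom dynamic-split-include-domains value Include
"""


def parse_config(text):
    """Collect the config pieces dynamic split tunneling depends on; indented lines
    belong to the preceding top-level section (webvpn or group-policy ... attributes)."""
    cfg = {"attr_types": set(), "custom_data": {}, "acls": set(), "group_policies": {}}
    section = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split()
        if not raw.startswith(" "):
            section = None
            if parts[0] == "webvpn":
                section = ("webvpn", None)
            elif parts[0] == "group-policy" and len(parts) >= 3 and parts[2] == "attributes":
                section = ("gp", parts[1])
                cfg["group_policies"].setdefault(parts[1], {"network_list": None, "custom": []})
            elif parts[0] == "anyconnect-custom-data" and len(parts) >= 4:
                cfg["custom_data"][(parts[1], parts[2])] = parts[3]  # (type, name) -> domain list
            elif parts[0] == "access-list" and len(parts) >= 2:
                cfg["acls"].add(parts[1])
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "webvpn" and parts[0] == "anyconnect-custom-attr" and len(parts) >= 2:
            cfg["attr_types"].add(parts[1])
        elif kind == "gp":
            gp = cfg["group_policies"][name]
            if parts[0] == "split-tunnel-network-list" and len(parts) >= 3:
                gp["network_list"] = parts[2]
            elif parts[0] == "anyconnect-custom" and len(parts) >= 4 and parts[2] == "value":
                gp["custom"].append((parts[1], parts[3]))
    return cfg


def check_dynamic_split(text):
    """Return findings as strings; an empty list means the prerequisites are met."""
    cfg = parse_config(text)
    findings = []
    for gp_name, gp in cfg["group_policies"].items():
        for attr_type, data_name in gp["custom"]:
            if attr_type not in (INCLUDE_TYPE, EXCLUDE_TYPE):
                # The thread's root cause: the client only acts on the two documented type names.
                findings.append(f"{gp_name}: attribute type '{attr_type}' is not {INCLUDE_TYPE} or {EXCLUDE_TYPE}")
                continue
            if attr_type not in cfg["attr_types"]:
                findings.append(f"{gp_name}: '{attr_type}' not declared with anyconnect-custom-attr under webvpn")
            if (attr_type, data_name) not in cfg["custom_data"]:
                findings.append(f"{gp_name}: no anyconnect-custom-data '{data_name}' for type '{attr_type}'")
            if attr_type == INCLUDE_TYPE:
                if gp["network_list"] is None:
                    findings.append(f"{gp_name}: dynamic split include needs at least one network in split-tunnel-network-list")
                elif gp["network_list"] not in cfg["acls"]:
                    findings.append(f"{gp_name}: split-tunnel-network-list references undefined ACL '{gp['network_list']}'")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("no-network", NO_NETWORK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_dynamic_split(text) or "OK")
```

Run it as a script to see the findings for each sample; to lint a real device, paste the relevant `show running-config` sections into a string and pass it to `check_dynamic_split`. The parser only looks at the handful of lines the feature depends on, so unrelated group-policy settings are ignored rather than misread.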

 

Hello,

 

Sorry for the late reply, but it is working!!

 

Thank you very much, GoncaloReis.

 

Have a good day

 

Zidany