49377 Views, 15 Helpful, 6 Replies

AnyConnect: How to route ALL traffic through VPN

deesnood1
Level 1

In the past, when I would use a Windows built-in VPN (PPTP), I could choose whether everything would go through the VPN, or if only things that failed to resolve went through it. I would copy/paste the VPN connection and rename them so one was called something_all and the other something_std. I'd choose which one I needed and start that one.

Now I'm using Cisco AnyConnect Secure Mobility Client (on my Windows 7 machine), I don't seem to have that option. I seem to be locked into the mode where only URLs that fail to resolve find themselves going through the VPN. This works for private domains my employer has. It means I get access to the machines that aren't public-facing.

My problem is that sometimes I want everything to go through it. For example, if I'm in Europe and someone (in America) tells me that I need to visit a site and troubleshoot an issue, what I find is that despite typing in the American URL, I'm redirected to the European site, because it's a public site. I'd like to switch the VPN into the "route everything through it" mode, or even better, have a list that I manage of domains that I want to go through it (although the all-or-nothing is all I really need).

Is this possible? I've seen the option called something like 'allow local LAN access' but that doesn't seem to be anything useful.

The ultimate test is that if I go to one of those what-is-my-ip-address sites, it doesn't say I'm in Europe, but instead says I'm in America (or wherever the end point of the VPN is; I have several choices from my employer).

6 Replies

Marvin Rhoads
Hall of Fame

It is pushed to the AnyConnect client from the ASA as an access-list that enforces the split-tunnel (or lack of split tunnel in the case of all traffic) policy. It's not something that you can change at the client level.

On the client it shows up as "Route Details" under the VPN tab of the AnyConnect client details window.

Thanks Marvin. I'm looking now at my Route Details and I see in the window "Non-secured Routes (IPv4)" with 0.0.0.0/0 and then below that "Secured Routes (IPv4)" with about 20-30 internal IP addresses (some 192.168's, and some 10.10's).

I understand that there's nothing I can do at the client level, that's a shame.

So when I make a request to the IT department, what I'm really hoping is that they copy/paste the connection (or make a new one) that somehow has something like 0.0.0.0/0 in the "Secured Routes (IPv4)" section, or *.*.*.*/*, so that it can all go through. I'd only use this secondary one if I really need it. Naturally I prefer most stuff (YouTube for example) to not go through the VPN, but if I were troubleshooting something on YouTube, then I'd need it to.

Gonna see if I can get my message through the various support tiers to the people who make the connection profiles but I'm not hopeful. Last time I tried, with a fairly vague question I admit, I just got back the response "you can't do that" and the ticket was immediately closed. Here's hoping.

You're welcome. On the ASA it looks something like:

group-policy <group-policy name> attributes
<snip>
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value <access-list number or name>

The contents of the specified access-list are what ends up in your local client's VPN routing table.

Please rate if the answers helped. Cheers.

One thing I'm not quite clear on. Are you saying that I can't have a wildcard, so everything goes through the tunnel? Do I have to specifically ask for the domain names/IPs that I want to go through it (like it currently is, each one listed)? If that's the case, then I won't ask; I don't know in advance which ones I'll need. That's why the wildcard example is what I'm looking for.

If instead of "tunnelspecified" we use the keyword "tunnelall" value with the "split-tunnel-policy", that will push the 0.0.0.0/0 route to your client's session.

So that's in effect the wildcard you're asking about.
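As an added illustration of the two policies Marvin describes (this is not configuration from the thread, from the poster's employer, or from Cisco documentation), here is how a split-tunnel profile and a tunnel-all profile can coexist on one ASA so that the AnyConnect drop-down offers both, much like the two named PPTP connections the original poster used to keep. Every name in it is an assumed placeholder: the access-list SPLIT_TUNNEL_ACL, the group-policies GP_SPLIT and GP_FULL, the tunnel-groups TG_SPLIT and TG_FULL, the aliases something_std and something_all, and the 10.10.0.0/16 and 192.168.0.0/16 ranges standing in for the "20-30 internal" networks the poster sees.

```text
! --- Split tunnel: only the listed internal networks are "Secured Routes" ---
! (assumed ranges; replace with the real internal networks)
access-list SPLIT_TUNNEL_ACL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_TUNNEL_ACL standard permit 192.168.0.0 255.255.0.0

group-policy GP_SPLIT internal
group-policy GP_SPLIT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL

! --- Full tunnel: the ASA pushes 0.0.0.0/0 as a Secured Route instead ---
! No network list is needed; "tunnelall" is the wildcard the thread asks about.
group-policy GP_FULL internal
group-policy GP_FULL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall

! --- Two connection profiles, each bound to one of the group-policies ---
tunnel-group TG_SPLIT type remote-access
tunnel-group TG_SPLIT general-attributes
 default-group-policy GP_SPLIT
tunnel-group TG_SPLIT webvpn-attributes
 group-alias something_std enable

tunnel-group TG_FULL type remote-access
tunnel-group TG_FULL general-attributes
 default-group-policy GP_FULL
tunnel-group TG_FULL webvpn-attributes
 group-alias something_all enable

! Make the aliases appear as a selectable list in the AnyConnect client.
webvpn
 tunnel-group-list enable

! With tunnelall, Internet-bound traffic arrives on the outside interface and
! must leave through it again; without this (and a NAT rule for the VPN pool
! toward the outside) full-tunnel clients lose all Internet access.
same-security-traffic permit intra-interface
```

The way to confirm which profile is in effect is the one already named in the thread: under "Route Details" in the AnyConnect client, the split profile lists the ACL networks under "Secured Routes (IPv4)" with 0.0.0.0/0 under "Non-secured Routes", while the full profile shows 0.0.0.0/0 under "Secured Routes (IPv4)", and a what-is-my-IP site then reports the ASA's public address rather than the local one. Note that the tunnelall profile also means every byte of the client's traffic (including anything the local LAN would otherwise have handled) is carried to and inspected by the corporate edge, which is usually the reason a security team prefers it, so the request to IT may be easier to justify than the poster expects.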

Rock and roll!!

I'll just point them to this thread :)

Much appreciated. Gave you all the ratings [and correct answer]. :)