Anyconnect pkg's and all traffic through tunnel

John Kellen
Level 1

Hello,

I have two questions that I cannot find the answer to :/

I configured a working AnyConnect VPN on a C892FSP router, using the Windows web-deployment pkg.

I would like to add the Linux and Mac pkgs too, so those users get it installed when they connect to the portal.

The command svc image imagename order# does not seem to work in IOS (I indeed found that in an ASA tutorial).

Any idea how to add the Mac and Linux packages to the portal (where the Windows package is already in place)?

Secondly, I'd like to force ALL traffic from the VPN client through the tunnel. Any ideas on how to change the config below to add a gateway and DNS server to the client VPN NIC?

webvpn gateway Cisco-WebVPN-Gateway
 ip address *.*.*.* port 443
 ssl encryption rc4-md5
 ssl trustpoint vpn
 inservice
!
webvpn context Cisco-WebVPN
 title "MINF/ICTJ WebVPN - Cisco"
 !
 acl "ssl-acl"
   permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
 login-message "Enter MINF/ICTJ credentials"
 aaa authentication list sslvpn
 gateway Cisco-WebVPN-Gateway
 !
 ssl authenticate verify all
 !
 url-list "rewrite"
 inservice
 !
 policy group webvpnpolicy
   functions svc-enabled
   filter tunnel ssl-acl
   svc address-pool "webvpn-pool" netmask 255.255.255.0
   svc rekey method new-tunnel
   svc split include 10.0.0.0 255.255.255.0
 default-group-policy webvpnpolicy
!

Thank you

2 Replies 2

hellenwu1025
Level 1

I only do remote access VPN on ASA. But I guess if you want all traffic to go through the tunnel, take the split tunnel off your group policy. Split tunnel is used to specify which type of traffic should go through the tunnel, and anything not included in the split tunnel will not go to the tunnel. Hope that helps.

Yes, you can have multiple AnyConnect packages on an IOS router as well, assuming that you are running version 12.4(20)T or higher.

Here is the command:

crypto vpn anyconnect sequence

Config guide for your reference:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_sslvpn/configuration/15-mt/sec-conn-sslvpn-ssl-vpn.html#GUID-535511B0-3794-4511-AC28-E1C0EB455282

To change it to no split tunnel, i.e. pushing everything down the tunnel, you can remove the following:

svc split include 10.0.0.0 255.255.255.0

To add DNS server information, it's under the following:

policy group webvpnpolicy
    svc default-domain
    svc dns-server primary
    svc dns-server secondary

Here is the config guide for your reference:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_sslvpn/configuration/15-mt/sec-conn-sslvpn-ssl-vpn.html#GUID-713F29A7-18B1-45D8-8D0A-10EF27882243

Hope that helps.
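A check for the two changes discussed in this thread, added here as an example and not part of the original posts: it reads a saved IOS configuration and reports any WebVPN policy group that still has `svc split include` lines or pushes no primary DNS server. The function names are hypothetical and the sample config is constructed from the policy group in the question.

```python
import re

# Constructed sample: the policy group from the question above, trimmed.
SAMPLE_CONFIG = """\
webvpn context Cisco-WebVPN
 policy group webvpnpolicy
   functions svc-enabled
   filter tunnel ssl-acl
   svc address-pool "webvpn-pool" netmask 255.255.255.0
   svc split include 10.0.0.0 255.255.255.0
 default-group-policy webvpnpolicy
!
"""

def parse_policy_groups(config):
    """Map each 'policy group' name to the list of its sub-commands."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"policy group (\S+)$", line)
        if match:
            current = groups.setdefault(match.group(1), [])
        elif line == "!" or line.startswith(("default-group-policy", "webvpn ")):
            current = None  # left policy-group sub-mode
        elif current is not None and line:
            current.append(line)
    return groups

def audit_group(commands):
    """Return findings for one policy group; an empty list means full tunnel with DNS."""
    findings = []
    split = [c for c in commands if c.startswith("svc split include")]
    if split:
        nets = ", ".join(" ".join(c.split()[3:5]) for c in split)
        findings.append("split-tunnel: only " + nets + " is sent through the tunnel")
    if not any(c.startswith("svc dns-server primary ") for c in commands):
        findings.append("no-dns: no 'svc dns-server primary' address is pushed to clients")
    return findings

def audit_config(config):
    """Audit every policy group found in a saved configuration."""
    return {name: audit_group(cmds) for name, cmds in parse_policy_groups(config).items()}

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        for finding in findings or ["ok: all client traffic is tunnelled and DNS is pushed"]:
            print(name + ": " + finding)
```

Run it against the output of `show running-config` saved to a file; a group with no findings has neither a split-include list nor a missing primary DNS entry.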