Anyconnect Split Tunnel based on IP AND Port

gaigl · ‎06-24-2025

Hello together,

a question about Split-Tunnel: can I use for Split Tunnel an ACL, where IP-Adresses AND special Ports are defined?

Background Information: we struggeling with Traffic for MS Teams, M365 etc.

Based on this List: https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide we would define ID 11 (the 2 Networks, udp 3478-3481) for Split-Tunnel.

When I define this, in the Anyconnect Client I see under Routing Details no Ports, so I think the Ports are not respected, and some Functions in Teams are not working.

Or alternative: do you have some experience with Anyconnect and the MS365 Theme?

Rob Ingram · ‎06-24-2025

@gaigl use Dynamic split tunneling and exclude the MS teams DNS domain names from tunneling.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215383-asa-anyconnect-dynamic-split-tunneling.html

https://community.cisco.com/t5/vpn/split-tunnel-webex-outlook365-zoom/td-p/4049533

https://community.cisco.com/t5/security-knowledge-base/anyconnect-split-tunneling-local-lan-access-split-tunneling/ta-p/4050866

gaigl · ‎06-24-2025

Hello Rob,

thank you for the Links, some things I already had in mind. We already use dynamic split exclude, and for the ACL for Split-Tunnel I saw the crucial word: "Standart-ACL", so no Ports.

I'll walk through the Links, will take some Time

MHM Cisco World · ‎06-25-2025

The ACL use for split tunnel is not real ACL' actually it is route inject to anyconnect host' and as you know route dont use l4 port.

There is doc. I will search and share here about your case

MHM

MHM Cisco World · ‎06-25-2025

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215343-optimize-anyconnect-split-tunnel-for-off.html

Check this

MHM

gaigl · ‎06-25-2025

I already know this doc, but honestly: I've got no idea, how to implement this.

Marvin Rhoads · ‎06-25-2025

Are you trying to include or exclude the Microsoft services in your VPN tunnel? Either way, we typically just cover the network ranges - that's what split tunnel (include or exclude) covers.

If you want to include the Microsoft addresses AND restrict the ports then it's a more complex setup which I can go into if that's the case.

gaigl · ‎06-25-2025

Hi Marvin, one request from another department is, to send all web-based Services in the Tunnel (but bypass the webproxy) and communication traffic not in the Tunnel, but I guess this is not possible.

So I try to follow the MS Doc above, to split adresses under category "optimize" and "allow"