Anyconnect split tunneling based on DNS

Hello,

I am trying to figure out a way to force certain DNS names and traffic related to that "flow" through VPN, but I'm not sure if I'm doing it right, or if it's even possible.

Config:

access-list VPN-SPLIT-TUNNEL standard permit 192.168.50.0 255.255.255.0
access-list VPN-SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.224

nat (OUTSIDE,INSIDE) source dynamic VPN-POOL interface destination static VPN-PAT-NETWORK INSIDE-LAN-NETWORK
nat (OUTSIDE,OUTSIDE) source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
nat (OUTSIDE,OUTSIDE) source dynamic VPN-POOL interface

object network VPN-POOL
subnet 10.0.0.0 255.255.255.224
description VPN-POOL

object network VPN-PAT-NETWORK
subnet 192.168.50.0 255.255.255.0

object network INSIDE-LAN-NETWORK
subnet 192.168.0.0 255.255.255.0

webvpn
enable INSIDE
enable OUTSIDE
no anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
anyconnect enable
tunnel-group-list enable

group-policy HEMMA-VPN-POLICY internal
group-policy HEMMA-VPN-POLICY attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SPLIT-TUNNEL
default-domain value cristiannilsson.se
split-dns value www.google.se
address-pools value VPN-POOL
webvpn
anyconnect keep-installer installed
anyconnect ask none default anyconnect

Now if I remove the NAT statement

nat (OUTSIDE,OUTSIDE) source dynamic VPN-POOL interface

the connection to www.google.se dies when using VPN; related or not, I can't say.

I hope I wrote in a way that anyone can understand :)

Regards,

Cristian

2 Replies

I think I have a way of doing this with an access-list matching an FQDN object.

Will update when tested.

This did not work, sadly:

object network FQDN-WWW.GOOGLE.SE
fqdn www.google.se
Ben-Dover(config)# access-list VPN-SPLIT-TUNNEL extended permit ip object FQDN-WWW.GOOGLE.SE any
ERROR: Access-list contains user, user-group, security-group or FQDN objects. These are not supported in group policies.

If anyone has a work-around, it would be much appreciated.

//Cristian
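As an added check (not code from the thread), the script below models the two mechanisms in the posted group policy: split-dns only decides which DNS queries are sent through the tunnel, while split-tunnel-policy tunnelspecified routes traffic by destination IP against the standard ACL. The resolved addresses are constructed documentation-range samples, not real answers for www.google.se.

```python
import ipaddress

# Split-tunnel ACL copied from the group policy in the post (standard ACL, network + mask).
SPLIT_TUNNEL_ACL = """
access-list VPN-SPLIT-TUNNEL standard permit 192.168.50.0 255.255.255.0
access-list VPN-SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.224
"""

# split-dns value from the group policy
SPLIT_DNS_DOMAINS = ["www.google.se"]


def parse_standard_acl(text):
    """Return the permitted networks from ASA standard ACL lines (deny entries are ignored here)."""
    nets = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != "access-list" or f[2] != "standard" or f[3] != "permit":
            continue
        if f[4] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif f[4] == "host":
            nets.append(ipaddress.ip_network(f[5] + "/32"))
        else:
            nets.append(ipaddress.ip_network(f"{f[4]}/{f[5]}", strict=False))
    return nets


def is_tunneled(dst_ip, nets):
    """tunnelspecified: only destinations covered by a permit entry go through the VPN."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in nets)


def dns_via_tunnel(name, domains):
    """split-dns: queries for the listed domains (suffix match) go to the tunnel DNS server."""
    return any(name == d or name.endswith("." + d) for d in domains)


def check_host(name, resolved_ips, acl_text=SPLIT_TUNNEL_ACL, domains=SPLIT_DNS_DOMAINS):
    """Show that tunnelled DNS resolution does not imply tunnelled traffic for the answers."""
    nets = parse_standard_acl(acl_text)
    return {
        "dns_via_tunnel": dns_via_tunnel(name, domains),
        "traffic_via_tunnel": {ip: is_tunneled(ip, nets) for ip in resolved_ips},
    }


if __name__ == "__main__":
    # Constructed sample answers (203.0.113.0/24 is a documentation range), not a real lookup.
    print(check_host("www.google.se", ["203.0.113.10", "192.168.50.25"]))
```

The run shows the gap the poster hit: the query for www.google.se is tunnelled, but a public answer such as 203.0.113.10 falls outside VPN-SPLIT-TUNNEL and is sent in the clear.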