AnyConnect VPN and Split Tunnel

tcmckay
Level 1

I use split tunneling with my AnyConnect VPN clients. The solution works for almost everything we do, however, we recently came across a situation where we would like 1 external link to not be split off. Here is the situation:

We have a proxy server that has a public IP. This proxy must use the public IP for the services that are behind it and the access that our clients need. On the proxy we allow only specified IP ranges through to the back-end servers. We are now seeing more of our employees working offsite, and they need access to the back-end servers. The issue is that internal DNS redirects to the external IP, which causes the AnyConnect clients to route the request out their non-VPN link. Since we only allow specific ranges of IP addresses through the proxy, we are seeing off-site employees blocked from the back-end servers.

The question:

Is there a way with the split tunnel to allow an AnyConnect client to not split traffic that is sent to a specific IP? For example, if the internal DNS record points the user to the external IP of 69.x.x.x, that traffic would stay within the VPN connection and not go out through the host's internet connection.

I hope that is clear.

3 Replies

Mike.Cifelli
VIP Alumni
In your client config group policy you should be able to configure an exclusion list OR a list to specify networks to tunnel. The config setting can be found using ASDM under Group Policy->Advanced->Split Tunneling. Not sure if that directly answers your question, but hopefully it helps. Good luck!

Split-tunneling is controlled with an access-list that specifies which traffic to send through the VPN and which to send directly to the internet. This ACL is assigned to the group-policy that Mike already mentioned. Here you just enter the public proxy IP in addition to the internal networks that are probably already included in that access-list.
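The configuration both replies describe, written out as an added ASA CLI example (not posted by either replier and not from the original thread). The ACL name SPLIT_TUNNEL, the group-policy name GP_ANYCONNECT, the internal range 10.0.0.0/8 and the proxy address 69.0.0.1 are all assumed placeholders; the thread only gives "69.x.x.x".

```text
! Added example, not from the original thread. Assumed names/addresses:
! SPLIT_TUNNEL, GP_ANYCONNECT, 10.0.0.0/8 as the internal range, 69.0.0.1 as the proxy.

! Split-tunnel list: a standard ACL of destinations that must go through the VPN.
! Anything not permitted here leaves via the client's own internet link.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
! The proxy's public address as a host entry, so that traffic to it stays in the
! tunnel even when internal DNS hands the client the external IP.
access-list SPLIT_TUNNEL standard permit host 69.0.0.1

group-policy GP_ANYCONNECT attributes
 ! "tunnelspecified" = tunnel only what the list permits
 ! (ASDM: Group Policy -> Advanced -> Split Tunneling, "Tunnel Network List Below")
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 ! Leave DNS resolution to the client's configured (internal) servers; the
 ! proxy record still resolves to the public IP, which the ACL above now covers.
 split-tunnel-all-dns disable

! Verification
! Confirm which group-policy the session actually received; a per-user
! attribute or a different tunnel-group can select one other than the one edited:
show vpn-sessiondb anyconnect
! Confirm the compiled list (and hit counts) and the policy bound to the group:
show access-list SPLIT_TUNNEL
show running-config group-policy GP_ANYCONNECT
```

On the client side, the AnyConnect Statistics window, Route Details, lists the Secured Routes pushed by the ASA; the proxy should appear there as a /32, and `route print` on Windows shows the same host route pointing at the VPN adapter. If the entry is missing, the client did not receive the edited list. One further requirement when the proxy is reached from the ASA's outside interface: traffic arriving on the VPN and leaving through the same interface needs `same-security-traffic permit intra-interface` and a NAT rule covering the VPN address pool, otherwise the ASA drops the hairpinned flow even though the route on the client is correct.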

This is what I thought as well, and I had added the public IPs for the proxy server to the ACL for the VPN clients. For some reason this does not keep the traffic internal. For all other traffic the split tunnel is working, but when the internal DNS record redirects to the external IP, the traffic exits through the client's internet connection.