AnyConnect VPN flexibility

James Nowotny
Level 1

I have set up an ASA-5515 with 9.1(2).  I have VPN set up with users using AnyConnect.  Everything is working well.  I now have a couple of new requirements that I'm not sure how to set up, or if they are even possible.

1)  Can I set up the VPN so a user can pick whether or not they are using split tunnel?  We have a couple of engineers that go to China and need to use the VPN so that, in addition to the normal access, they can use the VPN for regular Internet access bypassing the China filters.  I think this means I also have to set up a hairpin in the ASA.  But I only want this when needed.

2)  Can I set up the VPN so it will work from our Guest network, which is also on the same ASA?

Thanks...Jim

Accepted Solution

Marcin Latosiewicz
Cisco Employee

Jim,

My info might be off by some two years, but...

Ad1. Would require setting up a separate tunnel-group or assigning different parameters via DAP/RADIUS/whatever, including a different IP address pool if you want to do hairpinning for some traffic. That's probably the "easiest" way.

Ad2. Couple of challenges. Yes, you can enable the AnyConnect service on multiple interfaces, not only outside. Think about traffic flow though. Due to architectural choices of ASA (at least they were in place two years back) you will not be able to communicate _with_ the ASA on a different interface than you're on right now, with the exception of management-access. So you'd need to enable the AnyConnect service on the interface facing the guest network. This move also comes with a DNS challenge: when called from the guest network for the DNS A record of myasa.mycompany.tld, you should return the guest network IP.

Hope that makes sense :]

M.

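The tunnel-group approach from the accepted answer, written out as an ASA 9.1 configuration fragment. This is an added illustration, not configuration posted in the thread or taken from Cisco documentation for this ASA: the pool ranges, the 192.168.1.0/24 internal network, the interface nameif "guest", and every object, ACL, group-policy and tunnel-group name are constructed placeholders. It shows the two pieces the answer calls for: one tunnel-group per access profile (split tunnel vs. full tunnel with hairpin), each with its own pool, and the AnyConnect service enabled on the guest-facing interface in addition to outside.

```cisco
! --- One address pool per profile so hairpinned full-tunnel traffic can be
! --- matched by its source pool in NAT (constructed ranges)
ip local pool POOL_SPLIT 10.10.10.1-10.10.10.200 mask 255.255.255.0
ip local pool POOL_FULL  10.10.20.1-10.10.20.50  mask 255.255.255.0

! --- Internal networks the split-tunnel profile sends through the VPN
access-list SPLIT_NETS standard permit 192.168.1.0 255.255.255.0

! --- Profile 1: split tunnel (the everyday profile)
group-policy GP_SPLIT internal
group-policy GP_SPLIT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_NETS
 address-pools value POOL_SPLIT

! --- Profile 2: full tunnel; all client traffic, Internet included, comes
! --- into the ASA and hairpins back out the outside interface
group-policy GP_FULL internal
group-policy GP_FULL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 address-pools value POOL_FULL

! --- One tunnel-group per profile; the alias is the entry the user picks in
! --- the AnyConnect group drop-down
tunnel-group TG_SPLIT type remote-access
tunnel-group TG_SPLIT general-attributes
 default-group-policy GP_SPLIT
tunnel-group TG_SPLIT webvpn-attributes
 group-alias Corp-Split enable

tunnel-group TG_FULL type remote-access
tunnel-group TG_FULL general-attributes
 default-group-policy GP_FULL
tunnel-group TG_FULL webvpn-attributes
 group-alias Corp-FullTunnel enable

! --- Serve AnyConnect on the guest-facing interface (nameif "guest" is an
! --- assumption) as well as outside; tunnel-group-list shows the drop-down
webvpn
 enable outside
 enable guest
 tunnel-group-list enable
 anyconnect enable

! --- Hairpin: allow traffic to enter and leave the same interface, and PAT
! --- the full-tunnel pool behind the outside address on its way back out
same-security-traffic permit intra-interface
object network POOL_FULL_NET
 subnet 10.10.20.0 255.255.255.0
 nat (outside,outside) dynamic interface
```

Two things the fragment deliberately leaves to the existing configuration. First, the NAT exemption that already carries VPN-to-inside traffic must also cover POOL_FULL, and because manual (twice) NAT is evaluated before object NAT on 9.x, it will take precedence over the hairpin PAT above for internal destinations as intended. Second, nothing here limits who may pick the full-tunnel alias: the drop-down is visible to every user, so restricting Corp-FullTunnel to the engineers who need it is the job of a per-user group-policy assigned from RADIUS/LDAP or a DAP record, which is the other route the answer mentions and which this fragment does not show. The DNS point from Ad2 is solved on the guest network's resolver, not on the ASA: the A record for the ASA's FQDN handed to guest clients must point at the guest interface address.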
