AnyConnect VPN - VM needs to call a host on the tunnel

thomas gilmore
Level 1

One of my users is running a script from his bare metal host that makes a call to a VM server running on his laptop.

The VM needs to make a TCP call to a server on the other side of the VPN tunnel.

The user has an IP address of 192.168.1.x on the bare metal (Apple IOS).

The VM running on his laptop has an IP address of 192.168.155.x.

He wants his VM to connect to a server on the other side of the VPN tunnel; the remote host has an IP address of 10.10.1.x.

If he is not connected to VM, this (metal-2-VM-2-RemoteServer) connection works, but when connected with AnyConnect VPN, his laptop believes that 192.168.155.x exists on the tunnel, hence the host cannot communicate with the VM.

He is asking if there are any tweaks we can make to the AnyConnect client so that metal-2-VM-2-Remote server works.

Please see pics attached of "IP Route table not connected to VPN" and "IP Route table when connected to VPN".

Rahul Govindan
VIP Alumni

What split tunnel routes are you pushing to the user through AnyConnect? Looks like you are pushing the 192.168/16 route via the tunnel, which may be why this is adding the route for utun0.

One option you can try is to exclude the 192.168.155.x from the split tunnel list. But this is a change that needs to be done on the group-policy (and applies to all users using that group-policy). If you are running ASA 9.1(4) or later and AnyConnect 3.1.3013 or later, you can add a deny statement above the permit ACLs for split tunnels.
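As an added worked example (not from the original thread or from Cisco's own documentation), this is what the "deny above the permit" split-tunnel ACL described in the answer looks like on the ASA; the ACL name SPLIT_TUNNEL, the group-policy name GP_VPN and the 10.10.1.0/24 permit are assumed, the subnets come from the question, and the lines starting with `!` are explanatory comments.

```cisco
! Assumed existing state (from the question): a single permit ACE sends the
! whole 192.168.0.0/16 through the tunnel, so the client installs a utun0
! route that also covers the VM subnet 192.168.155.0/24.
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.10.1.0 255.255.255.0

! Corrected list: ACEs are evaluated in order, so the deny for the VM subnet
! must sit above the permit that would otherwise match it. Rebuild the list
! so the deny is first (requires the ASA/AnyConnect versions named above).
clear configure access-list SPLIT_TUNNEL
access-list SPLIT_TUNNEL standard deny   192.168.155.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.0.0   255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.10.1.0     255.255.255.0

! Bind the list to the group-policy (assumed name GP_VPN). As noted in the
! answer, this changes behaviour for every user in that group-policy.
group-policy GP_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Confirm the ACE order on the ASA before the user reconnects.
show running-config access-list SPLIT_TUNNEL
```

After the client reconnects, the route table on the laptop should no longer show 192.168.155.0/24 behind utun0, while 10.10.1.0/24 still is.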
