Cisco Anyconnect : Split tunnel issues

Hi,

I've got a Cisco 1941 setup working fine for Cisco Anyconnect. Clients can connect to local resources fine. The issue I have is that I need the remote clients to access a third-party IP address, but to do so they must go through the VPN.

At the moment only local resources are accessed across the VPN, and if they need the internet they use the internet connection they are connecting with.

I've added the below to make sure traffic going to the IP is going across the VPN:

svc split include 8.8.8.8 255.255.255.255

And indeed it does start to route it across the VPN if they try to go to 8.8.8.8, but it doesn't go any further. It doesn't look like the router is NATing this out. I've added the VPN pool to my NAT access-list but still no go.

Any suggestions much appreciated.

Thanks

Andrew

4 Replies

Julio Carvajal
VIP Alumni

Hello Andrew,

Can you provide the configuration so we can correlate it with what you are saying?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks. I've attached the router config. I've changed the IPs for privacy's sake, but otherwise it's as it is on the router.

So for anyone connecting remotely to this router via Cisco Anyconnect, I want them to use the VPN to get to the internet IP 8.8.8.8.

Thanks Again

Hello Andrew,

What seems to me to be the issue is that you do not have any NAT statement for the traffic from the SVC client to 8.8.8.8.

Let's give it a try like this:

interface Loopback17
 ip address 192.168.115.1 255.255.255.0
 ip nat inside
!
ip access-list extended SVC_NAT
 permit ip SVC_POOL host 8.8.8.8
 deny ip any any
!
route-map test
 match ip address SVC_NAT
 set ip next-hop 192.168.115.1
!
interface GigabitEthernet0/0
 ip policy route-map test

I really hope this helps you

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the help.

Unfortunately it didn't work in this case. I've applied your suggested configuration but the same issue applies.

I even tried applying the "ip nat inside" to the virtual interface as suggested on other Cisco documentation but this also didn't seem to work.

I think what I want to do is referred to as "Hairpin". I thought it would be a common requirement, but I haven't had much luck finding solutions for IOS routers.

Thanks again
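As an added example that is not part of this thread, the conventional IOS pattern for hairpinning split-include traffic: decrypted SVC traffic enters the router on the Virtual-Access interfaces cloned from the webvpn Virtual-Template, so that template is marked NAT inside, the WAN interface is NAT outside, and a route-map-restricted NAT rule translates only pool traffic bound for 8.8.8.8. The pool 192.168.200.0/24, the interface names GigabitEthernet0/0 and Virtual-Template1, and the context name SSLVPN are assumptions, not values from Andrew's configuration.

```cisco
! Added example, not the configuration posted in this thread.
! Assumed values: SVC address pool 192.168.200.0/24,
! WAN = GigabitEthernet0/0, webvpn context SSLVPN using Virtual-Template1.
!
! 1. Match only VPN-client traffic destined for 8.8.8.8.
!    Extended ACLs take wildcard masks, not subnet masks.
ip access-list extended SVC_TO_8888
 permit ip 192.168.200.0 0.0.0.255 host 8.8.8.8
 deny   ip any any
!
! 2. Route-map so the NAT rule is scoped to that ACL and nothing else.
route-map SVC_NAT permit 10
 match ip address SVC_TO_8888
!
! 3. PAT those flows to the WAN address. The same translation entry
!    untranslates the replies as they re-enter the tunnel (the hairpin).
ip nat inside source route-map SVC_NAT interface GigabitEthernet0/0 overload
!
! 4. NAT inside belongs on the template the SSL VPN clones per client;
!    the physical LAN interface never sees the decrypted client traffic.
interface Virtual-Template1 type VPN
 ip unnumbered GigabitEthernet0/0
 ip nat inside
!
interface GigabitEthernet0/0
 ip nat outside
!
! 5. The context serving the clients must reference the template above.
webvpn context SSLVPN
 virtual-template 1
!
! Verify from a connected client by sending traffic to 8.8.8.8, then:
!   show ip nat translations | include 8.8.8.8
!   show ip nat statistics
```

If "show ip nat translations" stays empty while the client traffic arrives on the Virtual-Access interface, the inside/outside marking or the ACL wildcard is the first thing to re-check, since the original "svc split include" already steers the packets into the tunnel.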