Re: Cisco Anyconnect VPN split tunnel

tinhnho123 · ‎10-23-2020

Hi Guys,

I currently have Cisco Anyconnect with Split tunneling. Everything seems to be working fine.

Is there a way to force clients when they try to connect to an IP address 52.244.160.207 and his/her traffic would go back to the tunnel and exist out from the company internet instead of go thru their home internet provider? We also don't want create full tunnel either.

Thanks.

Rob Ingram · ‎10-23-2020

Hi @tinhnho123

Yes, you will need to include that IP address in the split tunnel ACL.

You will also need to configure the command same-security-traffic permit intra-interface and also define a NAT rule for the RAVPN users. E.g.

object network RAVPN_USERS
 subnet 10.4.4.0 255.255.255.0
 nat (outside,outside) dynamic interface

HTH

tinhnho123 · ‎10-23-2020

Hi Rob,

Would it be the same if I have FMC and FTD for Anyconnect VPN?

Rob Ingram · ‎10-23-2020

Well you don't need the command same-security-traffic permit intra-interface on FTD, it's configured as standard unlike ASA. Everything else I mentioned above is required.

tinhnho123 · ‎10-26-2020

Hi Rob,

I've tried it on the FMC and it doesn't do it. Sorry, I'm new to FMC/FTD.

Aref Alsouqi · ‎10-29-2020

If you added the IP address 52.244.160.207 to the split tunnel ACL, and the NAT rule as @Rob Ingram suggested, and that still does not work, then I might suspect it might have something to do with the access control policy that maybe is denying that traffic?. Did you enable the Bypass Access Control policy for AnyConnect traffic? or you have it disabled?, if you have it disabled, then I think you need to add a rule on the security policy to allow the AnyConnect pool to reach the IP address 52.244.160.207. In that case, the source and destination interfaces would be outside.

vsurresh · ‎10-29-2020

Just to double-check, have you added the IP into the split-tunnel allowed list? If yes, can you see the traffic to 52.244.160.207 from the VPN is hitting the FTD?