10-23-2020 09:54 AM
Hi Guys,
I currently have Cisco Anyconnect with Split tunneling. Everything seems to be working fine.
Is there a way to force clients, when they try to connect to the IP address 52.244.160.207, to send that traffic back through the tunnel and exit from the company internet instead of going through their home internet provider? We also don't want to create a full tunnel.
Thanks.
10-23-2020 09:57 AM
Hi @tinhnho123
Yes, you will need to include that IP address in the split tunnel ACL.
You will also need to configure the command same-security-traffic permit intra-interface, and also define a NAT rule for the RAVPN users. E.g.
object network RAVPN_USERS
 subnet 10.4.4.0 255.255.255.0
 nat (outside,outside) dynamic interface
HTH
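The full set of ASA commands that the answer above describes, put together as an added example (this is not config from the original post). The ACL and object names SPLIT_TUNNEL, RAVPN_GP and RAVPN_POOL, the internal network 10.0.0.0/8 and the pool 10.4.4.0/24 are assumptions chosen for illustration; only 52.244.160.207 comes from the thread.

```cisco
! --- Added example, not the poster's configuration ---
! Assumed names: SPLIT_TUNNEL, RAVPN_GP, RAVPN_POOL; assumed internal net 10.0.0.0/8

! 1. Split-tunnel ACL: only these destinations are sent into the tunnel.
!    Everything else stays on the user's home internet.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit host 52.244.160.207

! 2. Apply the ACL to the group policy the AnyConnect users land in.
group-policy RAVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 3. Decrypted VPN traffic arrives on "outside" and must leave on "outside"
!    again (hairpin). The ASA drops same-interface traffic unless told not to.
same-security-traffic permit intra-interface

! 4. Address pool the VPN clients receive (assumed).
ip local pool RAVPN_POOL 10.4.4.1-10.4.4.254 mask 255.255.255.0

! 5. PAT the pool to the outside interface address when it hairpins outside->outside,
!    otherwise 52.244.160.207 would see RFC1918 source addresses and never reply.
object network RAVPN_USERS
 subnet 10.4.4.0 255.255.255.0
 nat (outside,outside) dynamic interface

! 6. Verify: the pool should appear as an outside,outside rule with hits,
!    and a simulated client packet should be allowed and translated.
show nat detail
packet-tracer input outside tcp 10.4.4.10 12345 52.244.160.207 443 detailed
```

Two things to check if the packet-tracer output still shows a drop or an untranslated source: first, any manual (twice) NAT rules that exempt the VPN pool, such as the usual "no-NAT from inside to the VPN pool", are evaluated before this auto NAT rule, so make sure none of them also match traffic destined for 52.244.160.207; second, on ASA the default sysopt connection permit-vpn bypasses the interface ACL for decrypted traffic, and if that has been turned off the outside ACL must permit the pool to the host. On FTD the equivalent NAT rule is built in the FMC NAT policy as an auto NAT rule of type Dynamic with source and destination interface objects both set to outside, original source RAVPN_USERS and translated source "Destination Interface IP", and the split-tunnel ACL is attached in the group policy object under the Split Tunneling tab.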
10-23-2020 09:59 AM
Hi Rob,
Would it be the same if I have FMC and FTD for Anyconnect VPN?
10-23-2020 10:03 AM
Well you don't need the command same-security-traffic permit intra-interface on FTD, it's configured as standard unlike ASA. Everything else I mentioned above is required.
10-26-2020 06:42 AM
Hi Rob,
I've tried it on the FMC and it doesn't do it. Sorry, I'm new to FMC/FTD.
10-29-2020 04:56 PM
If you added the IP address 52.244.160.207 to the split tunnel ACL, and the NAT rule as @Rob Ingram suggested, and that still does not work, then I might suspect it has something to do with the access control policy, which may be denying that traffic. Did you enable the Bypass Access Control policy for AnyConnect traffic, or do you have it disabled? If you have it disabled, then I think you need to add a rule on the security policy to allow the AnyConnect pool to reach the IP address 52.244.160.207. In that case, the source and destination interfaces would both be outside.
10-29-2020 11:43 AM
Just to double-check, have you added the IP into the split-tunnel allowed list? If yes, can you see the traffic to 52.244.160.207 from the VPN is hitting the FTD?