Solved: Re: Cisco ASA 5508-X - Issue with Split-tunnel

steve32881 · ‎01-23-2021

Hi, I have a problem with my AnyConnect Split-tunnel configuration. When connected I am able to ping or reach internal subnets which have been specified in the split-tunnel ACL but I can't ping nor reach any public sites that I want to be reached through the VPN.

When checking my routing table, I can see that the route to that site that I added to the split-tunnel ACL is there but when trying to reach it or ping it nothing works.

I am able to do so if I remove that site from the ACL, but that means that traffic is going out from my normal home connection.

The issue is not just a DNS problem as I can't even ping the domain. Any help will be much appreciated! Thanks =]

Also if someone can explain to me why the hitcount on the split-tunnel ACLs remain 0 would be great.

Rob Ingram · ‎01-23-2021

@steve32881

If you are tunneling the traffic through the VPN and out to the internet, you'll need a NAT rule, for the anyconnect network e.g.

object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface

HTH

View solution in original post

balaji.bandi · ‎01-23-2021

Are you not able to reach the external site? is this DNS resolution ok?

can you post-show run to look at the config?

or look below example guide to give you the right direction :

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc6

https://www.petenetlive.com/KB/Article/0001239

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

steve32881 · ‎01-23-2021

Hi, thanks for the quick reply. I did attach the config with the original post.

As for your question, when connected with the VPN, DNS resolution seems to work but can't access the site nor ping it.

steve32881 · ‎01-23-2021

Any idea why this is happening? thanks

Rob Ingram · ‎01-23-2021

@steve32881

If you are tunneling the traffic through the VPN and out to the internet, you'll need a NAT rule, for the anyconnect network e.g.

object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface

HTH

steve32881 · ‎01-23-2021

Thanks Rob I'll try that out and let you know.

steve32881 · ‎01-23-2021

Hey Rob, that was spot on mate thank you very much! Issue fixed =]

MHM Cisco World · ‎01-23-2021

...

steve32881 · ‎01-23-2021

Hey thanks for the feedback!

nat (outside,outside) source dynamic OBJ-ANYCONNECT-SUBNET SNAT-IP-XXX destination static XXX-REMOTE XXX-REMOTE

This rule I use it so that my anyconnect users can reach a subnet which sits behind an IPSec site-to-site tunnel. That remote location required that they always see the same IP coming towards them so the above is a SNAT rule with that object being the IP that they want to see coming towards them.

Hope thats clear =]

Cisco ASA 5508-X - Issue with Split-tunnel

AnyConnect Split Tunneling (Local Lan Access, Split Tunneling, Static & Dynamic (domain)

What about split tunnelling?

Dynamic Split Tunneling in AnyConnect VPN

FlexConnect Split Tunneling

Configure ASA/AnyConnect Dynamic Split Tunneling