DACLs and Dynamic Split Tunnelling

adfrad
Level 1

DACLs oh how I love them.

We have lots of users requiring specific routes for their projects, and we have set up DACLs based upon the connection profile. It works well, works across multiple VPN endpoints and can be comprehended by my little brain.

With the upsurge in bandwidth from everyone working from home, I have been spending time trying to make Dynamic Split Tunnelling work, which it does, until the DACLs get involved and overwrite all the DST configuration.

Is it possible to get them both working at the same time?

3 Replies

Can you please explain more on what you are looking for?

Sure

The ultimate aim is to have an AnyConnect Profile which will have DST set up to allow direct connection to trusted external sites (e.g. Office 365); everything else should go down the VPN.

The complication arises in that I have approx 15 AnyConnect Profiles, and each one requires a unique IP range and route (this is to allow users to connect to specific services on IPSEC VPNs).

At the moment, we use the AnyConnect ASA config to assign the IP range, and the ISE to assign routes via DACLs (based on the profile name).

When we try to use DST without the DACLs, DST works. As soon as we enable the DACLs, we lose DST.

Hope that's a little clearer

Hi,

My recommendation on DST is to avoid it if you can, unless your boxes are overloaded with a number of connections. If you continue with it, you should expect intermittent Outlook disconnections, Teams disconnections, intermittent failures to join Teams meetings, and intermittent failures on desktop shares. This is the conclusion after thorough testing. Also, this is the reason for your problem, because some traffic still goes over the tunnel even with DST on.

If you still want to continue, you can configure your DACLs as follows:

1. Allow user-based traffic.
2. Deny all traffic explicitly from the VPN pool range to RFC1918 subnets.
3. Allow any any to ports 443 and 80.

***** please remember to rate useful posts
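The three-step DACL from the reply above, modelled as an added example that is not part of the thread or any Cisco configuration: the ACL lines are written in simplified Cisco-style syntax (CIDR instead of wildcard masks) and evaluated first-match with the implicit deny at the end, so you can check what a given flow would hit. The VPN pool (10.200.0.0/24), the project route (172.31.5.0/24) and the public address are constructed placeholders.

```python
import ipaddress

# Constructed values, not from the thread.
VPN_POOL = "10.200.0.0/24"
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# DACL in the order the reply recommends. Format per line:
#   <permit|deny> <ip|tcp|udp> <src|any> <dst|any> [eq <port>]
DACL = [
    # 1. user/project-specific route first (destination sits inside RFC1918,
    #    so it must come before the explicit deny in step 2)
    "permit ip 10.200.0.0/24 172.31.5.0/24",
    # 2. explicit deny from the VPN pool to every RFC1918 range
    *[f"deny ip {VPN_POOL} {net}" for net in RFC1918],
    # 3. web traffic that DST sends direct (and whatever still lands in the tunnel)
    "permit tcp any any eq 443",
    "permit tcp any any eq 80",
]


def _match_net(spec, addr):
    """'any' or CIDR membership test for one address."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def evaluate(dacl, proto, src, dst, dport):
    """First-match evaluation of a flow; unmatched flows hit the implicit deny."""
    for line in dacl:
        parts = line.split()
        action, lproto, lsrc, ldst = parts[:4]
        lport = int(parts[5]) if len(parts) > 5 and parts[4] == "eq" else None
        if lproto != "ip" and lproto != proto:   # "ip" matches any protocol
            continue
        if lport is not None and lport != dport:  # port only checked when given
            continue
        if _match_net(lsrc, src) and _match_net(ldst, dst):
            return action
    return "deny"  # implicit deny at the end of every ACL


if __name__ == "__main__":
    for flow in [("tcp", "10.200.0.5", "172.31.5.10", 22),     # project route
                 ("tcp", "10.200.0.5", "192.168.1.20", 443),   # internal web
                 ("tcp", "10.200.0.5", "203.0.113.10", 443),   # public web
                 ("udp", "10.200.0.5", "203.0.113.10", 53)]:   # unmatched
        print(flow, "->", evaluate(DACL, *flow))
```

Swapping steps 1 and 2 makes the project route fall into the RFC1918 deny, which is the ordering mistake to check for when a per-profile route stops working after the deny lines are added.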