10-17-2022 06:06 PM
Hi all,
I'm stuck here...we have split tunneling so most traffic doesn't go through our company VPN. I implemented dynamic split include for some external URLs that need to go through our VPN (as access to these URLs is only allowed from the company network) in our Cisco ASA and it shows those dynamic split include URLs in the Cisco AnyConnect client under Route Details/Secured Routes....which means they're forced through the VPN. Unfortunately, those URLs become unpingable for some reason once they are included in dynamic tunnel inclusion. I remove the dynamic split inclusion and they're reachable again....but that doesn't do me much good as the website greets me with the message saying I can only login from their approved network list...which dynamic split inclusion was supposed to solve if it worked.
I tried a few other random sites and same result...anything I add for dynamic split inclusion becomes unreachable. I saw one recommendation that you need to "Enable traffic between two or more interfaces/hosts" in Interface Settings but that's already enabled (both options). Any thoughts here on why the dynamic split include URLs become unreachable?
10-18-2022 12:17 AM
@FeddyKreuger do you have a NAT rule for this traffic that is tunneled back to the ASA? You'd need a dynamic Auto NAT rule with the source as <outside interface name>
10-18-2022 06:39 AM
Thanks Rob, makes sense but now I'm trying to wrap my head around applying it just to that traffic. So the source is <outside interface name> but what is the source address range? The private IP range issued to VPN users? So you're translating the private VPN IP range that's now getting tunneled back to the ASA via dynamic tunnel inclusion to have a source address of our public IP when it makes its U-turn back outside our network to get to those sites?
10-18-2022 06:47 AM
@FeddyKreuger correct.
The source address range would be the VPN pool network range. Example CLI configuration:
object network RAVPN_USERS
 subnet 10.4.4.0 255.255.255.0
 nat (outside,outside) dynamic interface
It sounds like you've already enabled same-security-traffic permit intra-interface from ASDM, this is required to hairpin the traffic.
10-18-2022 07:28 AM
You're not translating the source address? I'm doing it through ASDM and for Action the Source and Destination address remain original? Looks that way per your CLI?
10-18-2022 07:37 AM
@FeddyKreuger the source address subnet (10.4.4.0/24) is hidden behind the outside interface. You need to select Dynamic Auto NAT - source interface OUTSIDE, destination interface OUTSIDE, source network RAVPN Pool and destination interface.
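As an added example (not from anyone in this thread), here is a small Python check that reads ASA running-config text and reports whether the two pieces Rob's answer calls out are present for every VPN pool: the global `same-security-traffic permit intra-interface` command, and an Auto NAT rule that hides the pool behind the outside interface with `nat (outside,outside) dynamic interface`. The embedded configs are constructed for illustration; the object, pool, group-policy and custom-attribute names (`RAVPN_USERS`, `RAVPN_POOL`, `RAVPN_GP`, `FORCE_IN`) and the domains are hypothetical. The working config also shows the dynamic split-include attribute wiring so the whole setup from the thread is visible in one place; the broken config drops only the NAT line to reproduce the "routed into the tunnel but unreachable" symptom.

```python
"""Check an ASA running-config for what dynamic split-include hairpinning needs:
'same-security-traffic permit intra-interface' plus an Auto NAT rule that hides
the VPN pool behind the outside interface. Added example; the config text is
constructed and all names in it are hypothetical."""
import ipaddress
import re

# Constructed sample: the minimal config that makes the thread's fix work.
WORKING_CONFIG = """\
same-security-traffic permit intra-interface
ip local pool RAVPN_POOL 10.4.4.1-10.4.4.254 mask 255.255.255.0
object network RAVPN_USERS
 subnet 10.4.4.0 255.255.255.0
 nat (outside,outside) dynamic interface
webvpn
 anyconnect-custom-attr dynamic-split-include-domains description Force listed domains through the tunnel
anyconnect-custom-data dynamic-split-include-domains FORCE_IN example.com,portal.example.net
group-policy RAVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
 anyconnect-custom-attr dynamic-split-include-domains value FORCE_IN
"""

# Constructed sample reproducing the original symptom: hairpin permitted, no NAT.
BROKEN_CONFIG = WORKING_CONFIG.replace(" nat (outside,outside) dynamic interface\n", "")


def parse_pools(config):
    """Return {pool_name: IPv4Network} for every 'ip local pool' line."""
    pools = {}
    pat = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
    for line in config.splitlines():
        m = pat.match(line)
        if m:
            name, start, _end, mask = m.groups()
            pools[name] = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
    return pools


def parse_network_objects(config):
    """Return {object_name: {'subnet': IPv4Network|None, 'nat': tuple|None}}.

    The 'nat' tuple is (source_if, dest_if, dynamic|static, rest_of_line)."""
    objects, current = {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
            objects[current] = {"subnet": None, "nat": None}
        elif current and line.startswith(" "):
            parts = line.split()
            if parts[0] == "subnet" and len(parts) == 3:
                objects[current]["subnet"] = ipaddress.IPv4Network(
                    f"{parts[1]}/{parts[2]}", strict=False)
            elif parts[0] == "nat":
                m = re.match(r"nat \((\S+),(\S+)\) (dynamic|static) (.+)", line.strip())
                if m:
                    objects[current]["nat"] = m.groups()
        else:
            current = None  # any non-indented line ends the object block
    return objects


def check_hairpin_nat(config, outside="outside"):
    """Return a list of findings; an empty list means both requirements are met."""
    findings = []
    if "same-security-traffic permit intra-interface" not in config.splitlines():
        findings.append("missing 'same-security-traffic permit intra-interface' (hairpin is blocked)")
    pools = parse_pools(config)
    if not pools:
        findings.append("no 'ip local pool' found; cannot determine the VPN address range")
        return findings
    objects = parse_network_objects(config)
    for pool_name, pool_net in pools.items():
        covered = any(
            o["subnet"] is not None and o["nat"] is not None
            and pool_net.subnet_of(o["subnet"])
            and o["nat"][0] == outside and o["nat"][1] == outside
            and o["nat"][2] == "dynamic" and o["nat"][3] == "interface"
            for o in objects.values()
        )
        if not covered:
            findings.append(
                f"pool {pool_name} ({pool_net}) has no 'nat ({outside},{outside}) dynamic interface' "
                "Auto NAT; tunneled traffic would leave with a private source address")
    return findings


if __name__ == "__main__":
    for label, cfg in (("working", WORKING_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_hairpin_nat(cfg) or "OK")
```

Paste the output of `show running-config` into `check_hairpin_nat` (or change `outside` if your interface nameif differs) to confirm both pieces are in place before testing reachability of a split-include site from a client.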
10-18-2022 08:07 AM
Sweet working.....CLI makes more sense at times. Thanks a bunch Rob!