Dynamic Split Inclusion Implemented but Sites Don't Load

FeddyKreuger
Level 1

Hi all,

I'm stuck here... we have split tunneling so most traffic doesn't go through our company VPN. I implemented dynamic split include for some external URLs that need to go through our VPN (as access to these URLs is only allowed from the company network) in our Cisco ASA, and it shows those dynamic split include URLs in the Cisco AnyConnect client under Route Details/Secured Routes... which means they're forced through the VPN. Unfortunately, those URLs become unpingable for some reason once they are included in dynamic tunnel inclusion. I remove the dynamic split inclusion and they're reachable again... but that doesn't do me much good, as the website greets me with the message saying I can only log in from their approved network list... which dynamic split inclusion was supposed to solve if it worked.

I tried a few other random sites and got the same result... anything I add for dynamic split inclusion becomes unreachable. I saw one recommendation that you need to "Enable traffic between two or more interfaces/hosts" in Interface Settings, but that's already enabled (both options). Any thoughts here on why the dynamic split include URLs become unreachable?

1 Accepted Solution: Rob's reply below (dynamic Auto NAT for the VPN pool, outside to outside, with intra-interface traffic permitted).

6 Replies

@FeddyKreuger do you have a NAT rule for this traffic that is tunneled back to the ASA? You'd need a dynamic Auto NAT rule with the source as <outside interface name>

Thanks Rob, makes sense, but now I'm trying to wrap my head around applying it just to that traffic. So the source is <outside interface name>, but what is the source address range? The private IP range issued to VPN users? So you're translating the private VPN IP range that's now getting tunneled back to the ASA via dynamic tunnel inclusion to have a source address of our public IP when it makes its U-turn back outside our network to get to those sites?

@FeddyKreuger correct.

The source address range would be the VPN pool network range. Example CLI configuration:

object network RAVPN_USERS
 subnet 10.4.4.0 255.255.255.0
 nat (outside,outside) dynamic interface

 It sounds like you've already enabled same-security-traffic permit intra-interface from ASDM, this is required to hairpin the traffic.

You're not translating the source address?  I'm doing it through ASDM and for Action the Source and Destination address remain original?  Looks that way per your CLI?

@FeddyKreuger the source address subnet (10.4.4.0/24) is hidden behind the outside interface. You need to select Dynamic Auto NAT - source interface OUTSIDE, destination interface OUTSIDE, source network RAVPN Pool and destination interface.

Sweet, working... CLI makes more sense at times. Thanks a bunch Rob!
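Pulling Rob's replies together with the poster's existing dynamic split include setup, here is the complete ASA CLI for the hairpin plus the commands used to verify it. This is an added example, not configuration from the thread or from Cisco; the interface name `outside`, the pool `10.4.4.0/24`, the object name `RAVPN_USERS`, the group policy `GP_RAVPN`, the split ACL `SPLIT_ACL`, the custom-data name `hairpin_sites`, the domains `portal.example.com` and `sso.example.com`, and the test addresses `10.4.4.10` and `203.0.113.10` are all assumed placeholders.

```cisco
! Added example: hairpin NAT for AnyConnect dynamic split include on an ASA.
! All names, addresses and domains below are placeholders, not from the thread.

! 1. Let traffic enter and leave the same interface (outside -> outside).
!    Without this the tunnelled flows are dropped at the interface; this is the
!    "Enable traffic between two or more hosts connected to the same interface"
!    checkbox in ASDM.
same-security-traffic permit intra-interface

! 2. Split tunneling plus dynamic split include (the part the poster already had).
!    Domains listed here are resolved on the client and routed into the tunnel.
access-list SPLIT_ACL standard permit 10.0.0.0 255.0.0.0
webvpn
 anyconnect-custom-attr dynamic-split-include-domains description Domains forced into the tunnel
anyconnect-custom-data dynamic-split-include-domains hairpin_sites portal.example.com,sso.example.com
group-policy GP_RAVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
 anyconnect-custom dynamic-split-include-domains value hairpin_sites

! 3. The missing piece from the thread: Auto NAT that hides the VPN pool behind
!    the outside interface address when the flow U-turns back out. The remote
!    site then sees the ASA's public IP, which is what its allow list expects.
object network RAVPN_USERS
 subnet 10.4.4.0 255.255.255.0
 nat (outside,outside) dynamic interface

! 4. Optional: if you test with ping, let the ASA track ICMP through the PAT so
!    echo replies are matched back to the client's request.
policy-map global_policy
 class inspection_default
  inspect icmp

! 5. Verify: simulate a pool client (10.4.4.10) reaching a hairpinned site
!    (203.0.113.10:443) arriving on the outside interface. Expect a NAT phase
!    translating 10.4.4.10 to the outside interface address and "Action: allow".
packet-tracer input outside tcp 10.4.4.10 40000 203.0.113.10 443 detailed
show nat detail
show xlate | include 10.4.4.10
```

Two caveats worth keeping in mind once this works. Decrypted VPN traffic bypasses the outside interface ACL by default (`sysopt connection permit-vpn`), so the hairpinned flows are not filtered by that ACL; if only the allow-listed sites should be reachable this way, restrict the group policy with a `vpn-filter` ACL, or replace the Auto NAT rule with a manual NAT rule that names the destination objects. And because the translation is a PAT to the interface address, every VPN user shares the ASA's public IP toward those sites, which is exactly what the destination's network allow list relies on; an identity or static NAT would not achieve that.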