
Dynamic Split Tunneling or ACL with FQDNs

Myky
Level 1

Hi guys,

ASA and AnyConnect are new to me.

There is a requirement to inject dynamic IP address(es), based on the DNS lookups for a specific website, into the AnyConnect tunnel. Which of the above-mentioned techniques is best for this?

Thanks,

myky


4 Replies

@Myky you configure the FQDNs when configuring dynamic split tunneling; these are resolved when accessed and, if matched, the traffic is split-tunnelled and not routed through the VPN. Example.

@Rob Ingram thanks so much for your reply. In my case, I actually want to include/inject that dynamically resolved IP into the tunnel.

Ok, so dynamic split-tunnel will do the trick then. Will it work in conjunction with the already existing "split-tunnel-network-list" ACL:

group-policy GROUP-POLICY attributes
 dns-server value x.x.x.x
 vpn-session-timeout 720
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUN
 default-domain value ads
 client-bypass-protocol enable
 address-pools value POOL
 webvpn


Thanks,

myky

@Myky yes, I don't see why not - I've seen nothing to say you cannot. The example in this guide uses split tunnel and dynamic split tunnel on the same group-policy.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215383-asa-anyconnect-dynamic-split-tunneling.html
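To show what "static split-include ACL plus dynamic split-include domains on the same group-policy" looks like end to end, here is an added illustration (not Rob's text and not a copy of the Cisco guide). It reuses Myky's GROUP-POLICY and SPLIT-TUN names, assumes a hypothetical domain list name INCLUDE-FQDNS and constructed placeholder domains and subnet, and follows the ASA anyconnect-custom-attr / anyconnect-custom-data / anyconnect-custom keyword pattern, which you should confirm against the guide for your ASA and AnyConnect versions.

```text
! Static split-include list: these subnets are always sent through the tunnel
! (constructed example subnet)
access-list SPLIT-TUN standard permit 10.0.0.0 255.0.0.0

! Declare the dynamic split-include custom attribute type once, under webvpn
webvpn
 anyconnect-custom-attr dynamic-split-include-domains description FQDNs resolved on the client and tunnelled

! The FQDN list (hypothetical name, placeholder domains). AnyConnect resolves these
! on the client at access time and adds the returned addresses to the tunnel, so
! the tunnel decision depends on the client's DNS answer, not on a fixed ACL entry
anyconnect-custom-data dynamic-split-include-domains INCLUDE-FQDNS app.example.com,portal.example.net

! The existing group-policy keeps its static ACL and gains the dynamic list
group-policy GROUP-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUN
 anyconnect-custom dynamic-split-include-domains value INCLUDE-FQDNS
```

On the client, the AnyConnect statistics window's Route Details view lists the dynamically resolved inclusions alongside the static secured routes, which is the quickest way to confirm the policy was delivered and that the FQDN resolved to the addresses you expected.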


Thanks Rob!