FirePower AnyConnect Split Tunneling (Hair Pinning) per User

122
Level 1

Hello there,

I got two FirePower 1140s and we currently use a split tunneling configuration. But I would like to define a full tunnel for specific users. Is there a way? I searched in this forum but I only found this method for certain domains.


Kind regards and thanks for any help

10 Replies

You can use group-alias:
one group has a group-policy with full tunnel,
the other group has a group-policy with split tunnel.

Thanks A Lot
MHM

@122 a couple of options. You could dynamically via RADIUS apply a different group policy to the specific users, this group policy would have split tunnel configured. Users that do not require split tunneling would receive the normal group policy configured under the connection profile that does not have split tunnel configured.

Alternatively you could use a different connection profile for the specific users that has split tunnel configured.

Thanks for the fast reply. But I would like all users to use the same gateway URL, so another profile would not work for me.

https://integratingit.wordpress.com/2022/03/23/asa-group-url-and-alias/

There are two methods, URL and group-alias (this is what I suggest),
so even if you use the same GW URL you can use group-alias and have each user select their group.

Thanks A Lot
MHM

@122 then the first option I suggested, dynamically assigning a different group policy (either via RADIUS or LDAP) can still use the same connection profile.

I am now at the NPS where I would like to configure the "Manufacturer specific" flag. Currently it is set to "acl=acl-vpnlan". How do I use a group policy instead of an ACL? Kind regards

@122 use the RADIUS attribute 25 to map the group-policy; the returned value in the NPS policy must match the exact name of the group-policy as defined on the FTD.

Refer to this guide on how to configure NPS: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html
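To make the two suggestions in this thread concrete (MHM's group-alias approach and Rob Ingram's RADIUS-assigned group policy), here is an added example in ASA running-config syntax; it is not configuration from any poster or from Cisco's guide. On an FTD the same objects are built in FMC and show up in this form in "show running-config". The policy, profile and server names, the 10.0.0.0/8 split network and the 192.0.2.10 NPS address are all made up, and the exact format NPS must return in attribute 25 (the ASA documentation writes it as OU=<group-policy>;) is an assumption to be checked against the linked guide. Pick one of the two options; both are shown here only so they can be compared side by side.

```cisco
! Added example, not from the thread or from Cisco: ASA-syntax config for the
! two per-user full-tunnel approaches discussed above. All names, addresses
! and the RADIUS server are hypothetical.

! Split-tunnel network list: only these prefixes go through the tunnel
access-list SPLIT-NETS standard permit 10.0.0.0 255.0.0.0

! Group policy for users that keep the current split-tunnel behaviour
group-policy GP-SPLIT internal
group-policy GP-SPLIT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-NETS

! Group policy for users whose traffic must all be hair-pinned through the
! firewall (full tunnel, no split-tunnel list)
group-policy GP-FULL internal
group-policy GP-FULL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall

! ---- Option A (group-alias): two connection profiles behind ONE gateway URL;
! ---- the user picks the alias from the AnyConnect drop-down
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
tunnel-group RA-SPLIT type remote-access
tunnel-group RA-SPLIT general-attributes
 default-group-policy GP-SPLIT
tunnel-group RA-SPLIT webvpn-attributes
 group-alias "Split Tunnel" enable
tunnel-group RA-FULL type remote-access
tunnel-group RA-FULL general-attributes
 default-group-policy GP-FULL
tunnel-group RA-FULL webvpn-attributes
 group-alias "Full Tunnel" enable

! ---- Option B (RADIUS attribute 25): ONE connection profile, no user choice.
! ---- NPS authenticates the user and returns the Class attribute carrying the
! ---- group-policy name; users without that attribute fall back to the
! ---- default-group-policy below. Assumption: the value is sent as OU=GP-FULL;
aaa-server NPS protocol radius
aaa-server NPS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group NPS
 default-group-policy GP-SPLIT
```

With either option, "show vpn-sessiondb anyconnect filter name <user>" on the firewall shows which tunnel group and group policy a session actually landed in, which is the quickest way to confirm that a given user was moved to GP-FULL rather than silently falling back to the split-tunnel default.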


As @Rob Ingram mentioned, you can use different connection profiles where each one would be associated to its respective group policy. If you don't have a RADIUS server such as ISE on your network and you authenticate the users via certificates then you can create multiple AnyConnect profiles and push them to the users. In that case the users will be automatically connected to their connection profile without any manual intervention. However, if the authentication is via username and password, then the users would need to select the right connection profile from AnyConnect dropdown menu.

Hello Aref,

So that the users are not confused, I would like all users to use the same link/profile. So I think I will look into the RADIUS server to solve this issue.

If you rely on AnyConnect profiles that will be pushed to the users' endpoints, the connection will happen automatically based on the profile configuration. The users don't have to do anything; they just need to wait for the connection to be established, and they will be taken directly to their respective connection profile.