02-20-2023 01:42 PM
Hello.
Goal: To add host 1.1.1.1 to an anyconnect split-tunnel.
My below code is not working:
---
object-group network VENDOR1-GROUP
network-object host 1.1.1.1
access-list Split_Tunnel extended permit ip object-group VENDOR1-GROUP object VPN-Pool
---
Questions:
1. Can you tell me why this is not working?
2. Can you please write corrected code?
Thank you.
02-20-2023 01:48 PM
@jmaxwellUSAF are you referencing the split tunnel ACL in the group policy and configured to tunnel specified?
group-policy POLICYNAME attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_tunnel
02-20-2023 02:01 PM - edited 02-20-2023 02:05 PM
(I think) yes, correct...
group-policy DfltGrpPolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel
How do I determine which group policy this Anyconnect VPN is mapped to?
02-20-2023 02:05 PM - edited 02-20-2023 02:07 PM
@jmaxwellUSAF and is that the group-policy that has been assigned to the session? show vpn-sessiondb detail anyconnect will tell you the applied group-policy for that user.
As you've reconfigured the default group-policy that will only be applied if you have not explicitly referenced that group-policy under the tunnel-group.
Ideally you'd use a standard ACL, as mentioned before the destination object is ignored.
02-20-2023 02:11 PM
(always obfuscated)
ASA-5525# show vpn-sessiondb detail anyconnect
Group Policy : HAWAII_VPN Tunnel Group : Enterprise-Employee
02-20-2023 02:17 PM
@jmaxwellUSAF and what is the configuration of the HAWAII_VPN group-policy, is it configured for split tunnel as well or ?
Check the "Route Details" tab in AnyConnect, is the route in the "Secured routes"?
02-20-2023 02:31 PM
My enterprise does not allow me to use the ASDM.
Below is pruned from "sh run"...
group-policy Hawaii_VPN internal
group-policy Hawaii_VPN attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel
client-bypass-protocol enable
02-20-2023 02:41 PM
@jmaxwellUSAF Check the "Route Details" tab in AnyConnect, is the route or any other routes defined in the split_tunnel ACL in the "Secured routes"?
02-20-2023 02:54 PM
"Check the "Route Details" tab in AnyConnect"
My enterprise does not allow me to use the ASDM.
Below is pruned from "sh run"...
group-policy Hawaii_VPN internal
group-policy Hawaii_VPN attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel
client-bypass-protocol enable
02-20-2023 02:57 PM
@jmaxwellUSAF AnyConnect is the VPN client, I am not referring to ASDM. I want to know if when the user is logged onto the VPN, whether the AnyConnect client has received the split tunnel routes.
Example:
02-20-2023 03:06 PM
Yes, the route is verified visible in the vpn client gui.
02-20-2023 03:13 PM
@jmaxwellUSAF so is this traffic routed back to the ASA then?
Do you have the relevant configuration to allow access - a NAT exemption rule from RAVPN users to object 1.1.1.1
Or is this an internet resource tunneled back to the ASA? If so configure - same-security-traffic permit intra-interface and a NAT rule to allow RAVPN users to access the internet.
object network RAVPN
subnet 192.168.10.0 255.255.255.0
nat (outside,outside) dynamic interface
02-20-2023 04:01 PM
Anyconnect VPN workers need to access VENDOR1 site at 1.1.1.1.
I think above code you mention is already installed. (I understand the reason for that code, I don't understand exactly if my specific code needs specific adjustments to the above familiar code.)
There exist many exemptions like this in the Split tunnel. Clearly I'm configuring this wrong for 1.1.1.1. I tried to reverse-engineer old code, but I'm failing.
What is my next troubleshoot step to fix this?
02-21-2023 06:39 PM - edited 02-21-2023 06:46 PM
I figured it out. Success confirmed.
Code that yielded success...
object network VENDOR1
host 1.1.1.1
object-group network ANYCONNECT-VPN-VENDOR-OBJECTS
network-object object VENDOR1
nat (Inside,Outside) source static ANYCONNECT-VPN-VENDOR-OBJECTS ANYCONNECT-VPN-VENDOR-OBJECTS destination static ANYCONNECT-POOL ANYCONNECT-POOL
access-list Split_Tunnel extended permit ip host 1.1.1.1 object ANYCONNECT-POOL
---
TASK COMPLETE.
Thank all of you for your valuable help.
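The thread's diagnosis came down to two checks: the split-tunnel ACL named under the group-policy that is actually applied to the session must exist (names are compared literally, so `Split_tunnel` and `Split_Tunnel` are not the same list), and each destination in that ACL needs an identity (no-translation) NAT rule paired with the AnyConnect pool. The script below is an added example, not code from the thread or from Cisco; it parses a constructed `show run` excerpt with the object, ACL, NAT and group-policy names used above and reports any tunneled destination that lacks a NAT exemption. It handles the extended-ACL form the thread uses and the standard-ACL form the replies recommend; the sample config and the second vendor host `2.2.2.2` are invented to show a failing case.

```python
from ipaddress import ip_network

# Constructed sample config (not from a real device). VENDOR2 is deliberately
# listed in the split-tunnel ACL without a matching NAT exemption.
SAMPLE_CONFIG = """
object network ANYCONNECT-POOL
 subnet 192.168.10.0 255.255.255.0
object network VENDOR1
 host 1.1.1.1
object network VENDOR2
 host 2.2.2.2
object-group network ANYCONNECT-VPN-VENDOR-OBJECTS
 network-object object VENDOR1
access-list Split_Tunnel extended permit ip host 1.1.1.1 object ANYCONNECT-POOL
access-list Split_Tunnel extended permit ip object VENDOR2 object ANYCONNECT-POOL
nat (Inside,Outside) source static ANYCONNECT-VPN-VENDOR-OBJECTS ANYCONNECT-VPN-VENDOR-OBJECTS destination static ANYCONNECT-POOL ANYCONNECT-POOL
group-policy Hawaii_VPN internal
group-policy Hawaii_VPN attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel
"""


def parse_config(text):
    """Collect the split-tunnel-relevant pieces of 'show run' output."""
    cfg = {"objects": {}, "groups": {}, "acls": {}, "nat": [], "policies": {}}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        tok = line.split()
        if not line.startswith(" "):           # top-level statement
            current = None
            if tok[:2] == ["object", "network"]:
                current = cfg["objects"].setdefault(tok[2], [])
            elif tok[:2] == ["object-group", "network"]:
                current = cfg["groups"].setdefault(tok[2], [])
            elif tok[0] == "group-policy" and tok[-1] == "attributes":
                current = cfg["policies"].setdefault(tok[1], {})
            elif tok[0] == "access-list" and "permit" in tok:
                i = tok.index("permit")
                # extended entries carry a protocol after 'permit'; standard ones do not
                cfg["acls"].setdefault(tok[1], []).append(tok[i + 1:] if tok[2] == "standard" else tok[i + 2:])
            elif tok[0] == "nat" and tok[2:4] == ["source", "static"] and tok[6:8] == ["destination", "static"]:
                if tok[4] == tok[5] and tok[8] == tok[9]:   # identity twice NAT = exemption
                    cfg["nat"].append((tok[4], tok[8]))
            continue
        if isinstance(current, list):          # object / object-group member
            current.append(tok)
        elif isinstance(current, dict):        # group-policy attribute
            if tok[0] == "split-tunnel-policy":
                current["policy"] = tok[1]
            elif tok[0] == "split-tunnel-network-list":
                current["acl"] = tok[2]
    return cfg


def networks(term, cfg):
    """Resolve an ASA address term (token list) to a set of ip_network values."""
    kw = term[0]
    if kw == "network-object":
        return networks(term[1:], cfg)
    if kw in ("any", "any4"):
        return {ip_network("0.0.0.0/0")}
    if kw == "host":
        return {ip_network(term[1])}
    if kw == "subnet":
        return {ip_network(f"{term[1]}/{term[2]}")}
    if kw in ("object", "object-group"):
        table = cfg["objects"] if kw == "object" else cfg["groups"]
        return set().union(*(networks(m, cfg) for m in table.get(term[1], [])))
    return {ip_network(f"{term[0]}/{term[1]}")}   # bare 'A.B.C.D M.M.M.M'


def by_name(name, cfg):
    """Resolve a name that may be either an object or an object-group."""
    return networks(["object-group" if name in cfg["groups"] else "object", name], cfg)


def check_split_tunnel(text, policy_name, pool_object):
    """Return a list of findings; an empty list means the checks passed."""
    cfg = parse_config(text)
    findings = []
    pol = cfg["policies"].get(policy_name, {})
    if pol.get("policy") != "tunnelspecified":
        findings.append(f"{policy_name}: split-tunnel-policy is {pol.get('policy')!r}, expected tunnelspecified")
    acl = pol.get("acl")
    if acl not in cfg["acls"]:
        findings.append(f"{policy_name}: split-tunnel-network-list {acl!r} is not a defined access-list")
        return findings
    pool = networks(["object", pool_object], cfg)
    exempt = set()                             # networks covered by an identity NAT rule with the pool
    for src, dst in cfg["nat"]:
        src_n, dst_n = by_name(src, cfg), by_name(dst, cfg)
        if src_n & pool or dst_n & pool:       # the pool may sit on either side of the rule
            exempt |= src_n | dst_n
    for entry in cfg["acls"][acl]:
        src_len = 1 if entry[0].startswith("any") else 2
        for net in networks(entry[:src_len], cfg):   # for split tunneling only the source term matters
            if not any(net.subnet_of(e) for e in exempt):
                findings.append(f"{acl}: {net} is tunneled but has no NAT exemption with {pool_object}")
    return findings


if __name__ == "__main__":
    for f in check_split_tunnel(SAMPLE_CONFIG, "Hawaii_VPN", "ANYCONNECT-POOL") or ["OK"]:
        print(f)
```

Feed it the real `show run` text and the group-policy name reported by `show vpn-sessiondb detail anyconnect`; the policy check catches the mistake of editing `DfltGrpPolicy` while the session uses another policy, and the NAT check flags exactly the gap the accepted answer closed with its `nat ... source static ... destination static ANYCONNECT-POOL ANYCONNECT-POOL` rule.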
02-20-2023 02:03 PM
My below code is not working: <<- can we know what you get when you enter command ??