07-04-2023 01:40 AM
Hello.
I have a Cisco Firepower 1000 configured with SPLIT VPN.
I want to be able to access 2 external websites through the Cisco ASA (just as the internal servers in my company are accessed), and all other connections to the Internet to be accessed as before through my home Internet provider.
Thanks for any suggestions.
07-04-2023 07:28 AM
If your external websites have fixed public IP addresses, you can just include them in your SPLIT ACL entries. If they are not fixed, and they change, you can use the AnyConnect Dynamic Split Include feature, which is shown in the link below.
07-05-2023 12:42 AM
Thanks for your answers.
My external websites do not have fixed public IP addresses.
I added them to the dynamic-split-include-domains list, and I can see these sites are added in AnyConnect under "Dynamic Tunnel Inclusion", but I can't access them via HTTP or ping.
All other sites are working.
What am I doing wrong?
I think I must read more.
07-05-2023 01:04 AM
07-05-2023 01:29 AM
I tried, but I probably don't understand exactly what to do. I'm still reading about U-turn.
07-04-2023 08:08 AM
You need split VPN with U-turn NATing.
07-05-2023 01:35 AM
I read and tried some scenarios without success.
Can you be a little more clear?
Thanks!
07-05-2023 01:40 AM
This link explains all cases of U-turn.
07-07-2023 12:45 AM
07-08-2023 12:34 AM
Sorry for the late reply.
There are three categories of NAT;
whichever one you select, you must select a network object.
07-10-2023 12:03 AM
Thanks for your answer.
Yes. I added those rules with Add "Network Object" NAT rule (please see the captures below).
07-10-2023 01:08 AM
Friend,
what are these IPs you use in the object group??
10.10....
172.17.....
07-10-2023 01:20 AM
172.17.0.0/32 is the network range from the internal company network.
172.17.200.118 is the internal IP of Cisco Firepower.
10.10.20.0/24 is the VPN pool that is given to the AnyConnect clients.
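To make the "split VPN with U-turn NAT" advice above concrete, here is an illustrative ASA-style configuration tying together the dynamic split include list and the hairpin NAT that lets tunneled traffic for those domains leave the firewall again towards the Internet. This is an added example, not configuration posted in the thread and not Cisco's own; it uses the VPN pool 10.10.20.0/24 from the thread, but the interface name `outside`, the group-policy name `GP_SPLIT`, the ACL name `SPLIT_ACL`, the custom-data name `include-list`, the /16 mask on the 172.17.0.0 internal range, and the domain names are assumptions. On a Firepower 1000 managed by FDM or FMC the same elements are entered through the UI (a manual NAT rule with source and destination interface both set to the outside interface), but the resulting `show run nat` output matches the NAT line below.

```cisco
! Added example (not from the thread). Assumed names: outside, GP_SPLIT,
! SPLIT_ACL, include-list, example.com / example.net.

! 1. Allow a flow that arrives on "outside" (inside the VPN tunnel) to be
!    routed back out of "outside" towards the Internet. Without this the
!    hairpinned packets are dropped even if NAT is correct.
same-security-traffic permit intra-interface

! 2. The AnyConnect address pool (value taken from the thread).
object network VPN_POOL
 subnet 10.10.20.0 255.255.255.0

! 3. U-turn (hairpin) NAT: VPN clients heading back out to the Internet are
!    translated to the outside interface address. Both interfaces are "outside".
nat (outside,outside) source dynamic VPN_POOL interface

! 4. Static split-include list: the internal range (/16 assumed here) plus any
!    external sites whose public IPs never change.
access-list SPLIT_ACL standard permit 172.17.0.0 255.255.0.0

! 5. Dynamic split include: domains whose IPs change are resolved by the client
!    and the resolved addresses are added to the tunnel at runtime.
webvpn
 anyconnect-custom-attr dynamic-split-include-domains description domains tunneled via VPN
anyconnect-custom-data dynamic-split-include-domains include-list example.com,example.net

! 6. Dynamic split include only works on top of a split-include (tunnelspecified)
!    policy, so both the ACL and the custom attribute are bound to the group policy.
group-policy GP_SPLIT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
 anyconnect-custom dynamic-split-include-domains value include-list
```

To check the hairpin path from the CLI, run `show nat` and confirm the `(outside,outside)` rule's translate_hits counter increases while a client is browsing an included site, and simulate one flow with `packet-tracer input outside tcp 10.10.20.5 40000 <resolved-site-ip> 443` (the client address and the placeholder site address are for illustration); the trace should end with an `ALLOW` result and show the NAT phase matching the rule above. If the trace is allowed but the site still fails, the usual remaining cause is name resolution: the client must be able to resolve the included domain, since the dynamic list is built from the client's own DNS answers.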
07-07-2023 08:10 AM
When you are connected to the headend, is the client able to talk to the Internet? i.e. does ping 8.8.8.8 work for the client?
Posting the output of `sh run nat` would also help.
07-10-2023 12:20 AM
Thanks for your answer.
When I am connected to the internal VPN, I can ping 8.8.8.8 and I can browse any site except for the ones included in Dynamic Tunnel Inclusion.
Please see below some captures from AnyConnect and the "sh run nat" output.