How to configure Cisco to access some sites through secured routes

alex lascu (Level 1)

Hello.

I have a Cisco Firepower 1000 configured with split-tunnel VPN.
I want to be able to access 2 external websites through the Cisco ASA (just as the internal servers in my company are accessed), and all other connections to the Internet to go as before through my home Internet provider.
Thanks for any suggestions.

14 Replies

Pavan Gundu (Cisco Employee)

If your external websites have fixed public IP addresses, you can just include them in your split ACL entries. If they are not fixed and they change, you can use the AnyConnect Dynamic Split Include feature, which is shown in the link below:

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/configure_vpn.html#task_v4x_ydm_pbb

Thanks for your answers.
My external websites do not have fixed public IP addresses.
I added them to the dynamic-split-include-domains list, and I can see these sites are added in AnyConnect under "Dynamic Tunnel Inclusion", but I can't access them via HTTP or ping.
All other sites are working.

What am I doing wrong?

I think I must read more.

Have you also added a NAT rule for U-turn traffic, as mentioned earlier by MHM?

I tried, but I probably don't understand exactly what to do. I'm still reading about U-turn.

You need split VPN with U-turn NATing.

I read and tried some scenarios without success.
Can you be a little clearer?
Thanks!

alex lascu (Level 1)

Thanks

I tried to follow the guide, but something is missing or I don't understand it.
I have added 2 network objects as in the screenshots below.
My Cisco ASA internal IP is 172.17.200.118 and the IP obtained by AnyConnect is 10.10.20.45.

Sorry for the late reply.

There are three categories of NAT; whichever one you select, you must select a network object.

[attachment: Screenshot (52).png]

Thanks for your answer.

Yes. I added those rules with Add "Network Object" NAT rule (please see the captures below).

[attachments: alexlascu_1-1688972531606.png, alexlascu_0-1688972483339.png, rules.jpg]

Friend, what are these IPs you use in the object group?
10.10....
172.17.....

172.17.0.0/32 is the network range of the internal company network.

172.17.200.118 is the internal IP of the Cisco Firepower.

10.10.20.0/24 is the VPN pool that is given to the AnyConnect clients.
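The two pieces asked for earlier in the thread, Pavan's Dynamic Split Include suggestion and the U-turn NAT that MHM says is required, written out together on the ASA CLI using the addresses given in this post. This is an added example, not configuration from the original thread or from Cisco's guide. It assumes the Firepower 1000 is running ASA software (the thread talks about ASA and ASDM), that the interfaces are named "inside" and "outside", and that the internal network is 172.17.0.0/16 (a /32 cannot be a network range, so the mask is an assumption). The object names VPN_POOL, INSIDE_NET, SPLIT_TUNNEL, DSI_SITES, the group-policy name GP_SPLIT and the domains example.com and example.net are placeholders.

```text
! Added example, not from the thread. Interface names, object/policy names,
! the domain list and the 172.17.0.0/16 mask are assumptions.

! 1. Hairpinning: let a flow enter and leave the same (outside) interface.
!    Without this, VPN-client traffic headed back out to the Internet is dropped.
same-security-traffic permit intra-interface

! 2. Objects for the AnyConnect pool and the internal network
object network VPN_POOL
 subnet 10.10.20.0 255.255.255.0
object network INSIDE_NET
 subnet 172.17.0.0 255.255.0.0

! 3. Static split-include list: the company network always goes into the tunnel
access-list SPLIT_TUNNEL standard permit 172.17.0.0 255.255.0.0

! 4. Dynamic split include (AnyConnect 4.x custom attribute). The client
!    resolves these names at connect time and routes the resulting addresses
!    into the tunnel; everything else still uses the home ISP.
webvpn
 anyconnect-custom-attr dynamic-split-include-domains description Dynamic split include
anyconnect-custom-data dynamic-split-include-domains DSI_SITES example.com,example.net

! 5. Group policy: include-type split tunneling plus the dynamic list
group-policy GP_SPLIT internal
group-policy GP_SPLIT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 anyconnect-custom dynamic-split-include-domains value DSI_SITES

! 6. NAT. Manual (twice) NAT rules are evaluated top to bottom, so the identity
!    rule must sit above any inside-to-outside dynamic PAT rule the box already has.
!    6a. Identity NAT: VPN <-> inside traffic is not translated.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!    6b. U-turn: pool traffic that re-enters the Internet through the ASA is
!        PATed to the outside interface address. This is the rule that is
!        missing when the dynamically included sites show up in the client
!        but cannot be reached, while everything else still works via the ISP.
nat (outside,outside) source dynamic VPN_POOL interface
```

To check it, connect a client and browse one of the included sites, then run `show nat detail` on the ASA: the translate_hits counter on the `(outside,outside)` rule should climb. `packet-tracer input outside tcp 10.10.20.45 12345 <site-ip> 443` shows which NAT rule and egress interface the flow actually hits, which is the quickest way to see whether the U-turn rule is matched or an earlier object NAT rule is catching the traffic first. Changes to the group policy and the dynamic-split domain list only take effect when the client reconnects.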

Pavan Gundu (Cisco Employee)

When you are connected to the headend, is the client able to talk to the Internet? i.e. does ping 8.8.8.8 work for the client?

Posting the output of `sh run nat` would also help

Thanks for your answer.

When I am connected to the internal VPN I can ping 8.8.8.8 and I can browse any site except for the ones included in Dynamic Tunnel Inclusion.

Please see below some captures from AnyConnect and the `sh run nat` output.

[attachments: nat.png, route details.png, statistics.png]