Route internet traffic over cisco anyconnect.

fwitron1981
Level 1

I have a Cisco ASA 9.5 and have configured Cisco AnyConnect for remote users. It is configured with split tunneling, in which all internet traffic is routed over the users' internet. Now we want to have all the internet traffic routed over the Cisco AnyConnect client so that all the internet traffic will go out of the corporate internet link.

Any thoughts? Can anyone support me on how to accomplish this?


This is the setup; let me know what needs to be changed to accomplish the request.

 

group-policy CiscoVPN internal
group-policy CiscoVPN attributes
wins-server value 192.168.110.x 192.168.110.x
dns-server value 192.168.110.x 192.168.110.x
dhcp-network-scope 172.31.4.0
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CiscoVPN_splitTunnelAcl

 

access-list CiscoVPN_splitTunnelAcl standard permit 10.1.12.0 255.255.255.0

Thanks All

1 Reply

Milos_Jovanovic
VIP Alumni

Hi @fwitron1981,

You need to change your split-tunnel policy from 'tunnelspecified' to 'tunnelall'. In this case, you'll no longer need the ACL 'CiscoVPN_splitTunnelAcl'. I would also advise restricting your VPN protocols to what is actually required. Assuming that you only use the SSL client, an example would look something like:

group-policy CiscoVPN attributes
wins-server value 192.168.110.x 192.168.110.x
dns-server value 192.168.110.x 192.168.110.x
dhcp-network-scope 172.31.4.0
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
no split-tunnel-network-list value CiscoVPN_splitTunnelAcl

Please remember that you now have to handle all traffic over this VPN gateway (e.g. routing, ACL, NAT, etc.). If traffic should also go to the internet directly from this gateway, then you'll need to configure U-turn. I would also advise creating a new tunnel-group/group-policy for testing this setup and, once you are happy with all parameters, you can go and modify your production group-policy.

BR,

Milos
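
A way to check a saved running-config for the points raised in this thread (split-tunnel mode, VPN protocols beyond what is required, and the `same-security-traffic permit intra-interface` setting that U-turn relies on), as an added example that is not part of either post. The `CiscoVPN_Test` policy, the sample addresses and the function names are assumptions made for illustration, and the parser assumes the one-space indentation of `show running-config` output.

```python
import re

# Constructed sample, shaped like `show running-config` output (sub-commands
# indented by one space); policy names follow the thread, addresses are made up.
SAMPLE_CONFIG = """\
same-security-traffic permit inter-interface
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
 dns-server value 192.0.2.10 192.0.2.11
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CiscoVPN_splitTunnelAcl
group-policy CiscoVPN_Test internal
group-policy CiscoVPN_Test attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
"""

def parse_group_policies(config):
    """Map each group-policy name to its {keyword: rest-of-line} attributes."""
    policies, current = {}, None
    for raw in config.splitlines():
        match = re.match(r"group-policy (\S+) attributes\s*$", raw)
        if match:
            current = policies.setdefault(match.group(1), {})
        elif current is not None and raw.startswith(" ") and raw.strip():
            keyword, _, rest = raw.strip().partition(" ")
            current[keyword] = rest
        else:
            current = None  # a top-level line closes the attributes block
    return policies

def audit(config, wanted_protocols=("ssl-client",)):
    """Return (policy, issue, detail) tuples for the points raised in the reply."""
    findings = []
    hairpin = re.search(r"^same-security-traffic permit intra-interface\s*$", config, re.M)
    for name, attrs in parse_group_policies(config).items():
        mode = attrs.get("split-tunnel-policy")  # None means inherited from a parent policy
        if mode in ("tunnelspecified", "excludespecified"):
            findings.append((name, "split-tunnel", mode))
        elif mode == "tunnelall" and not hairpin:
            # Only matters when clients exit to the internet via the same interface (U-turn).
            findings.append((name, "no-intra-interface", "U-turn traffic would be dropped"))
        extra = sorted(set(attrs.get("vpn-tunnel-protocol", "").split()) - set(wanted_protocols))
        if extra:
            findings.append((name, "extra-protocols", " ".join(extra)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=": ")
```
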