Split Tunnel VPN & OSPF routes redistribution to Anyconnect Clients

DelfrCorp
Level 1

I've exhausted most of my ASA configuration knowledge and Google skills and am running out of ideas on something I would like to implement with our company's ASA-5516.


We primarily use OSPF in our LAN, including with our ASA firewall. I want to create a Split VPN profile for our Anyconnect clients that would redistribute all routes learned via OSPF by our ASA to the Anyconnect clients upon connection. We do not want to create a new Network object for every network in our LAN just to place them in an ACL and have to constantly re-groom said ACL any time a new network is added and an old one retired.


I need to basically create either a dynamic object group based on our OSPF routes, automatically update an ACL based on OSPF or otherwise inject OSPF routes to split VPN clients.


Any insights as to how this could be implemented and as to whether this is even possible?

Frederic Deleglise
Network Administrator
ImOn Communications
101 3rd Ave SW, Suite 300
Cedar Rapids, IA 52404
T (319) 200-4932
F (319) 261-4636
frederic.deleglise@ImOn.net
www.ImOn.net
3 Replies

The short answer is this can't be done with native features on ASA. AnyConnect routes on the client are based on split ACLs. Even if you manage to dynamically create object groups based on new routes using scripting outside ASA, your clients have to reconnect to get the new subnets.

Deepak Kumar
VIP Alumni

Hi,

There is an auto option in the ASA for the same. You have to go with a split ACL. I am not an expert in Python or other languages, but you can make some auto script which will export the routing table and add or remove the entries in a dynamic object group on the ASA. Keep in mind that the user will be required to reconnect to get new routes.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
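The script the reply above describes, as an added example for this thread (not code from the original posters or from Cisco): it reads the ASA's `show route` output, keeps only OSPF-learned prefixes, diffs them against the members of an object-group, and emits the `network-object` / `no network-object` lines that bring the group up to date. Assumptions not taken from the thread: the split-tunnel ACL is an extended ACL that references the object-group `SPLIT_TUNNEL_NETS`, so refreshing the group is enough; both inputs are passed in as strings, and fetching them from or pushing the result to the ASA (SSH, API, or an automation tool) is left out. The sample `show route` and object-group text are constructed, not captured from a real device.

```python
from __future__ import annotations

import ipaddress
import re

# Example code added for this thread, not from the original post or Cisco.
# Assumed (not from the thread): an extended split-tunnel ACL references this
# object-group, so keeping its members current is all that is needed.
GROUP_NAME = "SPLIT_TUNNEL_NETS"

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# ASA `show route` lines for OSPF-learned prefixes. The code column is O, O IA,
# O E1/E2 or O N1/N2, with a '*' after the O for a candidate default route.
OSPF_ROUTE_RE = re.compile(rf"^O\*?(?:\s?(?:IA|E[12]|N[12]))?\s+({IPV4})\s+({IPV4})\s")

# `network-object <net> <mask>` members of an object-group.
# (`network-object host ...` and `network-object object ...` are ignored here.)
NETWORK_OBJECT_RE = re.compile(rf"^\s*network-object\s+({IPV4})\s+({IPV4})\s*$")


def ospf_prefixes(show_route: str) -> set[ipaddress.IPv4Network]:
    """Prefixes the ASA learned via OSPF, as they should appear in the split list.

    The default route is dropped on purpose: pushing 0.0.0.0/0 through the
    split-tunnel list would silently turn the profile into a full tunnel.
    """
    prefixes: set[ipaddress.IPv4Network] = set()
    for line in show_route.splitlines():
        m = OSPF_ROUTE_RE.match(line)
        if not m:
            continue
        net = ipaddress.IPv4Network((m.group(1), m.group(2)))
        if net.prefixlen == 0:
            continue
        prefixes.add(net)
    return prefixes


def current_members(group_config: str) -> set[ipaddress.IPv4Network]:
    """Members already configured in the object-group (from `show run object-group`)."""
    members: set[ipaddress.IPv4Network] = set()
    for line in group_config.splitlines():
        m = NETWORK_OBJECT_RE.match(line)
        if m:
            members.add(ipaddress.IPv4Network((m.group(1), m.group(2))))
    return members


def group_update_commands(
    group: str,
    current: set[ipaddress.IPv4Network],
    desired: set[ipaddress.IPv4Network],
) -> list[str]:
    """Configuration lines that move the object-group from `current` to `desired`.

    Returns an empty list when nothing changed, so a caller can skip a no-op push.
    Removals are emitted before additions so retired networks never linger.
    """
    to_remove = sorted(current - desired)
    to_add = sorted(desired - current)
    if not to_remove and not to_add:
        return []
    cmds = [f"object-group network {group}"]
    cmds += [f"no network-object {n.network_address} {n.netmask}" for n in to_remove]
    cmds += [f"network-object {n.network_address} {n.netmask}" for n in to_add]
    return cmds


def plan_update(show_route: str, group_config: str, group: str = GROUP_NAME) -> list[str]:
    """End-to-end: routing table text + current group text -> config lines to apply."""
    return group_update_commands(group, current_members(group_config), ospf_prefixes(show_route))


# Constructed sample data (not captured from a real ASA).
SAMPLE_SHOW_ROUTE = """\
Codes: L - local, C - connected, S - static, O - OSPF, IA - OSPF inter area
Gateway of last resort is 10.1.1.3 to network 0.0.0.0

O*E2     0.0.0.0 0.0.0.0 [110/1] via 10.1.1.3, 00:01:02, inside
C        10.1.1.0 255.255.255.0 is directly connected, inside
L        10.1.1.1 255.255.255.255 is directly connected, inside
O        10.20.0.0 255.255.0.0 [110/20] via 10.1.1.2, 00:12:34, inside
O IA     10.30.1.0 255.255.255.0 [110/30] via 10.1.1.2, 00:12:34, inside
O E2     172.16.5.0 255.255.255.0 [110/20] via 10.1.1.3, 00:01:02, inside
"""

SAMPLE_GROUP_CONFIG = """\
object-group network SPLIT_TUNNEL_NETS
 network-object 10.20.0.0 255.255.0.0
 network-object 10.99.0.0 255.255.0.0
"""

if __name__ == "__main__":
    for cmd in plan_update(SAMPLE_SHOW_ROUTE, SAMPLE_GROUP_CONFIG):
        print(cmd)
```

Run on the sample data, the script removes the retired 10.99.0.0/16 and adds the two OSPF prefixes the group lacks, while the OSPF default route is deliberately left out. The caveat from both replies still applies: the updated group only reaches a client after it reconnects, so schedule the push with that in mind and keep the script's change output in your change log, since it is effectively rewriting what remote users can reach.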

DelfrCorp
Level 1

Does anyone have any experience with configuring something of the sort, or even some template I could use to get started with this?
