Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1418
Views
0
Helpful
3
Replies

Split Tunnel VPN & OSPF routes redistribution to Anyconnect Clients

Go to solution
DelfrCorp
Level 1
Level 1

‎11-04-2019 02:22 PM - edited ‎02-21-2020 09:47 PM

I've exhausted most of my ASA configuration knowledge and google skills and am running out of idea on something I would like to implement with our company's ASA-5516.

 

We primarily use OSPF in our LAN, including with our ASA firewall. I want to create a SPlit VPN profile for our Anyconnect clients that would redistribute all routes learned via OSPF by our ASA to the Anyconnect clients upon connection. We do not want to create a new Network object for every network in our LAN to just place them in an ACL and have to constantly re-groom said ACL anytime a new network is added and an old one retired.

 

I need to basically create either a dynamic object group based on our OSPF routes, automatically update an ACL based on OSPF or otherwise inject OSPF routes to split VPN clients.

 

Any insights as to how this could be implemented and as to whether this is even possible?

Frederic Deleglise
Network Administrator
ImOn Communications
101 3rd Ave SW, Suite 300
Cedar Rapids, IA 52404
T (319) 200-4932
F (319) 261-4636
frederic.deleglise@ImOn.net
www.ImOn.net
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎11-04-2019 07:55 PM

The short answer is this can't be done with native features on ASA.
AnyConnect routes on the client are based on split acls. Even if you manage
to dynamically create object groups based on new routes using scripting
outside ASA, your clients have to reconnect to get the new subnets.

View solution in original post

0 Helpful

Go to solution
Deepak Kumar
VIP Alumni
VIP Alumni

‎11-04-2019 09:20 PM

Hi,

There is an auto option in the ASA for the same. You have to go with a split ACL. I am not an expert in the Python or other languages but you can make some auto script which will export routing table and add or remove the entry in dynamic object group on the asa. Keep in mind that the user will required reconnect to get new routes.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎11-04-2019 07:55 PM

The short answer is this can't be done with native features on ASA.
AnyConnect routes on the client are based on split acls. Even if you manage
to dynamically create object groups based on new routes using scripting
outside ASA, your clients have to reconnect to get the new subnets.
0 Helpful

Go to solution
Deepak Kumar
VIP Alumni
VIP Alumni

‎11-04-2019 09:20 PM

Hi,

There is an auto option in the ASA for the same. You have to go with a split ACL. I am not an expert in the Python or other languages but you can make some auto script which will export routing table and add or remove the entry in dynamic object group on the asa. Keep in mind that the user will required reconnect to get new routes.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

Go to solution
DelfrCorp
Level 1
Level 1

‎11-05-2019 08:28 AM

Does Anyone have any experience with configuring something of the sort or even some template I could use to get started with this?

Frederic Deleglise
Network Administrator
ImOn Communications
101 3rd Ave SW, Suite 300
Cedar Rapids, IA 52404
T (319) 200-4932
F (319) 261-4636
frederic.deleglise@ImOn.net
www.ImOn.net
0 Helpful
Customers Also Viewed These Support Documents