03-08-2023 06:15 AM
Hi,
I'd like to know if something is possible...
Currently, all traffic goes via the AnyConnect VPN no matter what the destination is. I need to enable split tunneling for a single domain name which will need to go via the local breakout rather than the VPN, as the DNS server used for the current VPN traffic cannot resolve this public domain name (corporate DNS, only resolves internal DNS names).
I'm no VPN expert so correct me if I'm wrong, but the issue I see at the moment is that any traffic hitting the ASA - even if split tunneling is enabled - would use the VPN corporate DNS server. This would defeat the object, as the DNS server would not return an IP for this single FQDN, and the traffic would not break out locally.
What would be the best way of doing this, or is it even possible? I've read a little on split-DNS, but not entirely sure if this would meet the requirements? Any assistance (or corrections to my logic) is much appreciated.
03-08-2023 06:20 AM - edited 03-08-2023 06:22 AM
Split tunnel is either by IP or by DNS.
Here you run split tunnel by IP,
and there is one domain your client needs to resolve via local DNS?
If yes to all the above, try the command below:
split-tunnel-all-dns disable
03-08-2023 06:34 AM - edited 03-08-2023 06:35 AM
Thanks for that info.
Excuse my ignorance, but what do you mean split tunnel by IP rather than DNS? You're correct in saying that there's one domain name that needs to go out locally.
The environment I'm working on is a live one, so I mainly want to ensure that I fully understand what the command does, so I'll know if it will affect current functionality for users for any DNS resolutions & general traffic.
03-08-2023 06:48 AM - edited 03-08-2023 06:49 AM
Normally with split-tunnel, the ASA DNS server resolves the domain; if that fails, the client will use the DNS server list on the interface.
This breaks if you configure
split-tunnel-all-dns
This means that the client always sends DNS requests to the ASA DNS server,
so what we need is to disable this feature.
03-08-2023 06:58 AM
So let's say I wanted bbc.co.uk to go out locally but all other traffic via the VPN. I'd need to do the following to enable dynamic split tunnelling with local DNS resolution for excluded addresses:
webvpn
anyconnect-custom-attr dynamic-split-exclude-domains description Exclude BBC
anyconnect-custom-data dynamic-split-exclude-domains exclude-bbc www.bbc.co.uk
group-policy GroupPolicy_AnyConnect-01 attributes
anyconnect-custom dynamic-split-exclude-domains value exclude-bbc
split-tunnel-all-dns disable
Let me know if anything else is required.
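The point the replies above make is that dynamic split-exclude is keyed on a DNS name, so the excluded address only leaves the tunnel if some resolver actually answers. The following is an added model of that dependency (not code from this thread or from Cisco); the suffix matching of excluded domains, the corporate-then-local resolver fallback, and the internal name intranet.example.corp are assumptions made for the example.

```python
# Constructed model (added here; not Cisco/AnyConnect code) of the dependency the
# thread describes: dynamic split-exclude is keyed on a DNS name, so an address
# only leaves the tunnel if some resolver actually answers the query. Suffix
# matching and the corporate-then-local fallback are modelling assumptions.

EXCLUDE_DOMAINS = ["www.bbc.co.uk"]  # value behind the exclude-bbc custom attribute

# Constructed resolvers: corporate DNS knows only internal names, the local
# adapter's DNS can resolve public names (198.51.100.0/24 is TEST-NET-2).
CORPORATE_DNS = {"intranet.example.corp": ["10.10.1.5"]}
LOCAL_DNS = {"www.bbc.co.uk": ["198.51.100.20"]}

def name_matches(fqdn, exclude_domains=EXCLUDE_DOMAINS):
    """True if fqdn equals an excluded entry or is a subdomain of one."""
    fqdn = fqdn.lower().rstrip(".")
    for entry in exclude_domains:
        entry = entry.lower().rstrip(".")
        if fqdn == entry or fqdn.endswith("." + entry):
            return True
    return False

def resolve(fqdn, all_dns_through_tunnel, corporate=CORPORATE_DNS, local=LOCAL_DNS):
    """split-tunnel-all-dns enabled: only the corporate DNS is asked.
    Disabled: a name the corporate DNS cannot answer is retried on the
    local interface's DNS servers (the behaviour the replies describe)."""
    answer = corporate.get(fqdn, [])
    if not answer and not all_dns_through_tunnel:
        answer = local.get(fqdn, [])
    return answer

def excluded_addresses(fqdn, all_dns_through_tunnel):
    """Addresses the client would route outside the tunnel for this name.
    Empty means the traffic stays in the VPN, the failure the OP is worried about."""
    if not name_matches(fqdn):
        return []
    return resolve(fqdn, all_dns_through_tunnel)

def compare(fqdn="www.bbc.co.uk"):
    """Same group policy, only split-tunnel-all-dns differs."""
    return (excluded_addresses(fqdn, all_dns_through_tunnel=True),
            excluded_addresses(fqdn, all_dns_through_tunnel=False))

if __name__ == "__main__":
    enabled, disabled = compare()
    print("split-tunnel-all-dns enabled :", enabled)   # []
    print("split-tunnel-all-dns disabled:", disabled)  # ['198.51.100.20']
```

With split-tunnel-all-dns enabled the corporate DNS returns nothing for the public name, so no address is excluded and the traffic stays in the tunnel; with it disabled the local resolver answers and that address is routed outside the VPN.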
03-08-2023 07:04 AM - edited 03-08-2023 07:04 AM
You NOW use split-tunnel with ACL?
03-08-2023 08:57 AM
Configure ASA/AnyConnect: Dynamic Split Tunneling - Cisco <<- depends on DNS
Configure AnyConnect Secure Mobility Client with Split Tunneling on an ASA - Cisco <<- depends on ACL (static)
So I suggest using split tunnel with an ACL and using split-tunnel-all-dns.