03-14-2014 07:17 AM
Hi
I want to enable split tunneling on Cisco ASA for AnyConnect clients. So the idea is that all corporate-destined traffic is carried inside the tunnel while the rest goes outside of the tunnel.
The story does not end here :) I foresee one issue with this, i.e. clients accessing specific external websites (www.abc.com) will be blocked, as those websites only permit our corporate IP range. We cannot presume the IP range of abc.com (e.g. facebook.com). Is there any way to enable split tunneling and also have users' traffic for specific websites go via the tunnel?
Regards,
Umair
03-14-2014 03:31 PM
The destination address argument in an access-list entry that defines the network list to be split tunneled can include an FQDN for the destination.
We seldom include those since the DNS lookup then needs to be done by the ASA and that can present a performance bottleneck.
03-17-2014 02:00 AM
Thanks for your reply. Do you have any document or reference to share?
Applying an FQDN extended ACL to a group policy failed in my case :(
asa1(config-group-policy)# split-tunnel-network-list value splittunnel_fqdn
ERROR: Access-list splittunnel_fqdn contains user, user-group, security-group or FQDN objects. These are not supported by group policies.
Regards,
Umair
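For reference, here is a split-tunneling configuration of the kind discussed in this thread, written as an added example rather than taken from any post above. The ACL, group-policy and tunnel-group names and the 10.0.0.0/8 and 172.16.0.0/12 prefixes are constructed placeholders; as the error message above shows, the split-tunnel network list must be a standard ACL of IP prefixes, so anything not listed here (such as www.abc.com) leaves the client directly rather than through the tunnel.

```cisco
! Added example: AnyConnect split tunneling on an ASA (placeholder names/prefixes).
! The list the client receives must be a standard ACL of IP networks;
! an extended ACL containing FQDN objects is rejected by the group policy.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit 172.16.0.0 255.240.0.0
!
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 ! Only destinations in SPLIT_TUNNEL are routed into the tunnel
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 ! Resolve the internal domain through the tunnel, everything else locally
 split-dns value corp.example
!
tunnel-group TG_ANYCONNECT type remote-access
tunnel-group TG_ANYCONNECT general-attributes
 default-group-policy GP_ANYCONNECT
!
! Verification: confirm the list and check what a connected client was given
show running-config access-list SPLIT_TUNNEL
show vpn-sessiondb detail anyconnect
```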