
Split Tunneling on AnyConnect!

kthned
Level 3

Hi 

I want to enable split tunneling on a Cisco ASA for AnyConnect clients. The idea is that all corporate-destined traffic is carried inside the tunnel while the rest goes outside the tunnel.

The story does not end here :) I foresee one issue with this: clients accessing specific external websites (www.abc.com) will be blocked, as those websites only permit our corporate IP range. We cannot presume the IP range of abc.com (e.g. facebook.com). Is there any way to enable split tunneling and also have user traffic for specific websites go via the tunnel?

Regards,

Umair

2 Replies

Marvin Rhoads
Hall of Fame

The destination address argument in an access-list entry that defines the network list to be split tunneled can include an FQDN for the destination.

We seldom include those since the DNS lookup then needs to be done by the ASA and that can present a performance bottleneck.

Thanks for your reply. Do you have any document or reference to share?

Applying an FQDN extended ACL to a group policy failed in my case :(

asa1(config-group-policy)# split-tunnel-network-list value splittunnel_fqdn
ERROR: Access-list splittunnel_fqdn contains user, user-group, security-group or FQDN objects. These are not supported by group policies.


Regards,

Umair
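The error above is the ASA telling you what a split-tunnel network list may contain: network prefixes only, not FQDN, user or security-group objects. The usual way to get named external sites into the tunnel without the ASA resolving anything is AnyConnect dynamic split tunneling, where the client resolves the configured domains and steers the resulting addresses into the tunnel. The fragment below is an added example written for this page, not configuration posted by either participant. It assumes AnyConnect 4.6 or later (dynamic split include requires a static split-include list to already be in place), and the ACL name, group-policy name, custom-data name, domain names and RFC 1918 prefixes are placeholders chosen for the example.

```text
! Static split-include list: only these corporate prefixes go into the
! tunnel. A standard ACL works here; the prefixes are example values.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit 172.16.0.0 255.240.0.0

! Dynamic split include: the AnyConnect client resolves these names and
! adds the returned addresses to the tunnel, so the ASA does no DNS lookup
! and the list never has to be updated when the site's IPs change.
webvpn
 anyconnect-custom-attr dynamic-split-include-domains description Domains forced into the tunnel
anyconnect-custom-data dynamic-split-include-domains CORP_ALLOWED_SITES abc.com,www.abc.com

! Group policy: tunnel only what the static list names (tunnelspecified),
! then attach the dynamic include list as a custom attribute.
group-policy GP_SPLIT internal
group-policy GP_SPLIT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 anyconnect-custom dynamic-split-include-domains value CORP_ALLOWED_SITES
```

Two caveats worth checking before relying on this: the domain match is on the name the client resolves, so a site that redirects to a differently named CDN host needs that host listed as well, and the dynamic include only adds routes for addresses the client actually resolves, so verify on the client (AnyConnect route details) that the expected /32s appear after the first lookup. FQDN network objects (object network ... fqdn) remain usable in interface ACLs with dns domain-lookup enabled, but, as the error shows, not in a split-tunnel network list.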