06-08-2018 01:21 AM - edited 03-12-2019 05:21 AM
Hello,
We use split tunneling for our remote users over the Cisco AnyConnect VPN and all the interesting traffic is sent over it (server subnets etc.). Internet traffic uses the users' local router/gateway and doesn't traverse the VPN.
I've been asked to push one internet-based website over the VPN though, is this even possible? Or do I have to push all internet traffic over the VPN?
Thanks
06-08-2018 01:34 AM
Hi @Gonzo1,
It is possible, you just need to add the site IP to your split-tunnel access-list.
You also probably need to do a U-turn NAT for the AnyConnect IPs:
same-security-traffic permit intra-interface
!
object network OBJ-AnyconnectIPs
subnet x.x.x.x x.x.x.x
nat (outside,outside) dynamic interface
HTH
Bogdan
06-08-2018 02:07 AM
Hi,
For this external IP can I use an FQDN as it seems to be a few addresses under the FQDN?
Thanks
06-08-2018 02:15 AM
Yes, FQDNs can be used as well, but you might want to check that the address will always be resolved by the ASA and AnyConnect clients to the same IP or list of IPs.
06-08-2018 02:18 AM
Trying this shortly and will let you know :)
Thanks
06-08-2018 02:51 AM
I'm in the ASDM this time and I've gone to Group Policy > Split Tunneling > My Network List and edited it, but the ACE only allows me to add IPs here. I've created the FQDN object but it doesn't show up.
06-08-2018 05:48 AM - edited 06-08-2018 05:48 AM
Regarding the "subnet" below, is this the VPN pool subnet?
object network OBJ-AnyconnectIPs
subnet x.x.x.x x.x.x.x
nat (outside,outside) dynamic interface
06-08-2018 06:03 AM
Correct.
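The pieces discussed in this thread assembled into one ASA configuration, as an added example rather than any poster's own config; the pool subnet, internal subnet, website address and object/ACL/group-policy names are constructed placeholders that must be replaced with real values.

```cisco
! Allow traffic that arrives on "outside" (the AnyConnect tunnel)
! to leave via "outside" again (towards the internet site).
same-security-traffic permit intra-interface
!
! The VPN address pool handed to AnyConnect clients (constructed value).
ip local pool ANYCONNECT-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! Hairpin (U-turn) NAT: tunneled clients reach the site from the
! ASA's outside address instead of their pool address.
object network OBJ-AnyconnectIPs
 subnet 10.10.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
!
! Split-tunnel list: internal server subnet plus ONLY the one
! website host (/32), so the rest of the internet stays local.
access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit host 203.0.113.10
!
! Tie the list to the AnyConnect group policy.
group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
```

After connecting, `route print` (Windows) or `netstat -rn` (macOS/Linux) on a client should list the /32 for the site as a route via the VPN adapter, and `show nat detail` on the ASA should show translate hits on the OBJ-AnyconnectIPs rule when the site is browsed.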