Cisco AnyConnect – Troubleshooting Internet Tunneling Issues

ciscocisco-anyconnectcisco-asasplit-tunnelingvpn

I have set up the ASA as VPN Server (SSL). Everything works great. I can reach every office network and also the Internet.

Now I noticed that on our old network, the configuration was different. When we connected over the old VPN (IPsec), and we browsed the Internet, we didn't use the tunnel to our router. We used the Internet of our Client.

In other words, we didn't appear with the outside IP address from the office router to the Internet, we appeared with our own IP address (from my home).

I googled, but I don't find the correct configuration tutorial. Maybe I'm looking wrong. What I need is Split tunneling.

Best Answer

You can define an ACL and apply the ACL under the group policy using the split tunnel value command. You can then apply the group policy to the tunnel group.

It's explained in the documentation here:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/119006-configure-anyconnect-00.html#anc13

Below will tunnel traffic only for the 10.10.0.0/16 network.

access-list Split standard permit 10.10.0.0 255.255.0.0

group-policy ANYCONNECT-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split

tunnel-group ANYCONNECT general-attributes
 default-group-policy ANYCONNECT-POLICY

If you open your anyconnect client when connected and click the cog (advanced properties) and click on the route details tab you will see 10.10.0.0/16 as a secured route and 0.0.0.0/0 as an unsecured route.

Related Solutions

Vpn – Installing a Cisco ASA VPN into an existing network

Yes, what you suggest would work just fine, assuming that you have control over the existing default gateway/router for the subnet on each side. Variations on this same theme can be used to provide VPN backups to a primary connectivity method (MPLS, point-to-point T1/T3, etc.) using route tracking, static routes with a higher AD 'underneath' a dynamically learned route on the primary connection, etc.

Client VPN Failing After ASA Upgrade with Active LAN to LAN Tunnel

Yes, the device can be instructed to accept the client VPN connections from the peer that it already has an open tunnel with.

This is done by updating the dynamic map to include new entries with a configured peer address.

So, with this existing configuration accepting a dynamic connection from any address:

crypto map vpnmap 10 match address peer_acl
crypto map vpnmap 10 set peer 192.0.2.15
crypto map vpnmap 10 set ikev1 transform-set ESP-AES-SHA1
crypto map vpnmap 65500 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto dynamic-map OUTSIDE_DYN_MAP 100 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_DYN_MAP 100 set security-association lifetime seconds 86400
crypto dynamic-map OUTSIDE_DYN_MAP 100 set reverse-route

..the dynamic map can be edited to allow client VPN connections from the 192.0.2.15 peer:

crypto map vpnmap 10 match address peer_acl
crypto map vpnmap 10 set peer 192.0.2.15
crypto map vpnmap 10 set ikev1 transform-set ESP-AES-SHA1
crypto map vpnmap 65500 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto dynamic-map OUTSIDE_DYN_MAP 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_DYN_MAP 10 set security-association lifetime seconds 86400
crypto dynamic-map OUTSIDE_DYN_MAP 10 set reverse-route
crypto dynamic-map OUTSIDE_DYN_MAP 10 set peer 192.0.2.15
crypto dynamic-map OUTSIDE_DYN_MAP 100 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_DYN_MAP 100 set security-association lifetime seconds 86400
crypto dynamic-map OUTSIDE_DYN_MAP 100 set reverse-route

..and client IPsec connections will now be allowed from 192.0.2.15 despite having an active LAN to LAN tunnel.

Best Answer

Related Solutions

Vpn – Installing a Cisco ASA VPN into an existing network

Client VPN Failing After ASA Upgrade with Active LAN to LAN Tunnel

Related Topic