AnyConnect Split Tunneling (Local LAN Access, Split Tunneling, Static & Dynamic (Domain))

This article was created due to the COVID-19 pandemic

Cisco does not usually provide specific guidance on how you should design your own VPN. AnyConnect and ASA Remote Access VPN (RA-VPN) are very powerful, with plenty of configuration options to help your organization deploy in whatever way best suits your needs. In response to the global COVID-19 pandemic, as customers move to 100% remote access and combine that with 100% virtual meetings (e.g. WebEx), Cisco is breaking with tradition and offering some best-practice guidelines for RA-VPN design.

Cisco's guidance, especially during this global response, is to use Dynamic Split Tunneling to exclude from the tunnel the DNS names of real-time communication software-as-a-service (SaaS) applications, such as WebEx.

Please see the blog by Aaron Woland regarding DST best practices.

Dynamic Split Tunneling – COVID-19 Best Practices

Note: This article covers all forms of split tunneling, including dynamic split tunneling (DST) for your instruction and guidance.

Due to the global COVID-19 pandemic, Cisco customers are increasing their AnyConnect licenses so that additional AnyConnect sessions can be added to their existing ASA/Firepower headends. Link to free Cisco offers for the COVID-19 pandemic.

Items of note for free AnyConnect licenses:

  • You are limited to the maximum number of VPN sessions supported by the headend hardware, not by AnyConnect.
  • In many cases, customers add or reuse existing hardware to increase the capacity of their VPN headends.

With most organizations moving to 100% work from home, there is a massive load on internet gateways. Bandwidth consumption is one of the effects of the sudden increase in AnyConnect sessions.

Local LAN Access

Local LAN Access allows users to keep access to resources on their RFC 1918 home network while connected to a secure VPN tunnel. The administrator does not need to know the actual addressing scheme when configuring local LAN access: AnyConnect determines the local network itself and dynamically adjusts the secure route list to exclude the home network from tunneling.

The common use case is to allow users to print locally, which would not be possible with a full VPN tunnel session.

Split Tunneling

Split tunneling has been around for a long time. In its traditional form it relies on a static configuration: a standard access list that either includes or excludes IP networks from the VPN tunnel.

Dynamic Split Tunnel

Dynamic Split Tunneling (DST) provides the ability to dynamically specify which domains are included or excluded after the user resolves the domain via DNS. This happens after the tunnel is established, by adjusting the secure and non-secure routes according to the administrator's configuration.

Splitting traffic based on domain

A good example is to dynamically exclude traffic to SaaS services based on DNS resolution, so that traffic destined for the SaaS service goes directly to the service rather than through the tunnel. Originally released with AnyConnect 4.5 and enhanced in AnyConnect 4.6.

AnyConnect 4.5.00058 New Features

AnyConnect 4.6.00362 New Features

ASA 9.0 or later is required.

Split Tunnel Configuration

Note: Local LAN access is more for user convenience than for saving bandwidth.

In an exclude-specified configuration, AnyConnect does not tunnel traffic to or from the networks in the network list. Traffic to or from all other addresses is sent through the tunnel.

The active VPN client profile on the client must have Local LAN Access enabled. If the administrator has configured the Local LAN Access setting as user controllable, the user can toggle this functionality on or off from the Preferences tab of the AnyConnect UI. To avoid this, simply uncheck User Controllable in the profile so that local LAN access is always enabled.

Demo: excluding the user's RFC 1918 home address space from the VPN

Demo of Local LAN Access – UX

Configure local LAN access

Local LAN ASDM Configuration Group Policy

Local LAN ASDM Configuration – Access List

AnyConnect Client Profile – Local LAN Access

The AnyConnect Client Profile is an XML file located on the end user's machine. The profile configured on the headend is always pushed to the end user if the headend determines during session establishment that the user does not have the latest valid profile.

The AnyConnect (VPN) Client Profile is applied to a group policy on the headend, or placed manually by the administrator using a software management solution. This profile controls most AnyConnect VPN features; Local LAN Access is one of them.
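As an added example (not from the original article), the ASA-side configuration that the Local LAN Access screens above correspond to; the group-policy and tunnel-group names are assumed:

```cisco
! Local LAN Access: exclude-specified split tunneling whose network list is
! the single host 0.0.0.0/32. AnyConnect treats that entry as "the client's
! directly connected LAN", so the home RFC 1918 range is excluded from the
! tunnel without the administrator knowing the actual addressing.
access-list LOCAL_LAN_ACCESS standard permit host 0.0.0.0
!
! GP_RAVPN and RA_VPN are assumed names for this example.
group-policy GP_RAVPN attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL_LAN_ACCESS
!
tunnel-group RA_VPN general-attributes
 default-group-policy GP_RAVPN
```

The client profile pushed with this group policy must also contain `<LocalLanAccess UserControllable="false">true</LocalLanAccess>`; the ASA exclusion alone does not enable local LAN access.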

Background:

By default AnyConnect sends all traffic through the tunnel (tunnel-all, the secure choice) unless it is specifically configured to do otherwise.

Although secure, a potential problem with this is high bandwidth consumption on the headend, as user traffic destined for Internet and SaaS resources is carried through the tunnel.

The solution:

Split tunneling, as mentioned earlier, is a method of selectively tunneling traffic, either statically based on IPv4/IPv6 networks or dynamically based on domains, that are excluded from or included in the secure tunnel. This reduces bandwidth consumption.

Two types of split tunneling:

Network split tunneling

• Can be configured for inclusion or exclusion

• Traffic specified by the access list (include) is routed through the tunnel

• Traffic specified by the access list (exclude) is not tunneled

Dynamic Split Tunneling

• Can be configured for inclusion or exclusion

• The specified DNS domains are tunneled (include list)

• The specified DNS domains are not tunneled (exclude list)

Split tunnel include / tunnel-specified

A tunnel-specified configuration routes all traffic to or from the networks in the network list through the tunnel. Traffic to all other addresses is sent in the clear.

Split tunnel demo – UX

Split Tunnel Configuration

Split tunnel include
ASDM Configuration – Group Policy

Configured in the Advanced section of the Group Policy

Split tunnel include
ASDM Configuration – Access List

The Dynamic-Split-Exclude-Domains configuration provides dynamic split tunnel exclusion after tunnel establishment, based on the host's DNS domain name.

AnyConnect excludes the listed domains from the secure VPN tunnel; all other traffic is sent through the secure VPN tunnel.

Dynamic exclusion demo – UX

Dynamic split tunnel exclusion configuration

ASDM Configuration – Attribute Type

Activation of dynamic split tunneling

Create a custom attribute type for dynamic exclude domains

This attribute type instructs AnyConnect to exclude any DNS names in a dynamic exclusion list from being passed through the VPN.

Dynamic split tunnel exclusion
ASDM Configuration – Attribute Name

This is a list of DNS names to exclude from the VPN tunnel

This configuration can be applied to a group policy or a dynamic access policy

Dynamic split tunnel exclusion
Configure ASDM – Group Policy

Dynamic split tunnel exclusion
Configure ASDM – Dynamic Access Policy (DAP)

Custom attributes are sent to the AnyConnect client and used to configure features such as Deferred Upgrade, Per-App VPN, and Dynamic Split Tunneling. A custom attribute has a type and a named value.
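As an added example (not from the original article), the ASA CLI equivalent of the dynamic split exclude configuration shown in the ASDM screens above; the group-policy name, the attribute value name and the SaaS domain list are assumed:

```cisco
! 1. Declare the custom attribute type once, under webvpn.
webvpn
 anyconnect-custom-attr dynamic-split-exclude-domains description Domains excluded from the tunnel
!
! 2. Give a named value of that type: the comma-separated domain list.
!    SAAS_EXCLUDE and the domains are constructed for this example.
anyconnect-custom-data dynamic-split-exclude-domains SAAS_EXCLUDE webex.com,example-saas.net
!
! 3. Apply the named value in the group policy. The tunnel stays tunnel-all;
!    only addresses resolved for the listed domains bypass it.
group-policy GP_RAVPN attributes
 split-tunnel-policy tunnelall
 anyconnect-custom dynamic-split-exclude-domains value SAAS_EXCLUDE
```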

Another option is to configure Dynamic-Split-Include-Domains. This is the opposite of the behavior seen when the previous custom attribute is used for dynamic exclusion: AnyConnect only sends the domains included in the configuration through the secure VPN tunnel, and all other traffic is sent in the clear.

Dynamic Split Include Demo – UX

Dynamic split tunnel include configuration

ASDM Configuration – Attribute Type

Creating this custom attribute allows traffic to be dynamically split after tunnel establishment, based on the host's DNS domain name, by adding the dynamic split include feature.

Dynamic split include requires at least one static split-include network; a single IP address will do, for example one of the DNS servers pushed to the client.

Include dynamic split tunnel
ASDM Configuration – Attribute Name

This configuration can be applied to a group policy or a dynamic access policy.

Enter domains as comma-separated values.

The domains listed here, associated with the Dynamic-Split-Include-Domains attribute, are sent through the tunnel after DNS resolution.

Include dynamic split tunnel
Configure ASDM – Group Policy

Include dynamic split tunnel
ASDM Configuration – Static Split Include Network

Dynamic split include requires at least one static split-include network.

A single IP address will do the trick, for example pushing one of the client's DNS servers.

Dynamic split tunnel exclusion
Configure ASDM – Dynamic Access Policy (DAP)

Custom attributes are sent to the AnyConnect client and used to configure features such as Deferred Upgrade, Per-App VPN, and Dynamic Split Tunneling. A custom attribute has a type and a named value.
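As an added example (not from the original article), the ASA CLI equivalent of the dynamic split include configuration, including the static split-include network the text says is required; names, domains and the DNS server address are assumed:

```cisco
webvpn
 anyconnect-custom-attr dynamic-split-include-domains description Domains included in the tunnel
!
! CORP_INCLUDE and the domains are constructed for this example.
anyconnect-custom-data dynamic-split-include-domains CORP_INCLUDE intranet.example.com,mail.example.com
!
! Prerequisite: at least one static split-include network. A /32 for the
! DNS server pushed to the client (10.0.0.53, assumed) is enough, and it
! also keeps DNS queries to that server inside the tunnel.
access-list SPLIT_INCLUDE standard permit host 10.0.0.53
!
group-policy GP_RAVPN attributes
 dns-server value 10.0.0.53
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_INCLUDE
 anyconnect-custom dynamic-split-include-domains value CORP_INCLUDE
```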

Enhanced dynamic split tunnel exclusion

When a dynamic split exclude tunnel is configured with both dynamic split exclude domains and dynamic split include domains, traffic is dynamically excluded from the tunnel only if it matches at least one dynamic split exclude domain and no dynamic split include domain.

  • Supported in AnyConnect 4.6 and later

Simple use case:

A customer needs to exclude traffic to google.com from the VPN tunnel, but needs traffic to specific Google domains, such as edu.google.com and classroom.google.com, to pass through the VPN tunnel.

Enhanced DST exclusion display – UX

Example:

DST exclude: google.com

DST include: edu.google.com, classroom.google.com

Enhanced DST exclusion configuration

Enhanced Dynamic Split Tunneling Exclusion – ASDM Configuration – Attribute Type

Activation of dynamic split tunneling

Create custom attribute types for dynamic exclude domains and dynamic include domains

The attribute types and their associated attribute names tell AnyConnect what is excluded from or included in the secure tunnel.

Exclude dynamic split tunneling – ASDM configuration – attribute name

This is a list of domain names to be excluded from the VPN tunnel

Note: This is usually an extensive list of domains separated by commas.

This configuration can be applied to a group policy or a dynamic access policy.

Include Dynamic Split Tunneling – ASDM Configuration – Attribute Name

This configuration can be applied to a group policy or a dynamic access policy.

Enter domains as comma-separated values.

The domains listed here, associated with the Dynamic-Split-Include-Domains attribute, are sent through the tunnel after DNS resolution.

Exclude Dynamic Split Tunneling – ASDM Configuration – Group Policy

Include Dynamic Split Tunneling – ASDM Configuration – Group Policy

Dynamic Split Tunneling (also known as Split DNS) – ASDM Configuration – Group Policy

Dynamic Split Tunnel Exclusion and Embedding – ASDM Configuration – Dynamic Access Policy

Custom attributes are sent to the AnyConnect client and used to configure features such as Deferred Upgrade, Per-App VPN, and Dynamic Split Tunneling. A custom attribute has a type and a named value.

In this use case, the exclusion and inclusion configurations are applied.

Enhanced dynamic split tunnel include

When a dynamic split include tunnel is configured with both dynamic split include domains and dynamic split exclude domains, traffic is included in the tunnel only if it matches at least one dynamic split include domain and no dynamic split exclude domain.

Supported in AnyConnect 4.6 and later.
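As an added example (not from the original article) covering the enhanced exclusion use case above and its include mirror: both attribute types applied to one group policy, using the google.com domains from the use case. The group-policy and attribute value names are assumed:

```cisco
webvpn
 anyconnect-custom-attr dynamic-split-exclude-domains description Domains excluded from the tunnel
 anyconnect-custom-attr dynamic-split-include-domains description Domains included in the tunnel
!
! Named values (GOOGLE_EXCLUDE / GOOGLE_INCLUDE are assumed names).
anyconnect-custom-data dynamic-split-exclude-domains GOOGLE_EXCLUDE google.com
anyconnect-custom-data dynamic-split-include-domains GOOGLE_INCLUDE edu.google.com,classroom.google.com
!
! Enhanced exclusion (AnyConnect 4.6 and later): a resolved name bypasses
! the tunnel only if it matches an exclude domain AND no include domain, so
! google.com goes direct while edu.google.com and classroom.google.com stay
! in the tunnel together with all other traffic.
group-policy GP_RAVPN attributes
 split-tunnel-policy tunnelall
 anyconnect-custom dynamic-split-exclude-domains value GOOGLE_EXCLUDE
 anyconnect-custom dynamic-split-include-domains value GOOGLE_INCLUDE
```

For the enhanced include case, keep the same two attributes but use `split-tunnel-policy tunnelspecified` with a static split-include network list, as in the include section; the rule then flips, and a name is tunneled only if it matches an include domain and no exclude domain.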
