Cisco Anyconnect iphone hotspot docker container

Rakesh maharjan
Level 1

Hi,

I have configured Cisco AnyConnect for both Full Tunnelling and Split Tunnelling.

-->Problems on Split Tunnelling:

iPhone hotspot / tethered AnyConnect client resolv and internal and external sites. I can access all the internal and external sites only by IP address.

But if I connect to an Android phone as a hotspot, or a different wireless network, and use Cisco AnyConnect, it works fine. There's no issue. The issue is only with the iPhone hotspot.

iPhone as a hotspot and have VPN connected etc/resolv.conf cannot be found on Mac, I am using El Capitan.

-->Solution on Split Tunnelling:

In AnyConnect Group Policy, go to Advanced > Split Tunneling.

For "DNS Names" uncheck "inherit" and manually define your LAN's internal DNS domain name.

For "Send All DNS Lookups Through Tunnel" uncheck "inherit" and manually select "no".

For reasons I've not yet figured out, this is a sticking point for iPhone and Mac environments.

I may need to define a separate Group Policy for your OS X users until Cisco/Apple figure out their bug.

It should work immediately after disconnecting/reconnecting to AnyConnect.

-->But I still cannot access the Docker environment:

The weird part is that if I have VMfusion with a Windows box in it, that box can access all of the Docker environment with the network adapter in NAT setting.

I would really appreciate any further ideas. I am just wondering how people are using an iPhone hotspot and a Docker environment.

Thanks!

Rakesh Maharjan

3 Replies

Shakti Kumar
Cisco Employee

Rakesh,

Your issue is discussed here:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116016-technote-AnyConnect-00.html

Thanks

Shakti

Shakti,

It's a really good document, I really liked it, thank you very much. I forgot to mention my ASA Software Version 9.5(2)10, ASDM Device Manager Version 7.5(2) and Cisco AnyConnect 4.1,  anyconnect-macosx-i386-4.1.04011-k9.pkg 1.

It works great once I assign DNS FQDN names in group policy --> advanced --> split-tunneling --> uncheck inherit and assign my local DNS names. But the problem is I cannot access the Docker box. So I have to check the inherit box to access the Docker box, and it's not working for the iPhone tethered hotspot AnyConnect client.

Thanks!

Rakesh

Solved:

I finally found the solution: enabling client-bypass-protocol fixed my issue.

I have enabled client-bypass-protocol and that fixed my issue for the iPhone tethered hotspot to use AnyConnect and access internal and external sites.

client-bypass-proxy

client-bypass-protocol { enable | disable }

no client-bypass-protocol { enable | disable }

Syntax Description

  • enable: If Client Bypass Protocol is enabled, the IP traffic for which the ASA did not assign an IP address type is sent from the client in the clear.
  • disable: If Client Bypass Protocol is disabled, the IPv6 traffic for which the ASA did not assign an IP address type is dropped.

Defaults

  • Client Bypass Protocol is disabled by default in the DfltGrpPolicy.

Once again, thank you very much, sharing ideas!

Rakesh
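
The settings discussed in this thread leave the AnyConnect tunnel on purpose: split DNS keeps most lookups local, and Client Bypass Protocol sends the unassigned IP protocol in the clear. As an added example (not code from the thread or from Cisco), this Python script reads a constructed running-config excerpt and reports which group policies do so; the policy names and domain are placeholders, and it assumes the ASDM settings appear as `split-dns`, `split-tunnel-all-dns` and `client-bypass-protocol` lines under `group-policy ... attributes`.

```python
import re

# Constructed sample running-config excerpt; policy names and domain are placeholders.
SAMPLE_CONFIG = """\
group-policy GP-MAC-USERS internal
group-policy GP-MAC-USERS attributes
 split-tunnel-policy tunnelspecified
 split-dns value corp.example.com
 split-tunnel-all-dns disable
 client-bypass-protocol enable
group-policy GP-FULL-TUNNEL internal
group-policy GP-FULL-TUNNEL attributes
 split-tunnel-policy tunnelall
 client-bypass-protocol disable
group-policy GP-INHERIT internal
group-policy GP-INHERIT attributes
 vpn-tunnel-protocol ssl-client
"""

WATCHED = ("client-bypass-protocol", "split-tunnel-all-dns", "split-dns")

def parse_group_policies(config):
    """Return {policy_name: {setting: value}} for each 'attributes' block."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"^group-policy (\S+) attributes\s*$", line)
        if header:
            current = policies.setdefault(header.group(1), {})
        elif line.startswith(" ") and current is not None:
            parts = line.split()
            if parts and parts[0] in WATCHED:
                current[parts[0]] = " ".join(parts[1:])
        else:
            current = None  # any other top-level line ends the block
    return policies

def audit(config):
    """List (policy, finding) pairs where traffic or DNS can leave the tunnel."""
    findings = []
    for name, s in parse_group_policies(config).items():
        if s.get("client-bypass-protocol") == "enable":
            findings.append((name, "unassigned IP protocol sent in the clear"))
        if "client-bypass-protocol" not in s:
            findings.append((name, "client-bypass-protocol inherited; check DfltGrpPolicy"))
        if s.get("split-tunnel-all-dns") == "disable" and "split-dns" in s:
            findings.append((name, "only %s resolved through tunnel" % s["split-dns"].split()[-1]))
    return findings

if __name__ == "__main__":
    print("\n".join("%s: %s" % f for f in audit(SAMPLE_CONFIG)))
```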
