How does AnyConnect VPN split tunneling work for the ASA assigned IP network?
Page 10-4 of the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.1 states:
“With AnyConnect, the client passes traffic to all sites specified in the split tunneling policy you configured, and to all sites that fall within the same subnet as the IP address assigned by the ASA. For example, if the IP address assigned by the ASA is 10.1.1.1 with a mask of 255.0.0.0, the endpoint device passes all traffic destined to 10.0.0.0/8, regardless of the split tunneling policy.”
Based on this I would believe that if the ASA assigned an IP of 192.168.10.12 with a 255.255.255.0 mask, the endpoint client would then send all traffic for the 192.168.10.0/24 network through the VPN tunnel, and I should be able to see that traffic drop out of the tunnel on the ASA. If I were to attempt to ping any other client IP in use in the 192.168.10.0/24 network, I should be able to see that traffic traverse the VPN and at least get to the ASA.
Are you saying that the traffic is not passing? What method are you using to observe whether the traffic is arriving at the ASA? Packet capture? If the traffic isn't arriving, are you also dealing with NAT?
I apologize in advance for the long-winded explanation, but I want to ensure that I provide the details.
There is no NAT involved here.
For testing I am attempting to capture the traffic on both of the VPN firewall configured interfaces but I get nothing.
Just to be clear, the problem has been resolved by removing the VPN IP Pool network (192.168.10.0/24) from the split tunnel acl but I am attempting to understand the behavior based on the Cisco AnyConnect documentation.
This issue began as a problem with looping traffic between two directly connected firewalls. The first firewall is the VPN firewall while the second is an internal firewall. The VPN firewall has the IP Pool configured as 192.168.10.0/24 while the Internal Firewall has a route to send traffic destined for that VPN IP Pool (192.168.10.0/24) to the VPN firewall. Here's a rough diagram to help explain.
Internet ----------------- VPN FW ----------------------- Internal FW
                           IP Pool:                        Route:
                           192.168.10.0/24                 192.168.10.0/24 --> VPN FW
                           Route:
                           192.168.0.0/16 --> Internal FW
The original split-tunnel acl was just the entire 192.168.0.0/16 which included the VPN Pool network (192.168.10.0/24). With that configuration in place we were seeing lots of broadcast and Windows Network discovery traffic being transmitted through the VPN tunnel and hitting the Internal firewall.
We reconfigured the split tunnel acls to omit the VPN IP Pool (192.168.10.0/24) and the issue has been resolved.
What doesn’t make sense is why the issue has disappeared?
According to the documentation the AnyConnect client should continue to route all traffic within the VPN IP Pool network (192.168.10.0/24) via the VPN tunnel.
Below are partial route tables from the VPN client machine before and after the split tunnel acl change.
The difference is that before the change the entire 192.168.0.0/16 network is routed via the tunnel as shown in the second line of the BEFORE route table. In addition the VPN IP Pool network (192.168.10.0/24) appears as a route with “On-link” listed as the Gateway.
After the split tunnel acl change the individual 192.168.X.0 networks are now routed and the VPN IP Pool network (192.168.10.0/24) only appears as an “On-link” route.
The difference in the two route tables is the fact that the VPN IP Pool network (192.168.10.0/24) is listed only as a route with “On-link” as the gateway when that network is omitted from the split tunnel acl.
The Cisco documentation states that “With AnyConnect, the client passes traffic to all sites specified in the split tunneling policy you configured, and to all sites that fall within the same subnet as the IP address assigned by the ASA.”
Based on my test results this statement does not appear to be correct. After I remove the VPN IP Pool network from the split tunnel acl traffic destined for the VPN IP Pool (192.168.10.0/24) no longer traverses the tunnel.
Any ideas why this is occurring?
BEFORE the split tunnel acl change the VPN client route table would appear as follows:
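As an added example (not part of this thread and not Cisco's code), the following Python applies the rule quoted from the admin guide to a few destinations and compares it with a longest-prefix lookup over a client route table constructed from the post's description of the "after" state. The split-tunnel ACL entries, the tunnel gateway address and the default gateway are assumptions; the real route tables are not on this page.

```python
import ipaddress

def documented_tunneled(dst, assigned_iface, split_acl):
    """Apply the rule quoted from the AnyConnect admin guide: traffic is
    sent through the tunnel if the destination is in a split-tunnel ACL
    network or in the subnet of the address the ASA assigned."""
    dst = ipaddress.ip_address(dst)
    assigned = ipaddress.ip_interface(assigned_iface)
    if dst in assigned.network:
        return True
    return any(dst in ipaddress.ip_network(net) for net in split_acl)

def route_lookup(dst, routes):
    """Longest-prefix match over (prefix, gateway) entries, the way the
    client's route table picks a next hop (metrics ignored). Returns
    the gateway string, or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None

def compare(dsts, assigned_iface, split_acl, routes, tunnel_gw):
    """For each destination return (dst, documented_tunneled, next_hop,
    mismatch). mismatch is True where the guide says 'tunnel' but the
    route table does not select the tunnel gateway, which is the
    situation the post reports for the pool network."""
    rows = []
    for dst in dsts:
        doc = documented_tunneled(dst, assigned_iface, split_acl)
        hop = route_lookup(dst, routes)
        rows.append((dst, doc, hop, doc and hop != tunnel_gw))
    return rows

# Constructed data modelled on the post: assigned 192.168.10.12/24, and the
# split ACL after the change lists individual internal /24s but not the pool.
ASSIGNED = "192.168.10.12/24"
SPLIT_ACL_AFTER = ["192.168.20.0/24", "192.168.30.0/24"]  # assumed entries
TUNNEL_GW = "192.168.10.1"  # assumed gateway shown for tunnel routes
ROUTES_AFTER = [
    ("0.0.0.0/0", "10.0.0.1"),          # assumed local default gateway
    ("192.168.20.0/24", TUNNEL_GW),
    ("192.168.30.0/24", TUNNEL_GW),
    ("192.168.10.0/24", "On-link"),     # pool network appears On-link only
]

if __name__ == "__main__":
    for row in compare(["192.168.10.50", "192.168.20.5", "8.8.8.8"],
                       ASSIGNED, SPLIT_ACL_AFTER, ROUTES_AFTER, TUNNEL_GW):
        print(row)
```

Run it to see the pool destination flagged: the guide's rule says it should be tunneled, while the constructed route table resolves it to On-link.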