Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Prefix length and VPN on a stick

I currently have a remote "VPN on a stick" configuration setup on an ASA's "outside" interface that provides access to 2 networks on the same side. Hosts are setup in a split tunnel configuration so that only the 134.23/16 and 166.43/16 network traffic is sent to the VPN.

Example: (IPs changed)

(PRIVATE) -- ASA --router------------------- (Internet)  ----  Host (any ip) (anyconnect)

                                   |

                                   |------ 134.23.0.0/16

                                   |

                                   |------ 166.43.0.0/16 -------

                                                                      |

                                                                   router

                                                                      |

                                                                      ---------166.43.1.0/24-----

                                                                                                         |

                                                                                                         |

                                                                                                         ------ Host (166.43.1.3) (anyconnect)

Tunnel access-list:

access-list tunnel standard permit 166.43.0.0 255.255.0.0

access-list tunnel standard permit 134.23.0.0 255.255.0.0

Even though users can connect from the Internet, the configuration does not provide access to the Internet from the VPN (only access to the two other networks). The problem is that if a host connects from one of the two networks allowed by the VPN but from a "more specific" subnet in that network the client will follow normal routing rules and not pass traffic through the VPN because the prefix length is longer on the 166.43.1/24 subnet. I am able to add the following configuration to the tunnel to force traffic trough the VPN, but this would have to be done for all subnets with a larger prefix than the first two.

access-list tunnel standard permit 166.43.1.0 255.255.255.0

Is there a way to have the VPN anyconnect client force traffic destined for a network regardless on a more specific route that may exist on the client's machine? (This is done so that the traffic is encypted, even if the client can connect to the desired machine without the VPN)

Thanks!

Everyone's tags (3)
3 REPLIES
Cisco Employee

Prefix length and VPN on a stick

Do you need to configure split tunnel, or you can route everything via VPN even for Internet traffic.

If you disable split tunnel, then all traffic will be routed via the VPN tunnel when they are connected.

New Member

Prefix length and VPN on a stick

Split tunnel is setup, and for performance reasons we only tunnel traffic for the two /16 networks.

Cisco Employee

Prefix length and VPN on a stick

what is the vpn client pool that you assigned to the anyconnect?

369
Views
0
Helpful
3
Replies
CreatePlease login to create content