Network Bypass in Network tunnel from Umbrella SIG to ASA

sameer.dy09
Level 1

Hi, 

We have an existing Network Tunnel between the ASA and Umbrella SIG; the tunnel is up and we can see the requests going through the tunnel. The SIG policy works fine when the traffic is using the IPSec VPN tunnel, and the Umbrella documentation suggests using PBR, which is fine. (We are using Trusted Network Detection, so we cannot use SWG; we are using PBR to push the VPN pool segment to the SIG DC after the remote access VPN is connected.)

I have a situation in which I need to exempt MS Office and other specific URLs/FQDNs from the IPSec VPN. So I put a Deny statement on line 1, as below:

access-list umbrella-acl line 1 extended deny ip any object-group block-list
access-list umbrella-acl line 2 extended permit ip object-group (VPN pool) any

route-map umbrella PBR permit 100
 match ip address umbrella-acl
 set ip next-hop ....

The ACL above, when used in the route-map, only works for the deny statement; the next ACE never gets evaluated. I tried using 2 different route-maps, but the deny is never getting hit.

Not sure if it is a BUG or the documentation from the Umbrella engineering team is incorrect. Also, I note that the ASA prefers a standard ACL rather than an extended one, and it gives a warning when using an extended ACL that a destination of "any" will not have any effect on the route-map.

Regards,

Sameer

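For readers following the configuration described in the post, the complete shape of an ASA policy-based-routing setup with an exemption list is shown below. This is an added example, not configuration from the original post, from Cisco, or from the Umbrella documentation: it fills in the object-group definitions and the interface where the route-map is applied, which the post omits. All addresses, object names and the interface name are placeholders (assumptions), the deny-then-permit ordering is the one the poster tried, and the example makes no claim about resolving the behaviour reported above.

```cisco
! Added example (not from the original post). Placeholder values:
!   198.51.100.0/24 = remote-access VPN address pool
!   203.0.113.0/24  = destination range to exempt from the SIG tunnel
!   192.0.2.1       = next hop into the Umbrella SIG IPSec tunnel
! A real deployment would populate block-list with the published
! MS Office address ranges; the single subnet here is an assumption.

object-group network vpn-pool
 network-object 198.51.100.0 255.255.255.0

object-group network block-list
 network-object 203.0.113.0 255.255.255.0

! Intended ordering: the deny ACE is meant to keep pool->exempt traffic
! from matching the route-map so it falls through to the normal routing
! table; the permit ACE then steers all other pool traffic to the tunnel.
! Unlike the post, the deny is scoped to the pool as source rather than
! "any" (an assumption, to avoid the destination-"any" warning the poster
! mentions applying to unrelated traffic).
access-list umbrella-acl extended deny ip object-group vpn-pool object-group block-list
access-list umbrella-acl extended permit ip object-group vpn-pool any

route-map umbrella permit 100
 match ip address umbrella-acl
 set ip next-hop 192.0.2.1

! policy-route is applied on the interface where the traffic to be
! steered enters the ASA. Which interface that is for decrypted
! remote-access VPN traffic depends on the deployment; the name below
! is a placeholder.
interface GigabitEthernet0/0
 nameif outside
 policy-route route-map umbrella
```

To confirm which ACE is actually being hit during testing, the hit counts in `show access-list umbrella-acl` and the matches reported by `show route-map umbrella` are the first things to compare against the traffic you send from a pool address.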