Solved: Split Tunnelling for specific external domains?

Antony Paul · ‎06-10-2019

Hello,

Environment - Cisco ASAv30 9.10(1) - Cisco AnyConnect VPN client 4.7

We have a requirement for our VPN users to access certain external resources (e.g. salesforce.com) but to appear to be coming from the ASA's external IP address.

This is because these websites are locked down to access from specific public IP addresses.

We already have basic split tunnelling enabled for corp internal networks. Is it possible to add on a domain to this somehow? We can't do this via IP as the services in question probably have frequently changing IP addresses.

Is this something that is possible with AnyConnect VPN, while allowing the rest of their internet traffic to go out directly via their own ISP?

Thank you in advance.

Mohammed al Baqari · ‎06-10-2019

Yes you can do this using dynamic split tunneling. See how to configure it
below

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#task_ydq_tbw_tz

**** Remember to rate useful posts

View solution in original post

Mohammed al Baqari · ‎06-10-2019

Yes you can do this using dynamic split tunneling. See how to configure it
below

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#task_ydq_tbw_tz

**** Remember to rate useful posts

Antony Paul · ‎06-11-2019

Thank you for the quick reply - much appreciated.

Antony Paul · ‎06-11-2019

I was reading your post here : https://community.cisco.com/t5/security-documents/dynamic-split-tunneling-in-anyconnect-vpn/ta-p/3773878

"The dynamic split tunneling exclusions address scenarios when traffic pertaining to a certain service needs to be excluded from the VPN tunnel "

And it reads as though if we wanted to exclude a domain form the tunnel we would use this feature, however we want to include a domain ( .salesforce.com) so that traffic destined for that domain does go over the VPN tunnel.