ASA Dynamic Split Tunnelling

  • Post category: ASA / Cisco / VPN

The Cisco ASA allows applications to be dynamically excluded from an AnyConnect remote access VPN tunnel by specifying a list of DNS domain names. This is useful when an organisation does not wish to tunnel real-time voice/video applications such as Webex or Microsoft Teams/Office 365 back to the VPN headend device.

With dynamic split tunnelling, when the client resolves a DNS name that falls under one of the domains in the dynamic split-exclude list, AnyConnect takes the IP addresses from the DNS answer and installs them as non-secured routes, so traffic to those addresses leaves the client directly rather than through the tunnel. All other traffic is tunnelled to the ASA as normal. Bear in mind that excluded traffic is never seen by the headend, so it bypasses any inspection, logging or policy applied there; list only the domains you deliberately want outside those controls.
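The following is an added example, not AnyConnect code, that models the client-side behaviour just described: parse the comma-separated list the ASA pushes, watch DNS answers, and turn the resolved addresses of matching names into non-secured host routes. The DNS answers and IP addresses are constructed for the example; the model treats a listed domain as a label-boundary suffix match (so webex.com covers meet.webex.com but not notwebex.com) and installs /32 routes, which is a simplification of what the real client does.

```python
"""Model of AnyConnect dynamic split-exclude behaviour (added example, not
Cisco code). The client watches DNS answers; when the queried name falls
under a domain in the exclusion list, the resolved addresses are added as
non-secured routes so that traffic to them bypasses the tunnel."""
import ipaddress


def parse_exclude_list(value: str) -> list[str]:
    """Split the comma-separated value the ASA pushes (e.g. 'webex.com,wbx2.com')."""
    return [d.strip().lower().rstrip(".") for d in value.split(",") if d.strip()]


def is_excluded(qname: str, exclude_domains: list[str]) -> bool:
    """True when qname equals a listed domain or is a subdomain of one.
    Label-boundary suffix match: 'webex.com' matches 'meet.webex.com'
    but not 'notwebex.com'."""
    name = qname.lower().rstrip(".")
    for dom in exclude_domains:
        if name == dom or name.endswith("." + dom):
            return True
    return False


def apply_dns_answers(answers, exclude_domains, secured=("0.0.0.0/0",)):
    """Return (secured_routes, non_secured_routes) after seeing DNS answers.
    answers: iterable of (qname, ip_string) pairs as the client would see them.
    The secured route defaults to 0.0.0.0/0, i.e. a tunnel-all policy."""
    non_secured = set()
    for qname, ip in answers:
        if is_excluded(qname, exclude_domains):
            addr = ipaddress.ip_address(ip)
            # host route for the resolved address (simplified model)
            non_secured.add(f"{addr}/{addr.max_prefixlen}")
    return list(secured), sorted(non_secured)


def route_for(ip: str, non_secured: list[str]) -> str:
    """Decide whether a destination goes through the tunnel ('tunnel') or
    directly ('bypass') given the current non-secured route set."""
    addr = ipaddress.ip_address(ip)
    for r in non_secured:
        if addr in ipaddress.ip_network(r):
            return "bypass"
    return "tunnel"


# Constructed sample data: the post's list as one ASA value, and DNS answers
# made up for this example (documentation address ranges).
EXCLUDE_VALUE = ("outlook.com,office.com,office365.com,teams.microsoft.com,"
                 "live.com,lync.com,webex.com,ciscospark.com,wbx2.com")
SAMPLE_ANSWERS = [
    ("meet.webex.com", "203.0.113.10"),         # excluded: subdomain of webex.com
    ("teams.microsoft.com", "198.51.100.20"),   # excluded: exact match
    ("login.microsoft.com", "198.51.100.21"),   # not excluded: only teams.microsoft.com is listed
    ("notwebex.com", "203.0.113.99"),           # not excluded: not a label-boundary match
    ("intranet.example.internal", "10.0.0.5"),  # stays in the tunnel
]

if __name__ == "__main__":
    excludes = parse_exclude_list(EXCLUDE_VALUE)
    secured, non_secured = apply_dns_answers(SAMPLE_ANSWERS, excludes)
    print("Secured routes:", secured)
    print("Non-secured (dynamic) routes:", non_secured)
    for _, ip in SAMPLE_ANSWERS:
        print(ip, "->", route_for(ip, non_secured))
```

Note that a listed domain only covers names beneath it: teams.microsoft.com does not exclude login.microsoft.com, which is why the post lists several separate Microsoft domains rather than one.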

This post does not cover configuring all the remote access VPN settings, only the configuration relating to setting up Dynamic Split tunnelling.

ASA Configuration (CLI)

The following configuration was tested on ASA version 9.12(3)9.

Define the AnyConnect custom attribute type dynamic-split-exclude-domains globally under the webvpn configuration context. The description text is free-form.

webvpn
anyconnect-custom-attr dynamic-split-exclude-domains description Exclusion list

Create a list, in this instance called EXCLUDE, adding one anyconnect-custom-data line per DNS domain name. The ASA joins all the values entered for the same list name into a single string, so every entry except the last must end with a comma; without it, adjacent domain names run together into one bogus name. IT IS IMPORTANT TO REMEMBER THE COMMA.

anyconnect-custom-data dynamic-split-exclude-domains EXCLUDE outlook.com,
anyconnect-custom-data dynamic-split-exclude-domains EXCLUDE office.com,
anyconnect-custom-data dynamic-split-exclude-domains EXCLUDE office365.com,
anyconnect-custom-data dynamic-split-exclude-domains EXCLUDE teams.microsoft.com,
anyconnect-custom-data dynamic-split-exclude-domains EXCLUDE live.com,
anyconnect-custom-data dynamic-split-exclude-domains EXCLUDE lync.com,
anyconnect-custom-data dynamic-split-exclude-domains EXCLUDE webex.com,
anyconnect-custom-data dynamic-split-exclude-domains EXCLUDE ciscospark.com,
anyconnect-custom-data dynamic-split-exclude-domains EXCLUDE wbx2.com

Modify the group-policy assigned to the tunnel-group (connection profile) so that it references the dynamic split-exclude list EXCLUDE.

group-policy RAVPN attributes
anyconnect-custom dynamic-split-exclude-domains value EXCLUDE

Verification

  • Log in to a laptop and authenticate to the VPN
  • Open the AnyConnect Advanced Window
  • Click the Statistics tab

When dynamic split tunnelling is configured, the AnyConnect client should list the domains under Dynamic Tunnel Exclusions.

  • Click the Route Details tab

Notice that at this point the only Secured Route is 0.0.0.0/0 (a tunnel-all policy) and there are no Non-Secured Routes yet.

  • Send some traffic to any of the DNS domain names in the dynamic exclusion list, such as webex.com or ciscospark.com

Whenever the client computer communicates with a DNS domain name defined in the dynamic exclusion list, AnyConnect automatically adds the resolved IP address as a Non-Secured Route, and traffic to that address is no longer tunnelled back to the ASA.

Modifying the exclusion list

There does not currently appear to be a way to edit (add or remove) individual DNS domain names in an existing exclusion list.

The only known method is removing the configuration under the group-policy and deleting the exclusion list before re-adding the commands as defined above.

group-policy RAVPN attributes
no anyconnect-custom dynamic-split-exclude-domains
!
no anyconnect-custom-data dynamic-split-exclude-domains EXCLUDE
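Because changing the list means removing and re-entering every line, it is worth generating the CLI rather than typing it. The script below is an added example, not Cisco tooling: it produces the add sequence from the ASA Configuration section and the teardown sequence from this section, puts the trailing comma on every anyconnect-custom-data value except the last, and models the concatenation the ASA performs so you can see what the client actually receives, including what goes wrong when a comma is missing. It goes slightly beyond the post by optionally packing several domains into one value; the list name, group-policy name and the per-value length cap are parameters (the 420-character cap used in the usage note is taken from Cisco's documentation for this attribute and is an assumption here, so check it against your release).

```python
"""ASA CLI generator for an AnyConnect dynamic split-exclude list.
Added example, not Cisco tooling. Reproduces the post's add sequence, the
remove-then-re-add sequence used to change the list, and the detail that
bites people: the ASA joins every anyconnect-custom-data value for a list
name into one string, so each value except the last must end with a comma."""

ATTR = "dynamic-split-exclude-domains"


def clean_domain(d):
    """Normalise one domain name and reject anything that would corrupt the list."""
    d = d.strip().lower().rstrip(".")
    if not d or "," in d or any(c.isspace() for c in d):
        raise ValueError(f"invalid domain name: {d!r}")
    return d


def pack_domains(domains, max_len=None):
    """Group domains into comma-separated values. max_len=None gives one
    domain per value (the layout used in the post); an integer packs as
    many as fit, leaving one character for the trailing comma.
    (Per-value limit is an assumption to be checked against your release.)"""
    cleaned = [clean_domain(d) for d in domains]
    if max_len is None:
        return cleaned
    chunks, current = [], ""
    for d in cleaned:
        candidate = d if not current else f"{current},{d}"
        if current and len(candidate) >= max_len:
            chunks.append(current)
            current = d
        else:
            current = candidate
    if current:
        chunks.append(current)
    return chunks


def config_commands(list_name, group_policy, domains, max_len=None):
    """Add sequence: attribute type, data values, group-policy binding."""
    values = pack_domains(domains, max_len)
    lines = ["webvpn", f" anyconnect-custom-attr {ATTR} description Exclusion list"]
    for i, value in enumerate(values):
        sep = "," if i < len(values) - 1 else ""  # comma on all but the last value
        lines.append(f"anyconnect-custom-data {ATTR} {list_name} {value}{sep}")
    lines += [f"group-policy {group_policy} attributes",
              f" anyconnect-custom {ATTR} value {list_name}"]
    return lines


def removal_commands(list_name, group_policy):
    """Teardown from the post: unbind from the group policy, then delete the data."""
    return [f"group-policy {group_policy} attributes",
            f" no anyconnect-custom {ATTR}",
            f"no anyconnect-custom-data {ATTR} {list_name}"]


def replace_commands(list_name, group_policy, domains, max_len=None):
    """Change an existing list the only way the post found: remove, then re-add."""
    return removal_commands(list_name, group_policy) + config_commands(
        list_name, group_policy, domains, max_len)


def asa_joined_value(lines, list_name):
    """Model of what the ASA hands the client: the value fields of every
    anyconnect-custom-data line for list_name concatenated verbatim."""
    prefix = f"anyconnect-custom-data {ATTR} {list_name} "
    return "".join(line[len(prefix):] for line in lines if line.startswith(prefix))


# The post's list, in the post's order.
PAGE_DOMAINS = ["outlook.com", "office.com", "office365.com", "teams.microsoft.com",
                "live.com", "lync.com", "webex.com", "ciscospark.com", "wbx2.com"]

if __name__ == "__main__":
    cmds = replace_commands("EXCLUDE", "RAVPN", PAGE_DOMAINS)
    print("\n".join(cmds))
    print("\nClient receives:", asa_joined_value(cmds, "EXCLUDE"))
```

Running it prints the removal block followed by the full add block for the post's nine domains; calling `config_commands("EXCLUDE", "RAVPN", PAGE_DOMAINS, max_len=420)` instead would pack them into fewer lines. Feeding `asa_joined_value` two data lines without the comma returns "outlook.comoffice.com", which is exactly the mistake the post's capitalised warning is about.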