Cisco AnyConnect Secure Mobility Client v2.x Technical Manual

Cisco recommends that you have knowledge of these topics:
ASA or IOS/IOS-XE headend
Endpoint running the AnyConnect VPN client and OpenDNS Roaming client
Components Used
The information in this document is based on these software and hardware versions:
ASA headend running release 9.4
Windows 7
AnyConnect client 4.2.00096
OpenDNS Roaming client 2.0.154
The information in this document was created from the devices in a specific lab environment. All of
the devices used in this document started with a cleared (default) configuration. If your network is
live, make sure that you understand the potential impact of any command.
Background Information
OpenDNS is developing an AnyConnect plugin with the Cisco AnyConnect team, to be made available in
the future. While no dates have been set, this integration will allow the Roaming Client to work with
the AnyConnect client without the workarounds addressed in this document. It will also enable AnyConnect
to serve as a delivery mechanism for the Roaming Client.
Functionality
AnyConnect DNS handling
The VPN headend can be configured in a couple of different ways to handle traffic from the
AnyConnect client:
1. Full tunnel configuration (tunnel-all): all traffic from the endpoint is forced across the
encrypted VPN tunnel, so no traffic leaves the public interface adapter in clear text.
2. Split tunnel configuration:
a. Split-include tunneling: only traffic destined to the specific subnets or hosts defined on the
VPN headend is sent across the tunnel; all other traffic is sent outside the tunnel in clear text.
b. Split-exclude tunneling: only traffic destined to the specific subnets or hosts defined on the
VPN headend is excluded from encryption and leaves the public interface in clear text; all
other traffic is encrypted and sent only across the tunnel.
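The three headend configurations above, expressed as ASA group-policy commands. This is an added example written for this page, not configuration taken from the original document or from Cisco; the ACL names, group-policy and tunnel-group names, subnets, domain and DNS server address are assumed placeholders. The dns-server and default-domain lines are included because they are the values the AnyConnect client receives from the headend and uses for the DNS handling discussed next; the split-dns line is an optional setting shown only to mark where domain-based DNS splitting would be configured.

```text
! Split-tunnel network lists (standard ACLs; all subnets are placeholders)
access-list SPLIT_INCLUDE standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_INCLUDE standard permit 172.16.0.0 255.240.0.0
access-list SPLIT_EXCLUDE standard permit 198.51.100.0 255.255.255.0

! 1. Full tunnel (tunnel-all): every packet, DNS included, enters the tunnel
group-policy GP_TUNNEL_ALL internal
group-policy GP_TUNNEL_ALL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 dns-server value 10.1.1.53
 default-domain value corp.example

! 2a. Split-include: only SPLIT_INCLUDE destinations enter the tunnel;
!     everything else, including DNS to resolvers outside those subnets, goes out in clear text
group-policy GP_SPLIT_INCLUDE internal
group-policy GP_SPLIT_INCLUDE attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_INCLUDE
 dns-server value 10.1.1.53
 default-domain value corp.example
 split-dns value corp.example

! 2b. Split-exclude: SPLIT_EXCLUDE destinations bypass the tunnel; all other traffic is tunneled
group-policy GP_SPLIT_EXCLUDE internal
group-policy GP_SPLIT_EXCLUDE attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT_EXCLUDE
 dns-server value 10.1.1.53
 default-domain value corp.example

! Bind the chosen policy to the tunnel group the AnyConnect clients connect to
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 default-group-policy GP_SPLIT_INCLUDE
```

Swap the default-group-policy line to select the mode under test. After a client connects, `show vpn-sessiondb anyconnect` on the ASA confirms which group policy was applied, which is the first thing to verify before attributing a DNS leak to client-side behavior.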
Each of these configurations determines how DNS resolution is handled by the AnyConnect client,
depending on the operating system of the endpoint. There has been a change in behavior in the
DNS handling mechanism of AnyConnect for Windows in release 4.2, after the fix for
.