Okta Classic Engine | Administration | Answered | 2026-04-01T09:00:20.000Z | 2020-06-02T18:09:09.000Z | 2020-06-08T12:52:57.000Z

MischkaP.72923 (Customer) asked a question.

How to get Okta to see split tunnel VPN as on network

Hello, we have a split tunnel VPN and I am getting interdicted with the off-network MFA that I set up, even though we have implemented the instructions to push Okta traffic over the VPN. Why are the apps still interdicting as if I am off network even when I am connected to the VPN? We are using Cisco ASA. We have already explored:

https://help.okta.com/en/prod/Content/Topics/Apps/Apps_VPN_Notification.htm

https://help.okta.com/en/prod/Content/Topics/Security/Firewall_Whitelisting.htm


  • k5fuw (k5fuw)

    Use the Okta system log to view your IP address when you connect to Okta, to determine if your connection is going out through the VPN connection. If it is AND if that IP address is in your "on network" list AND that list is used in a sign-in rule to control the MFA requirement, then it should work.

     

    We also have Cisco ASA, and I have several app-level sign-in rules that prompt the user for MFA when they're off network. It's not a split-tunnel configuration, but that's really irrelevant. All that matters is the IP address that Okta sees when you sign in.

  • MischkaP.72923 (Customer)

    Mike, thank you - our engineers determined that there was another layer to this:

    1. They added the IPs to the ACL on the Cisco ASA - these were the IPs associated with our original org URL
    2. They chatted with Cisco and determined that we also needed to add the IPs to the NAT statement
    3. After completing steps 1 and 2, the issue still persisted
    4. At that time we determined that the IPs did not cover our custom URL
    5. After adding the custom URL IPs to the statement the issue was fixed.
    6. Here are the things that had to be done:
    • Create the object group
      • AD IPs to the object group
      • NAT statement
      • ACL

     

This question is closed.
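
The check described in the first reply, as an added example that is not part of the original thread and is not Okta's code: read the client IP from System Log events and test it against the "on network" zone used by the sign-in rule. The zone entries and events below are constructed (documentation address ranges), and the event field names are assumed to match the System Log JSON export.

```python
import ipaddress
import json

# Constructed "on network" zone: the public egress addresses of the VPN gateway.
# Entries may be CIDR blocks or "first-last" ranges (assumed zone entry formats).
ON_NETWORK_ZONE = ["203.0.113.0/28", "192.0.2.10-192.0.2.20"]

# Constructed System Log events, trimmed to the fields used here.
SAMPLE_EVENTS = json.loads("""[
 {"published": "2020-06-02T18:01:10.000Z", "eventType": "user.session.start",
  "actor": {"alternateId": "user@example.com"}, "client": {"ipAddress": "203.0.113.5"}},
 {"published": "2020-06-02T18:03:42.000Z", "eventType": "user.authentication.sso",
  "actor": {"alternateId": "user@example.com"}, "client": {"ipAddress": "198.51.100.77"}},
 {"published": "2020-06-02T18:04:05.000Z", "eventType": "user.authentication.sso",
  "actor": {"alternateId": "user@example.com"}, "client": {"ipAddress": "192.0.2.15"}},
 {"published": "2020-06-02T18:05:00.000Z", "eventType": "system.import.start",
  "actor": {"alternateId": "system@okta.com"}, "client": {"ipAddress": null}}
]""")

def zone_networks(entries):
    """Expand CIDR and first-last range entries into ip_network objects."""
    nets = []
    for entry in entries:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
    return nets

def classify(events, zone):
    """Return (published, eventType, user, ip, verdict) for each event."""
    nets, rows = zone_networks(zone), []
    for ev in events:
        ip = (ev.get("client") or {}).get("ipAddress")
        user = (ev.get("actor") or {}).get("alternateId")
        if not ip:
            verdict = "no-ip"  # system events carry no client address
        else:
            addr = ipaddress.ip_address(ip)
            verdict = "on-network" if any(addr in n for n in nets) else "off-network"
        rows.append((ev.get("published"), ev.get("eventType"), user, ip, verdict))
    return rows

def off_network_ips(events, zone):
    """Distinct client IPs that the sign-in rule would treat as off network."""
    return sorted({r[3] for r in classify(events, zone) if r[4] == "off-network"})

if __name__ == "__main__":
    for row in classify(SAMPLE_EVENTS, ON_NETWORK_ZONE):
        print(*row, sep="  ")
```

An address reported by `off_network_ips` while the VPN is connected means that request left outside the tunnel, which is the situation the second reply traced to the custom URL IPs missing from the ASA statements.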