From 8626fb3ecc5ea6572476f306ab30dd0eb54bd45f Mon Sep 17 00:00:00 2001 From: deadlypants1973 Date: Thu, 18 Dec 2025 12:21:22 +0000 Subject: [PATCH 1/2] [CF1] Cisco AnyConnect and WARP interoperability --- .../devices/warp/deployment/cisco.mdx | 743 ++++++++++++++++++ 1 file changed, 743 insertions(+) create mode 100644 src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/cisco.mdx diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/cisco.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/cisco.mdx new file mode 100644 index 000000000000000..8d155771d1ad8d4 --- /dev/null +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/cisco.mdx 
@@ -0,0 +1,743 @@ +--- +pcx_content_type: how-to +title: WARP with Cisco AnyConnect +--- + +import { Details, Render } from "~/components"; + +This guide clarifies key concepts for configuring Cloudflare WARP alongside Cisco AnyConnect. It addresses how WARP handles DNS and routing decisions. + +## 1. Prerequisites + +### Core interoperability principles + +Running Cisco AnyConnect and WARP simultaneously requires careful configuration. Adhere to these fundamental rules: + +- Single DNS authority: Only one service (Cloudflare or your existing provider) should actively manage DNS resolution and filtering. +- Single default route owner: Never configure both WARP and Cisco AnyConnect to establish a Full Tunnel. This creates a tunnel-in-a-tunnel conflict. +- Mutual exclusion: Any traffic you configure to go through the Cloudflare WARP tunnel (for example, private subnets) must be explicitly excluded from the Cisco AnyConnect configuration, and vice versa. + +### WARP tunnel terminology + +The following table maps common industry tunneling terms to Cloudflare WARP terminology and explains how each routing model affects traffic flow. + +| Concept | Industry term | Cloudflare WARP term | WARP behavior | +|--------|---------------|----------------------|-------------| +| Routing all traffic | Full tunnel | Exclude mode | WARP asserts precedence over the default route. All traffic goes through WARP except specified exclusions. | +| Routing specific traffic | Split tunnel | Include mode | WARP does not create a default route. Only traffic explicitly defined in the Include list enters the tunnel. | + +Refer to [Split Tunnels](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode) to review how to select a WARP mode in the Cloudflare One dashboard or through Terraform. + +### Default routes + +In networking, the default route dictates where traffic flows when no other specific path is defined. 
Instead of adding a literal `0.0.0.0/0` entry to the routing table, which is a common industry practice, WARP calculates the entire IP address space, subtracts any configured exclusions, and creates high-priority routes for all remaining subnets. + +### Supported tunnel configurations + +The following table outlines the supported tunnel configurations. + +| Cloudflare WARP tunnel mode | Cisco VPN tunnel mode | Compatibility | +|-----------------------------|-----------------------|---------------| +| Include mode (Split tunnel) | Split tunnel | ✅ Supported | +| Exclude mode (Full tunnel) | Split tunnel | ✅ Supported | +| Include mode (Split tunnel) | Full tunnel | ✅ Supported | +| Exclude mode (Full tunnel) | Full tunnel | ❌ Not supported | + +Running WARP in Exclude mode (Full tunnel) and Cisco AnyConnect as a full tunnel at the same time will lead to a tunnel-in-a-tunnel conflict. Explain what tunnel-in-a-tunnel is. + +### WARP modes + +WARP operates in several modes, each with different traffic handling capabilities: + + + +## 2. WARP mode decision matrix + +Your decisions on which service actively manages DNS and how you want to route network traffic will determine the correct WARP mode and configuration approach for your environment. 
+ +```mermaid +flowchart TD + A{"Do you want to filter DNS?"} + + A -- Yes --> B{"Do you want to use your existing provider or Cloudflare for DNS filtering?"} + A -- No --> C{"Do you want IP-based or application-based filtering?"} + + B -- Cloudflare --> D{"Do you want network and HTTP filtering?"} + B -- Existing provider --> C + + D -- No --> E["Gateway with DoH"] + D -- Yes --> F["Gateway with WARP"] + + E --> E1["No WARP tunnel setup, configure Cisco AnyConnect tunnel as needed"] + + C -- IP --> G["Secure Web Gateway without DNS filtering (Tunnel-only)"] + C -- Application --> H["Proxy mode"] + + H --> H1["Configure applications you want to direct to WARP"] + + %% Routing decision applies when WARP tunnel is active + F --> I{"Where does random traffic (0.0.0.0/0) go?"} + G --> I + + I -- Internet --> J["Set WARP tunnel to Include (split tunnel) mode"] + J --> J1["Cisco must be split tunnel"] + + I -- WARP --> K["Set WARP tunnel to Exclude (full tunnel) mode"] + K --> K1["Cisco must be split tunnel"] + + I -- Cisco AnyConnect --> L["Set WARP tunnel to Include (split tunnel) mode"] + L --> L1["Cisco can be full tunnel or split tunnel"] +``` +```mermaid +flowchart TD + A{"Do you want to filter DNS?"} + + A -- Yes --> B{"Do you want to use your existing provider or Cloudflare for DNS filtering?"} + A -- No --> C{"Do you want IP-based or application-based filtering?"} + + B -- Cloudflare --> D{"Do you want network and HTTP filtering?"} + B -- Existing provider --> C + + D -- No --> E["Gateway with DoH"] + D -- Yes --> F["Gateway with WARP"] + + E --> E1["No WARP tunnel setup, configure Cisco AnyConnect tunnel as needed"] + + C -- IP --> G["Secure Web Gateway without DNS filtering (Tunnel-only)"] + C -- Application --> H["Proxy mode"] + + H --> H1["Configure applications you want to direct to WARP"] + + %% Routing decision applies when WARP tunnel is active + F --> I{"Where does random traffic (0.0.0.0/0) go?"} + G --> I + + I -- Internet --> J["Set WARP tunnel to 
Include (split tunnel) mode"] + I -- WARP --> K["Set WARP tunnel to Exclude (full tunnel) mode"] + + %% Shared constraint + J --> S["Cisco must be split tunnel"] + K --> S + + I -- Cisco AnyConnect --> L["Set WARP tunnel to Include (split tunnel) mode"] + L --> L1["Cisco can be full tunnel or split tunnel"] + +``` + +## 3. Configuration instructions by WARP mode + +The following sections display Cisco AnyConnect and Cloudflare configuration instructions for each WARP mode. + +- [Gateway with DoH](#gateway-with-doh) (DNS Handled by WARP, No IP Tunnel) +- [Gateway with WARP](#gateway-with-warp) (DNS Handled by WARP, IP Tunnel) +- [Secure Web Gateway without DNS Filtering](#secure-web-gateway-without-dns-filtering-tunnel-only) (IP Tunnel Only) +- [Proxy mode](#proxy-mode) (Application-based filtering) + +### Implementation considerations + +#### Exclude Cloudflare endpoints from AnyConnect configuration + +Regardless of what WARP mode you use, you must always exclude the following Cloudflare endpoints from the Cisco AnyConnect tunnel to ensure proper interoperability: + +- Client orchestration API +- DoH IPs +- Client authentication endpoint +- Captive portal + +Additional exclusions may be required based on your desired WARP mode and are listed in this document for each WARP mode. There are other Cloudflare endpoints you may want to exclude for security or functionality reasons, but they are not critical to the operation of the WARP client. For more information about Cloudflare WARP operability with firewalls, refer to [WARP with firewall](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/). + +#### Configure routing for WARP and Cisco AnyConnect tunnels + +:::note + +This section only applies if you are using Gateway with WARP or Secure Web Gateway without DNS Filtering (Tunnel Only) modes. + +::: + +The Gateway with WARP and Secure Web Gateway without DNS Filtering (Tunnel Only) modes both provide IP filtering capabilities. 
+ +If you are using Gateway with WARP or Secure Web Gateway without DNS Filtering (Tunnel Only) mode for your WARP deployment, you must appropriately configure both the WARP client and the Cisco AnyConnect client to avoid conflicts. + +| Where 0.0.0.0/0 goes | Required WARP tunnel mode | Required Cisco AnyConnect mode | Outcome | +|---------------------|---------------------------|---------------------------------|---------| +| Internet (neither WARP nor Cisco) | Include mode | Split tunnel | Both clients are limited to specific routes; general internet traffic bypasses both tunnels. | +| WARP | Exclude mode | Split tunnel | WARP asserts the default route and captures all traffic not explicitly excluded. Any Cisco-routed traffic must be excluded from WARP. | +| Cisco AnyConnect | Include mode | Full tunnel or split tunnel | Cisco asserts the default route. WARP is used only for explicitly included traffic, which must be excluded from Cisco. | + +:::caution[Prevent tunnel in a tunnel errors] + +Do not configure both WARP and Cisco AnyConnect to assert the [default route](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#default-routes). This creates a ["tunnel in a tunnel" conflict](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#supported-tunnel-configurations). + +::: + +--- + +### Gateway with DoH + +Gateway with DNS-over-HTTPs (DoH) mode is ideal if you only require Cloudflare DNS filtering and policy enforcement. + +| Mode | DNS filtering | Network filtering | HTTP filtering | Function | +|------|---------------|--------------------------|-----------|----------| +| Gateway with DoH | Yes | No | No | DNS filtering only. Does not tunnel IP traffic.| + + +#### 1. Cisco AnyConnect Configuration + +The following steps must be taken in your Cisco AnyConnect configuration to ensure proper interoperability with Cloudflare WARP. + +##### 1.1. 
DNS + +Disable DNS configuration/filtering on the Cisco ASA, or ensure it is explicitly delegated to the system/WARP. + +##### 1.2. Tunnel + +Configure Cisco AnyConnect to deny (exclude) the following Cloudflare components from the VPN tunnel: + +
+ +The WARP client connects to Cloudflare via a standard HTTPS connection outside the tunnel for operations like registration or settings changes. To perform these operations, you must allow the following IPs and domains: + + + +Even though `zero-trust-client.cloudflareclient.com` and `notifications.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. + +
+ +To deploy WARP in FedRAMP High environments, you will need to allow a different set of IPs and domains through your firewall: + +- IPv4 API endpoints: `162.159.213.1` and `172.64.98.1` +- IPv6 API endpoints: `2606:54c1:11::` and `2a06:98c1:4b::` +- SNIs: `api.devices.fed.cloudflare.com` and `notifications.devices.fed.cloudflare.com` + +
+ +
+ +
+ +In [Gateway with DoH](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/#gateway-with-doh) mode, the WARP client sends DNS requests to Gateway over an HTTPS connection. For DNS to work correctly, you must allow the following IPs and domains: + +- IPv4 DoH addresses: `162.159.36.1` and `162.159.46.1` +- IPv6 DoH addresses: `2606:4700:4700::1111` and `2606:4700:4700::1001` +- SNIs: `.cloudflare-gateway.com` + +Even though `.cloudflare-gateway.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. + +
+To deploy WARP in FedRAMP High environments, you will need to allow a different set of IPs and domains through your firewall: + +- IPv4 DoH addresses: `172.64.100.3` and `172.64.101.3` +- IPv6 DoH addresses: `2606:54c1:13::2` +- SNIs: `.fed.cloudflare-gateway.com` +
+ +
+ +
+ +When you [log in to your Cloudflare One organization](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/), you will have to complete the authentication steps required by your organization in the browser window that opens. To perform these operations, you must allow the following domains: + +- The IdP used to authenticate to Cloudflare One +- `.cloudflareaccess.com` + +
+To deploy WARP in FedRAMP High environments, you will need to allow different domains through your firewall: + +- FedRAMP High IdP used to authenticate to Cloudflare One +- `.fed.cloudflareaccess.com`. + +
+ +
+ +
+ +The following domains are used as part of our captive portal check: + +- `cloudflareportal.com` +- `cloudflareok.com` +- `cloudflarecp.com` +- `www.msftconnecttest.com` +- `captive.apple.com` +- `connectivitycheck.gstatic.com` + +
+ +There are other Cloudflare endpoints you may want to exclude for security or functionality reasons, but they are not critical to the operation of the WARP client. Refer to the [WARP with firewall](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/) documentation for more information. + +#### 2. Cloudflare WARP Configuration + +The following steps must be taken in your Cloudflare One configuration to ensure proper interoperability with Cisco AnyConnect. + +##### 2.1 DNS + +Need Cloudflare-specific instructions here. + +##### 2.2 Tunnel + +No configuration is required. WARP does not create a tunnel in this mode, meaning no routing updates conflict with Cisco. + +Mode Verification: Verify your Device Profile service mode is set to Gateway with DoH. + +--- + +### Gateway with WARP + +Gateway with WARP mode is ideal if you require Cloudflare DNS filtering and policy enforcement, as well as IP/HTTP filtering. + +| Mode | DNS filtering | Network filtering | HTTP filtering | Function | +|------|---------------|--------------------------|-----------|----------| +| Gateway with WARP | Yes | Yes | Yes | DNS filtering and IP/HTTP filtering. Tunnels IP traffic.| + +#### 1. Cisco AnyConnect configuration + +The following steps must be taken in your Cisco AnyConnect configuration to ensure proper interoperability with Cloudflare WARP. + +##### 1.1 DNS + +Disable DNS configuration/filtering on the Cisco ASA, or ensure it is explicitly delegated to the system/WARP. + +##### 1.2 Tunnel + +###### 1.2.1 Set AnyConnect to Split tunnel or Full tunnel + +Set your AnyConnect client to Split tunnel or Full tunnel based on your [Routing decision matrix](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#configure-routing-for-warp-and-cisco-anyconnect-tunnels) choice. 
+ +###### 1.2.2 Exclude Cloudflare endpoints from AnyConnect tunnel + +Configure Cisco AnyConnect to deny (exclude) the following Cloudflare components from the VPN tunnel: + +- Any IP addresses that you have configured to run through WARP tunnel +
+ +The WARP client connects to Cloudflare via a standard HTTPS connection outside the tunnel for operations like registration or settings changes. To perform these operations, you must allow the following IPs and domains: + + + +Even though `zero-trust-client.cloudflareclient.com` and `notifications.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. + +
+ +To deploy WARP in FedRAMP High environments, you will need to allow a different set of IPs and domains through your firewall: + +- IPv4 API endpoints: `162.159.213.1` and `172.64.98.1` +- IPv6 API endpoints: `2606:54c1:11::` and `2a06:98c1:4b::` +- SNIs: `api.devices.fed.cloudflare.com` and `notifications.devices.fed.cloudflare.com` + +
+ +
+ +
+ +In [Gateway with DoH](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/#gateway-with-doh) mode, the WARP client sends DNS requests to Gateway over an HTTPS connection. For DNS to work correctly, you must allow the following IPs and domains: + +- IPv4 DoH addresses: `162.159.36.1` and `162.159.46.1` +- IPv6 DoH addresses: `2606:4700:4700::1111` and `2606:4700:4700::1001` +- SNIs: `.cloudflare-gateway.com` + +Even though `.cloudflare-gateway.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. + +
+To deploy WARP in FedRAMP High environments, you will need to allow a different set of IPs and domains through your firewall: + +- IPv4 DoH addresses: `172.64.100.3` and `172.64.101.3` +- IPv6 DoH addresses: `2606:54c1:13::2` +- SNIs: `.fed.cloudflare-gateway.com` +
+ +
+ +
+ +When you [log in to your Cloudflare One organization](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/), you will have to complete the authentication steps required by your organization in the browser window that opens. To perform these operations, you must allow the following domains: + +- The IdP used to authenticate to Cloudflare One +- `.cloudflareaccess.com` + +
+To deploy WARP in FedRAMP High environments, you will need to allow different domains through your firewall: + +- FedRAMP High IdP used to authenticate to Cloudflare One +- `.fed.cloudflareaccess.com`. + +
+ +
+ +
+ +The following domains are used as part of our captive portal check: + +- `cloudflareportal.com` +- `cloudflareok.com` +- `cloudflarecp.com` +- `www.msftconnecttest.com` +- `captive.apple.com` +- `connectivitycheck.gstatic.com` + +
+ +
+ +**WireGuard** + +| | | +| -------------- | ------------------------------------------- | +| IPv4 address | `162.159.193.0/24` | +| IPv6 address | `2606:4700:100::/48` | +| Default port | `UDP 2408` | +| Fallback ports | `UDP 500`
`UDP 1701`
`UDP 4500` | + +**MASQUE** + +| | | +| -------------- | ------------------------------------------------------------------------------------------------------------------- | +| IPv4 address | `162.159.197.0/24` | +| IPv6 address | `2606:4700:102::/48` | +| Default port | `UDP 443` | +| Fallback ports | `UDP 500`
`UDP 1701`
`UDP 4500`
`UDP 4443`
`UDP 8443`
`UDP 8095`
`TCP 443` [^1] | + +[^1]: Required for HTTP/2 fallback + +:::note + +Before you [log in to your Cloudflare One organization](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/), you may see the IPv4 range `162.159.192.0/24`. This IP is used for consumer WARP ([1.1.1.1 w/ WARP](/warp-client/)) and is not required for Zero Trust services. +::: + +
+ +Devices will use the MASQUE protocol in FedRAMP High environments. To deploy WARP for FedRAMP High, you will need to allow the following IPs and ports: + +| | | +| -------------- | ------------------------------------------------------------------------------------------------------------------- | +| IPv4 address | `162.159.239.0/24` | +| IPv6 address | `2606:4700:105::/48` | +| Default port | `UDP 443` | +| Fallback ports | `UDP 500`
`UDP 1701`
`UDP 4500`
`UDP 4443`
`UDP 8443`
`UDP 8095`
`TCP 443` [^1] | + +[^1]: Required for HTTP/2 fallback + +
+ +
+ +There are other Cloudflare endpoints you may want to exclude for security or functionality reasons, but they are not critical to the operation of the WARP client. Refer to the [WARP with firewall](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/) documentation for more information. + +#### 2. Cloudflare WARP Configuration + +The following steps must be taken in your Cloudflare One configuration to ensure proper interoperability with Cisco AnyConnect. + +##### 2.1 Set WARP Split Tunnels mode + +Set your WARP Split Tunnels mode to Include (Split tunnel) or Exclude (Full tunnel) based on your [Routing decision matrix](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#configure-routing-for-warp-and-cisco-anyconnect-tunnels) choice. + + + +##### 2.2 Exclude Cisco endpoints from the WARP tunnel + +Add the following Cisco entries to the WARP Split Tunnel Exclude list: + +- The Public IP address of the Cisco firewall/VPN concentrator. +- The private IP range/subnet used by the Cisco AnyConnect client (the split tunnel configuration of AnyConnect). This prevents the WARP tunnel from interfering with Cisco's internal routes. + +--- + +### Secure Web Gateway without DNS Filtering (Tunnel only) + +Use Secure Web Gateway without DNS filtering (Tunnel only) mode when you need Cloudflare's IP/HTTP filtering capabilities but must retain your existing DNS provider. + +| Mode | DNS filtering | Network filtering | HTTP filtering | Function | +|------|---------------|--------------------------|-----------|----------| +| Secure Web Gateway without DNS Filtering (Tunnel Only) | No | Yes | Yes | IP/HTTP filtering only. Tunnels IP traffic.| + +#### 1. Cisco AnyConnect configuration + +The following steps must be taken in your Cisco AnyConnect configuration to ensure proper interoperability with Cloudflare WARP. + +##### 1.1 DNS + +No changes are needed to your existing DNS provider as Cloudflare will not be handling DNS filtering in this mode. 
+ +##### 1.2.Tunnel + +###### 1.2.1 Set AnyConnect to Split tunnel or Full tunnel + +Set your AnyConnect client to Split tunnel or Full tunnel based on your [Routing decision matrix](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#configure-routing-for-warp-and-cisco-anyconnect-tunnels) choice. + +###### 1.2.2 Exclude Cloudflare endpoints from AnyConnect tunnel + +Configure Cisco AnyConnect to deny (exclude) the following Cloudflare components from the VPN tunnel: + +- Any IP addresses that you have configured to run through WARP tunnel +
+ +The WARP client connects to Cloudflare via a standard HTTPS connection outside the tunnel for operations like registration or settings changes. To perform these operations, you must allow the following IPs and domains: + + + +Even though `zero-trust-client.cloudflareclient.com` and `notifications.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. + +
+ +To deploy WARP in FedRAMP High environments, you will need to allow a different set of IPs and domains through your firewall: + +- IPv4 API endpoints: `162.159.213.1` and `172.64.98.1` +- IPv6 API endpoints: `2606:54c1:11::` and `2a06:98c1:4b::` +- SNIs: `api.devices.fed.cloudflare.com` and `notifications.devices.fed.cloudflare.com` + +
+ +
+ +
+ +In [Gateway with DoH](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/#gateway-with-doh) mode, the WARP client sends DNS requests to Gateway over an HTTPS connection. For DNS to work correctly, you must allow the following IPs and domains: + +- IPv4 DoH addresses: `162.159.36.1` and `162.159.46.1` +- IPv6 DoH addresses: `2606:4700:4700::1111` and `2606:4700:4700::1001` +- SNIs: `.cloudflare-gateway.com` + +Even though `.cloudflare-gateway.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. + +
+To deploy WARP in FedRAMP High environments, you will need to allow a different set of IPs and domains through your firewall: + +- IPv4 DoH addresses: `172.64.100.3` and `172.64.101.3` +- IPv6 DoH addresses: `2606:54c1:13::2` +- SNIs: `.fed.cloudflare-gateway.com` +
+ +
+ +
+ +When you [log in to your Cloudflare One organization](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/), you will have to complete the authentication steps required by your organization in the browser window that opens. To perform these operations, you must allow the following domains: + +- The IdP used to authenticate to Cloudflare One +- `.cloudflareaccess.com` + +
+To deploy WARP in FedRAMP High environments, you will need to allow different domains through your firewall: + +- FedRAMP High IdP used to authenticate to Cloudflare One +- `.fed.cloudflareaccess.com`. + +
+ +
+ +
+ +The following domains are used as part of our captive portal check: + +- `cloudflareportal.com` +- `cloudflareok.com` +- `cloudflarecp.com` +- `www.msftconnecttest.com` +- `captive.apple.com` +- `connectivitycheck.gstatic.com` + +
+ +
+ +**WireGuard** + +| | | +| -------------- | ------------------------------------------- | +| IPv4 address | `162.159.193.0/24` | +| IPv6 address | `2606:4700:100::/48` | +| Default port | `UDP 2408` | +| Fallback ports | `UDP 500`
`UDP 1701`
`UDP 4500` | + +**MASQUE** + +| | | +| -------------- | ------------------------------------------------------------------------------------------------------------------- | +| IPv4 address | `162.159.197.0/24` | +| IPv6 address | `2606:4700:102::/48` | +| Default port | `UDP 443` | +| Fallback ports | `UDP 500`
`UDP 1701`
`UDP 4500`
`UDP 4443`
`UDP 8443`
`UDP 8095`
`TCP 443` [^1] | + +[^1]: Required for HTTP/2 fallback + +:::note + +Before you [log in to your Cloudflare One organization](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/), you may see the IPv4 range `162.159.192.0/24`. This IP is used for consumer WARP ([1.1.1.1 w/ WARP](/warp-client/)) and is not required for Zero Trust services. +::: + +
+ +Devices will use the MASQUE protocol in FedRAMP High environments. To deploy WARP for FedRAMP High, you will need to allow the following IPs and ports: + +| | | +| -------------- | ------------------------------------------------------------------------------------------------------------------- | +| IPv4 address | `162.159.239.0/24` | +| IPv6 address | `2606:4700:105::/48` | +| Default port | `UDP 443` | +| Fallback ports | `UDP 500`
`UDP 1701`
`UDP 4500`
`UDP 4443`
`UDP 8443`
`UDP 8095`
`TCP 443` [^1] | + +[^1]: Required for HTTP/2 fallback + +
+ +
+ +There are other Cloudflare endpoints you may want to exclude for security or functionality reasons, but they are not critical to the operation of the WARP client. Refer to the [WARP with firewall](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/) documentation for more information. + +#### 2. Cloudflare WARP configuration + +The following steps must be taken in your Cloudflare One configuration to ensure proper interoperability with Cisco AnyConnect. + +##### 2.1 Set WARP Split Tunnels mode + +Set your WARP Split Tunnels mode to Include (Split tunnel) or Exclude (Full tunnel) based on your [Routing decision matrix](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#configure-routing-for-warp-and-cisco-anyconnect-tunnels) choice. + + + +##### 2.2 Add Cisco endpoint exclusions + +Add the following Cisco entries to the WARP Split Tunnel Exclude list: + +- The Public IP address of the Cisco firewall/VPN concentrator. +- The private IP range/subnet used by the Cisco AnyConnect client (the split tunnel configuration of AnyConnect). This prevents the WARP tunnel from interfering with Cisco's internal routes. + +--- + +### Proxy mode + +Proxy mode is best suited for organizations that want to filter traffic originating from specific applications. + +| Mode | DNS filtering | Network filtering | HTTP filtering | Function | +|------|---------------|--------------------------|-----------|----------| +| Proxy mode | No | No | Yes | Routes HTTP traffic on a per-application or OS basis.| + +#### 1. Cisco AnyConnect configuration + +The following steps must be taken in your Cisco AnyConnect configuration to ensure proper interoperability with Cloudflare WARP. + +##### 1.1 DNS + +No changes are needed to your existing DNS provider as Cloudflare will not be handling DNS filtering in this mode. + +##### 1.2 Tunnel + +Configure Cisco AnyConnect to deny (exclude) the following Cloudflare components from the VPN tunnel: + +
+ +The WARP client connects to Cloudflare via a standard HTTPS connection outside the tunnel for operations like registration or settings changes. To perform these operations, you must allow the following IPs and domains: + + + +Even though `zero-trust-client.cloudflareclient.com` and `notifications.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. + +
+ +To deploy WARP in FedRAMP High environments, you will need to allow a different set of IPs and domains through your firewall: + +- IPv4 API endpoints: `162.159.213.1` and `172.64.98.1` +- IPv6 API endpoints: `2606:54c1:11::` and `2a06:98c1:4b::` +- SNIs: `api.devices.fed.cloudflare.com` and `notifications.devices.fed.cloudflare.com` + +
+ +
+ +
+ +In [Gateway with DoH](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/#gateway-with-doh) mode, the WARP client sends DNS requests to Gateway over an HTTPS connection. For DNS to work correctly, you must allow the following IPs and domains: + +- IPv4 DoH addresses: `162.159.36.1` and `162.159.46.1` +- IPv6 DoH addresses: `2606:4700:4700::1111` and `2606:4700:4700::1001` +- SNIs: `.cloudflare-gateway.com` + +Even though `.cloudflare-gateway.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. + +
+To deploy WARP in FedRAMP High environments, you will need to allow a different set of IPs and domains through your firewall: + +- IPv4 DoH addresses: `172.64.100.3` and `172.64.101.3` +- IPv6 DoH addresses: `2606:54c1:13::2` +- SNIs: `.fed.cloudflare-gateway.com` +
+ +
+ +
+ +When you [log in to your Cloudflare One organization](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/), you will have to complete the authentication steps required by your organization in the browser window that opens. To perform these operations, you must allow the following domains: + +- The IdP used to authenticate to Cloudflare One +- `.cloudflareaccess.com` + +
+To deploy WARP in FedRAMP High environments, you will need to allow different domains through your firewall: + +- FedRAMP High IdP used to authenticate to Cloudflare One +- `.fed.cloudflareaccess.com`. + +
+ +
+ +
+ +The following domains are used as part of our captive portal check: + +- `cloudflareportal.com` +- `cloudflareok.com` +- `cloudflarecp.com` +- `www.msftconnecttest.com` +- `captive.apple.com` +- `connectivitycheck.gstatic.com` + +
+ +
+ +Proxy mode only uses MASQUE, so exclude MASQUE endpoints only. + +| | | +| -------------- | ------------------------------------------------------------------------------------------------------------------- | +| IPv4 address | `162.159.197.0/24` | +| IPv6 address | `2606:4700:102::/48` | +| Default port | `UDP 443` | +| Fallback ports | `UDP 500`
`UDP 1701`
`UDP 4500`
`UDP 4443`
`UDP 8443`
`UDP 8095`
`TCP 443` [^1] | + +[^1]: Required for HTTP/2 fallback + +:::note + +Before you [log in to your Cloudflare One organization](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/), you may see the IPv4 range `162.159.192.0/24`. This IP is used for consumer WARP ([1.1.1.1 w/ WARP](/warp-client/)) and is not required for Zero Trust services. +::: + +
+ +Devices will use the MASQUE protocol in FedRAMP High environments. To deploy WARP for FedRAMP High, you will need to allow the following IPs and ports: + +| | | +| -------------- | ------------------------------------------------------------------------------------------------------------------- | +| IPv4 address | `162.159.239.0/24` | +| IPv6 address | `2606:4700:105::/48` | +| Default port | `UDP 443` | +| Fallback ports | `UDP 500`
`UDP 1701`
`UDP 4500`
`UDP 4443`
`UDP 8443`
`UDP 8095`
`TCP 443` [^1] | + +[^1]: Required for HTTP/2 fallback + +
+ +
+ +There are other Cloudflare endpoints you may want to exclude for security or functionality reasons, but they are not critical to the operation of the WARP client. Refer to the [WARP with firewall](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/) documentation for more information. + +#### Cloudflare WARP configuration + +The following steps must be taken in your Cloudflare One configuration to ensure proper interoperability with Cisco AnyConnect. + +TODO: Need instructions on how to set up proxy mode. + +--- + + From 9d233ad1bf732798f55fdacadbf590f8c131e152 Mon Sep 17 00:00:00 2001 From: deadlypants1973 Date: Fri, 19 Dec 2025 15:10:41 +0000 Subject: [PATCH 2/2] final updates to first draft --- .../devices/warp/deployment/cisco.mdx | 232 ++++++++---------- .../warp/change-split-tunnels-mode.mdx | 2 +- .../cisco/default-route-routing-table.mdx | 5 + .../warp/cisco/exclude-include-definition.mdx | 5 + 4 files changed, 113 insertions(+), 131 deletions(-) create mode 100644 src/content/partials/cloudflare-one/warp/cisco/default-route-routing-table.mdx create mode 100644 src/content/partials/cloudflare-one/warp/cisco/exclude-include-definition.mdx diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/cisco.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/cisco.mdx index 8d155771d1ad8d4..54a3df6a78a8b0a 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/cisco.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/cisco.mdx 
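Review bot: three author placeholders are left in the published text of this hunk and need to be resolved or removed before merge: "Explain what tunnel-in-a-tunnel is." at the end of the Supported tunnel configurations section, "Need Cloudflare-specific instructions here." under Gateway with DoH 2.1 DNS, and "TODO: Need instructions on how to set up proxy mode." under Proxy mode. The first one matters most, because the caution box under "Configure routing for WARP and Cisco AnyConnect tunnels" links to #supported-tunnel-configurations for exactly that explanation and the target currently contains none; a sentence stating that two clients both claiming the default route encapsulate each other's traffic and neither exclusion list takes effect would close the gap. The WARP mode decision matrix contains two near-identical mermaid flowcharts back to back; keep one (the second, which merges the duplicated "Cisco must be split tunnel" leaves into a shared node, is cleaner) and consider changing the node text "Where does random traffic (0.0.0.0/0) go?" to "Where does default-route traffic (0.0.0.0/0) go?" to match the "Where 0.0.0.0/0 goes" column of the routing table below. The footnote definition `[^1]: Required for HTTP/2 fallback` is repeated after every MASQUE table; footnote identifiers are expected to be unique per document and duplicate definitions are normally collapsed into the first and flagged by linters, so define it once or give each table its own identifier. Heading numbering and capitalization also drift: "#### 1. Cisco AnyConnect Configuration" versus "#### 1. Cisco AnyConnect configuration", "##### 1.1." versus "##### 1.1", "##### 1.2.Tunnel" (missing space), and the Proxy mode section's "#### Cloudflare WARP configuration" lacks the "2." prefix used in every other mode. Lastly, in the Gateway with WARP and Tunnel-only sections the AnyConnect exclusion bullet "Any IP addresses that you have configured to run through WARP tunnel" only describes the Include-mode case; the routing table states the inverse for Exclude mode (Cisco-routed traffic must be excluded from WARP), so either split the bullet by mode or point it at the routing table so readers do not apply the wrong exclusion direction.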
@@ -5,16 +5,18 @@ title: WARP with Cisco AnyConnect import { Details, Render } from "~/components"; -This guide clarifies key concepts for configuring Cloudflare WARP alongside Cisco AnyConnect. It addresses how WARP handles DNS and routing decisions. +This guide clarifies key concepts for configuring Cloudflare WARP alongside Cisco AnyConnect. This document addresses how WARP handles DNS and routing decisions. ## 1. Prerequisites +- Read the [Get started guide](/cloudflare-one/setup/) to set up a Cloudflare account and create a Zero Trust organization. + ### Core interoperability principles Running Cisco AnyConnect and WARP simultaneously requires careful configuration. Adhere to these fundamental rules: - Single DNS authority: Only one service (Cloudflare or your existing provider) should actively manage DNS resolution and filtering. -- Single default route owner: Never configure both WARP and Cisco AnyConnect to establish a Full Tunnel. This creates a tunnel-in-a-tunnel conflict. +- Single default route owner: Never configure both WARP and Cisco AnyConnect to establish a Full Tunnel. - Mutual exclusion: Any traffic you configure to go through the Cloudflare WARP tunnel (for example, private subnets) must be explicitly excluded from the Cisco AnyConnect configuration, and vice versa. ### WARP tunnel terminology 
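Review bot: in the `- Single default route owner` bullet, deleting "This creates a tunnel-in-a-tunnel conflict." leaves the rule without its consequence in the Prerequisites, which is where a first-time reader meets it; keep a pointer to where the term is now defined, for example `- Single default route owner: Never configure both WARP and Cisco AnyConnect to establish a Full Tunnel (see [Supported routing combinations](#supported-routing-combinations)).` Minor: "This guide clarifies ... This document addresses" repeats the subject; the original "It addresses" read more smoothly.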
@@ -23,8 +25,8 @@ The following table maps common industry tunneling terms to Cloudflare WARP term | Concept | Industry term | Cloudflare WARP term | WARP behavior | |--------|---------------|----------------------|-------------| -| Routing all traffic | Full tunnel | Exclude mode | WARP asserts precedence over the default route. All traffic goes through WARP except specified exclusions. | -| Routing specific traffic | Split tunnel | Include mode | WARP does not create a default route. Only traffic explicitly defined in the Include list enters the tunnel. | +| Routing all traffic | Full tunnel | Exclude IPs and domains | WARP asserts precedence over the default route. All traffic goes through WARP tunnel except specified exclusions. | +| Routing specific traffic | Split tunnel | Include IPs and domains | WARP does not assert precedence over the default route. Only traffic explicitly defined in the Include list enters the WARP tunnel. | Refer to [Split Tunnels](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode) to review how to select a WARP mode in the Cloudflare One dashboard or through Terraform. 
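Review bot: the new Exclude row drops an article ("All traffic goes through WARP tunnel"); make it "through the WARP tunnel". The mode names are written plain here but as code spans (`Exclude IPs and domains`) in the hunk that follows; pick one convention for the whole page, since these are literal dashboard option labels.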
@@ -32,18 +34,22 @@ Refer to [Split Tunnels](/cloudflare-one/team-and-resources/devices/warp/configu In networking, the default route dictates where traffic flows when no other specific path is defined. Instead of adding a literal `0.0.0.0/0` entry to the routing table, which is a common industry practice, WARP calculates the entire IP address space, subtracts any configured exclusions, and creates high-priority routes for all remaining subnets. -### Supported tunnel configurations +### Supported routing combinations -The following table outlines the supported tunnel configurations. +The following table outlines the supported routing combinations. -| Cloudflare WARP tunnel mode | Cisco VPN tunnel mode | Compatibility | +| Cloudflare WARP | Cisco VPN | Compatibility | |-----------------------------|-----------------------|---------------| -| Include mode (Split tunnel) | Split tunnel | ✅ Supported | -| Exclude mode (Full tunnel) | Split tunnel | ✅ Supported | -| Include mode (Split tunnel) | Full tunnel | ✅ Supported | -| Exclude mode (Full tunnel) | Full tunnel | ❌ Not supported | +| Include IPs and domains | Split tunnel | ✅ Supported | +| Exclude IPs and domains | Split tunnel | ✅ Supported | +| Include IPs and domains | Full tunnel | ✅ Supported | +| Exclude IPs and domains | Full tunnel | ❌ Not supported | + + + +Running WARP in `Exclude IPs and domains` (essentially, a full tunnel) and Cisco AnyConnect as a full tunnel at the same time will lead to a tunnel-in-a-tunnel conflict. -Running WARP in Exclude mode (Full tunnel) and Cisco AnyConnect as a full tunnel at the same time will lead to a tunnel-in-a-tunnel conflict. Explain what tunnel-in-a-tunnel is. +A tunnel-in-a-tunnel conflict occurs when the destination of one tunnel is configured in the other tunnel. 
For example, Cisco AnyConnect is configured for a full tunnel and is not configured to exclude the [WARP ingress IPs](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/#warp-ingress-ip). Similarly, WARP is configured to `Exclude IPs and domains` but is not configured to exclude the public IP address of the Cisco AnyConnect firewall. ### WARP modes 
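Review bot: the new definition "occurs when the destination of one tunnel is configured in the other tunnel" is too vague to act on; say what the destination is, that is, one tunnel's own endpoint (the WARP ingress IPs, or the public IP of the Cisco ASA/VPN concentrator) falls inside the other tunnel's routes, so that tunnel's encapsulated packets are themselves sent into the other tunnel. In the example, "Similarly" reads as if both misconfigurations must be present at once, whereas the definition says either one alone nests a tunnel; "Or, WARP is configured to ..." makes that explicit.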
@@ -65,63 +71,52 @@ flowchart TD B -- Cloudflare --> D{"Do you want network and HTTP filtering?"} B -- Existing provider --> C - D -- No --> E["Gateway with DoH"] - D -- Yes --> F["Gateway with WARP"] - - E --> E1["No WARP tunnel setup, configure Cisco AnyConnect tunnel as needed"] - - C -- IP --> G["Secure Web Gateway without DNS filtering (Tunnel-only)"] - C -- Application --> H["Proxy mode"] - - H --> H1["Configure applications you want to direct to WARP"] - - %% Routing decision applies when WARP tunnel is active - F --> I{"Where does random traffic (0.0.0.0/0) go?"} - G --> I - - I -- Internet --> J["Set WARP tunnel to Include (split tunnel) mode"] - J --> J1["Cisco must be split tunnel"] - - I -- WARP --> K["Set WARP tunnel to Exclude (full tunnel) mode"] - K --> K1["Cisco must be split tunnel"] - - I -- Cisco AnyConnect --> L["Set WARP tunnel to Include (split tunnel) mode"] - L --> L1["Cisco can be full tunnel or split tunnel"] -``` -```mermaid -flowchart TD - A{"Do you want to filter DNS?"} - - A -- Yes --> B{"Do you want to use your existing provider or Cloudflare for DNS filtering?"} - A -- No --> C{"Do you want IP-based or application-based filtering?"} - - B -- Cloudflare --> D{"Do you want network and HTTP filtering?"} - B -- Existing provider --> C + %% WARP modes (internal label) + subgraph WM[" "] + direction TB + WMLabel["WARP modes"]:::sgLabel + E["**Gateway with DoH**"] + F["**Gateway with WARP**"] + G["**Secure Web Gateway without DNS filtering (Tunnel-only)**"] + H["**Proxy mode**"] + end - D -- No --> E["Gateway with DoH"] - D -- Yes --> F["Gateway with WARP"] + D -- No --> E + D -- Yes --> F - E --> E1["No WARP tunnel setup, configure Cisco AnyConnect tunnel as needed"] + E --> E1["No WARP tunnel setup, configure Cisco AnyConnect as required"] - C -- IP --> G["Secure Web Gateway without DNS filtering (Tunnel-only)"] - C -- Application --> H["Proxy mode"] + C -- IP --> G + C -- Application --> H - H --> H1["Configure applications you want to 
direct to WARP"] + H --> H1["Configure applications you want to direct to WARP, configure Cisco AnyConnect as required"] %% Routing decision applies when WARP tunnel is active - F --> I{"Where does random traffic (0.0.0.0/0) go?"} + F --> I{"Where is the destination of the default route?"} G --> I - I -- Internet --> J["Set WARP tunnel to Include (split tunnel) mode"] - I -- WARP --> K["Set WARP tunnel to Exclude (full tunnel) mode"] + %% WARP Split Tunnels (internal label) + subgraph ST[" "] + direction TB + STLabel["WARP Split Tunnels"]:::sgLabel + J["Set WARP tunnel to **Include IPs and domains** (split tunnel)"] + K["Set WARP tunnel to **Exclude IPs and domains** (full tunnel)"] + L["Set WARP tunnel to **Include IPs and domains** (split tunnel)"] + end + + I -- Internet --> J + I -- WARP --> K + I -- Cisco AnyConnect --> L %% Shared constraint J --> S["Cisco must be split tunnel"] K --> S - I -- Cisco AnyConnect --> L["Set WARP tunnel to Include (split tunnel) mode"] L --> L1["Cisco can be full tunnel or split tunnel"] + %% Styling + classDef sgLabel font-weight:bold,stroke:none,fill:none; + ``` ## 3. Configuration instructions by WARP mode 
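Review bot: the `**...**` markup inside quoted node labels (`E["**Gateway with DoH**"]`, `J["Set WARP tunnel to **Include IPs and domains** (split tunnel)"]`) renders as literal asterisks; Mermaid only parses Markdown in labels written as markdown strings, that is, the text wrapped in backticks inside the quotes (`E["`**Gateway with DoH**`"]`). The `WMLabel` and `STLabel` nodes are unconnected nodes styled to look like titles, so where they land inside the subgraph is up to the layout engine; `subgraph WM["WARP modes"]` gives a real subgraph title and removes the need for the `classDef sgLabel` workaround. Removing the duplicated second `flowchart TD` block is the right call.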
@@ -137,32 +132,29 @@ The following sections display Cisco AnyConnect and Cloudflare configuration ins #### Exclude Cloudflare endpoints from AnyConnect configuration -Regardless of what WARP mode you use, you must always exclude the following Cloudflare endpoints from the Cisco AnyConnect tunnel to ensure proper interoperability: +Regardless of what [WARP mode](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#warp-modes) you use, you must always exclude the following Cloudflare endpoints from the Cisco AnyConnect tunnel to ensure proper interoperability: -- Client orchestration API -- DoH IPs -- Client authentication endpoint -- Captive portal +- [Client orchestration API](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/#client-orchestration-api) +- [Client authentication endpoint](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/#client-authentication-endpoint) +- [Captive portal](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/#captive-portal) -Additional exclusions may be required based on your desired WARP mode and are listed in this document for each WARP mode. There are other Cloudflare endpoints you may want to exclude for security or functionality reasons, but they are not critical to the operation of the WARP client. For more information about Cloudflare WARP operability with firewalls, refer to [WARP with firewall](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/). +Additional exclusions may be required based on your desired WARP mode and are [listed in this document for each WARP mode](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#3-configuration-instructions-by-warp-mode). There are other Cloudflare endpoints you may want to exclude for security or functionality reasons, but they are not critical to the operation of the WARP client. 
For more information about Cloudflare WARP operability with firewalls, refer to [WARP with firewall](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/). #### Configure routing for WARP and Cisco AnyConnect tunnels :::note -This section only applies if you are using Gateway with WARP or Secure Web Gateway without DNS Filtering (Tunnel Only) modes. +This section only applies if you are using [Gateway with WARP](#gateway-with-warp) or [Secure Web Gateway without DNS Filtering (Tunnel Only)](#secure-web-gateway-without-dns-filtering-tunnel-only) modes. ::: -The Gateway with WARP and Secure Web Gateway without DNS Filtering (Tunnel Only) modes both provide IP filtering capabilities. +The [Gateway with WARP](#gateway-with-warp) and [Secure Web Gateway without DNS Filtering (Tunnel only)](#secure-web-gateway-without-dns-filtering-tunnel-only) modes both provide IP filtering capabilities. + +If you are using Gateway with WARP or Secure Web Gateway without DNS Filtering (Tunnel only) mode for your WARP deployment, you must appropriately configure both the WARP client and the Cisco AnyConnect client to avoid conflicts. -If you are using Gateway with WARP or Secure Web Gateway without DNS Filtering (Tunnel Only) mode for your WARP deployment, you must appropriately configure both the WARP client and the Cisco AnyConnect client to avoid conflicts. + -| Where 0.0.0.0/0 goes | Required WARP tunnel mode | Required Cisco AnyConnect mode | Outcome | -|---------------------|---------------------------|---------------------------------|---------| -| Internet (neither WARP nor Cisco) | Include mode | Split tunnel | Both clients are limited to specific routes; general internet traffic bypasses both tunnels. | -| WARP | Exclude mode | Split tunnel | WARP asserts the default route and captures all traffic not explicitly excluded. Any Cisco-routed traffic must be excluded from WARP. 
| -| Cisco AnyConnect | Include mode | Full tunnel or split tunnel | Cisco asserts the default route. WARP is used only for explicitly included traffic, which must be excluded from Cisco. | + :::caution[Prevent tunnel in a tunnel errors] @@ -187,11 +179,11 @@ The following steps must be taken in your Cisco AnyConnect configuration to ensu ##### 1.1. DNS -Disable DNS configuration/filtering on the Cisco ASA, or ensure it is explicitly delegated to the system/WARP. +Ensure Cisco AnyConnect does not manage or intercept DNS queries. This includes disabling DNS servers pushed by the VPN and disabling the Cisco Umbrella module (if installed), allowing Cloudflare WARP to control DNS resolution. ##### 1.2. Tunnel -Configure Cisco AnyConnect to deny (exclude) the following Cloudflare components from the VPN tunnel: +Configure Cisco AnyConnect to exclude the following Cloudflare components from the VPN tunnel:
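Review bot: in the `##### 1.1. DNS` replacement, turning off VPN-pushed DNS servers and the Umbrella module hands all resolution to WARP, but the text does not say how names that only resolve inside the Cisco network are resolved afterwards; add a sentence naming the WARP-side mechanism you intend (for example a Local Domain Fallback entry for the internal zone pointing at the internal resolver), otherwise split-tunnel users lose internal name resolution. Also `1.1.` and `1.2.` here versus `1.1` and `1.2` in the later hunks: make the heading numbering consistent.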
@@ -265,20 +257,18 @@ The following domains are used as part of our captive portal check: There are other Cloudflare endpoints you may want to exclude for security or functionality reasons, but they are not critical to the operation of the WARP client. Refer to the [WARP with firewall](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/) documentation for more information. -#### 2. Cloudflare WARP Configuration +#### 2. Cloudflare WARP configuration The following steps must be taken in your Cloudflare One configuration to ensure proper interoperability with Cisco AnyConnect. ##### 2.1 DNS -Need Cloudflare-specific instructions here. +No configuration is required. WARP takes over DNS filtering. ##### 2.2 Tunnel No configuration is required. WARP does not create a tunnel in this mode, meaning no routing updates conflict with Cisco. -Mode Verification: Verify your Device Profile service mode is set to Gateway with DoH. - --- ### Gateway with WARP 
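Review bot: removing "Mode Verification: Verify your Device Profile service mode is set to Gateway with DoH." deletes the only step that tells the reader to actually select this mode, and the new "No configuration is required. WARP takes over DNS filtering." only holds once the device profile is in Gateway with DoH; put the verification back as the content of 2.1 (with a link to the device profile settings) rather than stating that nothing needs configuring.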
@@ -295,19 +285,25 @@ The following steps must be taken in your Cisco AnyConnect configuration to ensu ##### 1.1 DNS -Disable DNS configuration/filtering on the Cisco ASA, or ensure it is explicitly delegated to the system/WARP. +Ensure Cisco AnyConnect does not manage or intercept DNS queries. This includes disabling DNS servers pushed by the VPN and disabling the Cisco Umbrella module (if installed), allowing Cloudflare WARP to control DNS resolution. ##### 1.2 Tunnel -###### 1.2.1 Set AnyConnect to Split tunnel or Full tunnel +###### 1.2.1 TODO: Need a title for this section. + +TODO: Need a instructions on how to set up split tunnel in Cisco. -Set your AnyConnect client to Split tunnel or Full tunnel based on your [Routing decision matrix](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#configure-routing-for-warp-and-cisco-anyconnect-tunnels) choice. +Set your AnyConnect client to Split tunnel or Full tunnel based on your [routing preference](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#2-warp-mode-decision-matrix). Avoid [tunnel-in-a-tunnel](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#supported-routing-combinations) conflicts. + + ###### 1.2.2 Exclude Cloudflare endpoints from AnyConnect tunnel -Configure Cisco AnyConnect to deny (exclude) the following Cloudflare components from the VPN tunnel: +TODO: Need instructions on how to exclude Cloudflare endpoints from AnyConnect tunnel. -- Any IP addresses that you have configured to run through WARP tunnel +Configure Cisco AnyConnect to exclude the following Cloudflare components from the VPN tunnel: + +- Any networks that you have configured in the WARP tunnel
The WARP client connects to Cloudflare via a standard HTTPS connection outside the tunnel for operations like registration or settings changes. To perform these operations, you must allow the following IPs and domains: @@ -428,18 +424,22 @@ There are other Cloudflare endpoints you may want to exclude for security or fun The following steps must be taken in your Cloudflare One configuration to ensure proper interoperability with Cisco AnyConnect. -##### 2.1 Set WARP Split Tunnels mode +##### 2.1 Set WARP Split Tunnels + +Set your WARP Split Tunnels mode to `Include IPs and domains` or `Exclude IPs and domains` based on your [routing preference](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#2-warp-mode-decision-matrix). Avoid [tunnel-in-a-tunnel](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#supported-routing-combinations) conflicts. -Set your WARP Split Tunnels mode to Include (Split tunnel) or Exclude (Full tunnel) based on your [Routing decision matrix](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#configure-routing-for-warp-and-cisco-anyconnect-tunnels) choice. + ##### 2.2 Exclude Cisco endpoints from the WARP tunnel +TODO: Add instructions on how to exclude Cisco endpoints from the WARP tunnel. + Add the following Cisco entries to the WARP Split Tunnel Exclude list: - The Public IP address of the Cisco firewall/VPN concentrator. -- The private IP range/subnet used by the Cisco AnyConnect client (the split tunnel configuration of AnyConnect). This prevents the WARP tunnel from interfering with Cisco's internal routes. +- The IP networks configured as Secured Routes in Cisco AnyConnect. This prevents the WARP tunnel from interfering with the Cisco Secured Routes. --- 
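Review bot: `##### 2.2 Exclude Cisco endpoints from the WARP tunnel` tells the reader to add the Cisco entries to the Split Tunnel Exclude list, but 2.1 just above lets them choose `Include IPs and domains`, where the Split Tunnels list is an include list and has no Exclude entries; state the Include-mode form of the rule as well (do not add the Cisco firewall IP or the Secured Routes to the Include list). The `TODO: Add instructions on how to exclude Cisco endpoints from the WARP tunnel.` line will be published as body text if it is not resolved; wrap it in an MDX comment (`{/* TODO ... */}`) or resolve it before merge.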
@@ -461,13 +461,19 @@ No changes are needed to your existing DNS provider as Cloudflare will not be ha ##### 1.2.Tunnel -###### 1.2.1 Set AnyConnect to Split tunnel or Full tunnel +###### 1.2.1 TODO: Need a title for this + +TODO: Need instructions for this section. -Set your AnyConnect client to Split tunnel or Full tunnel based on your [Routing decision matrix](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#configure-routing-for-warp-and-cisco-anyconnect-tunnels) choice. +Set your AnyConnect client to Split tunnel or Full tunnel based on your [routing preference](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#2-warp-mode-decision-matrix). Avoid [tunnel-in-a-tunnel](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#supported-routing-combinations) conflicts. + + ###### 1.2.2 Exclude Cloudflare endpoints from AnyConnect tunnel -Configure Cisco AnyConnect to deny (exclude) the following Cloudflare components from the VPN tunnel: +TODO: Need instructions on how to do this. + +Configure Cisco AnyConnect to exclude the following Cloudflare components from the VPN tunnel: - Any IP addresses that you have configured to run through WARP tunnel
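Review bot: `###### 1.2.1 TODO: Need a title for this` puts a placeholder into a rendered heading, and `TODO: Need instructions for this section.` and `TODO: Need instructions on how to do this.` ship as body text; use MDX comments (`{/* TODO */}`) for draft notes. The 1.2.1 and 1.2.2 text added here duplicates the same sections of the Gateway with WARP hunk word for word; since this patch already introduces partials for shared content, the tunnel instructions are a candidate for one too, so the two copies cannot drift.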
@@ -490,26 +496,6 @@ To deploy WARP in FedRAMP High environments, you will need to allow a different
-
- -In [Gateway with DoH](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/#gateway-with-doh) mode, the WARP client sends DNS requests to Gateway over an HTTPS connection. For DNS to work correctly, you must allow the following IPs and domains: - -- IPv4 DoH addresses: `162.159.36.1` and `162.159.46.1` -- IPv6 DoH addresses: `2606:4700:4700::1111` and `2606:4700:4700::1001` -- SNIs: `.cloudflare-gateway.com` - -Even though `.cloudflare-gateway.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. - -
-To deploy WARP in FedRAMP High environments, you will need to allow a different set of IPs and domains through your firewall: - -- IPv4 DoH addresses: `172.64.100.3` and `172.64.101.3` -- IPv6 DoH addresses: `2606:54c1:13::2` -- SNIs: `.fed.cloudflare-gateway.com` -
- -
-
When you [log in to your Cloudflare One organization](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/), you will have to complete the authentication steps required by your organization in the browser window that opens. To perform these operations, you must allow the following domains: @@ -592,16 +578,22 @@ The following steps must be taken in your Cloudflare One configuration to ensure ##### 2.1 Set WARP Split Tunnels mode -Set your WARP Split Tunnels mode to Include (Split tunnel) or Exclude (Full tunnel) based on your [Routing decision matrix](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#configure-routing-for-warp-and-cisco-anyconnect-tunnels) choice. +Set your WARP Split Tunnels mode to `Include IPs and domains` or `Exclude IPs and domains` based on your [routing preference](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#2-warp-mode-decision-matrix). Avoid [tunnel-in-a-tunnel](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#supported-routing-combinations) conflicts. + + + + ##### 2.2 Add Cisco endpoint exclusions +TODO: Need instructions for this section. + Add the following Cisco entries to the WARP Split Tunnel Exclude list: - The Public IP address of the Cisco firewall/VPN concentrator. -- The private IP range/subnet used by the Cisco AnyConnect client (the split tunnel configuration of AnyConnect). This prevents the WARP tunnel from interfering with Cisco's internal routes. +- The IP networks configured as Secured Routes in Cisco AnyConnect. This prevents the WARP tunnel from interfering with the Cisco Secured Routes. --- @@ -623,7 +615,7 @@ No changes are needed to your existing DNS provider as Cloudflare will not be ha ##### 1.2 Tunnel -Configure Cisco AnyConnect to deny (exclude) the following Cloudflare components from the VPN tunnel: +Configure Cisco AnyConnect to exclude the following Cloudflare components from the VPN tunnel:
@@ -645,26 +637,6 @@ To deploy WARP in FedRAMP High environments, you will need to allow a different
-
- -In [Gateway with DoH](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/#gateway-with-doh) mode, the WARP client sends DNS requests to Gateway over an HTTPS connection. For DNS to work correctly, you must allow the following IPs and domains: - -- IPv4 DoH addresses: `162.159.36.1` and `162.159.46.1` -- IPv6 DoH addresses: `2606:4700:4700::1111` and `2606:4700:4700::1001` -- SNIs: `.cloudflare-gateway.com` - -Even though `.cloudflare-gateway.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. - -
-To deploy WARP in FedRAMP High environments, you will need to allow a different set of IPs and domains through your firewall: - -- IPv4 DoH addresses: `172.64.100.3` and `172.64.101.3` -- IPv6 DoH addresses: `2606:54c1:13::2` -- SNIs: `.fed.cloudflare-gateway.com` -
- -
-
When you [log in to your Cloudflare One organization](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/), you will have to complete the authentication steps required by your organization in the browser window that opens. To perform these operations, you must allow the following domains: @@ -736,8 +708,8 @@ There are other Cloudflare endpoints you may want to exclude for security or fun The following steps must be taken in your Cloudflare One configuration to ensure proper interoperability with Cisco AnyConnect. -TODO: Need instructions on how to set up proxy mode. +TODO: add instructions on how to set up Proxy mode. --- - +TODO: Add possible edge cases and conclusion. diff --git a/src/content/partials/cloudflare-one/warp/change-split-tunnels-mode.mdx b/src/content/partials/cloudflare-one/warp/change-split-tunnels-mode.mdx index 8359d5176eadad9..917df4ae0ed3c5a 100644 --- a/src/content/partials/cloudflare-one/warp/change-split-tunnels-mode.mdx +++ b/src/content/partials/cloudflare-one/warp/change-split-tunnels-mode.mdx @@ -66,4 +66,4 @@ import { Tabs, TabItem } from "~/components"; -All clients with this device profile will now switch to the new mode and its default route configuration. Next, [add](#add-a-route) or [remove](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) routes from your Split Tunnel configuration. +All clients with this [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) will now switch to the new mode and its default route configuration. Next, [add](#add-a-route) or [remove](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) routes from your Split Tunnel configuration. 
diff --git a/src/content/partials/cloudflare-one/warp/cisco/default-route-routing-table.mdx b/src/content/partials/cloudflare-one/warp/cisco/default-route-routing-table.mdx new file mode 100644 index 000000000000000..dbe4767d3fb6be3 --- /dev/null +++ b/src/content/partials/cloudflare-one/warp/cisco/default-route-routing-table.mdx @@ -0,0 +1,5 @@ +| Where is the destination of the default route? | Required WARP configuration | Required Cisco AnyConnect configuration | Outcome | +|---------------------|---------------------------|---------------------------------|---------| +| Internet (neither WARP nor Cisco) | Include IPs and domains | Split tunnel | Both clients are limited to specific routes; general internet traffic bypasses both tunnels. | +| WARP | Exclude IPs and domains | Split tunnel | WARP asserts the default route and captures all traffic not explicitly excluded. Any Cisco-routed traffic must be excluded from WARP. | +| Cisco AnyConnect | Include IPs and domains | Full tunnel or split tunnel | Cisco asserts the default route. WARP is used only for explicitly included traffic, which must be excluded from Cisco. | diff --git a/src/content/partials/cloudflare-one/warp/cisco/exclude-include-definition.mdx b/src/content/partials/cloudflare-one/warp/cisco/exclude-include-definition.mdx new file mode 100644 index 000000000000000..65db20bfaaa71c9 --- /dev/null +++ b/src/content/partials/cloudflare-one/warp/cisco/exclude-include-definition.mdx 
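Review bot: the third row of the new `default-route-routing-table.mdx`, "Cisco AnyConnect | Include IPs and domains | Full tunnel or split tunnel", contradicts its own premise: the default route can only end up at Cisco when AnyConnect is a full tunnel, and with AnyConnect as a split tunnel plus WARP in Include mode the default route goes to the internet, which is row one. Either change the Cisco column of row three to "Full tunnel", or, if the intent is "WARP Include mode is safe whichever Cisco mode you pick", say that in the Outcome column instead. The flowchart's `L1["Cisco can be full tunnel or split tunnel"]` node carries the same wording and should change with it.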
@@ -0,0 +1,5 @@ +:::note[Exclude versus Include] +`Exclude IPs and domains` means all traffic will be sent through the WARP tunnel except for the IPs and domains you exclude. This option is compatible with the [industry terminology](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#warp-tunnel-terminology) of a full tunnel setting. + +`Include IPs and domains` means only traffic destined to the IPs or domains you include will be sent through the WARP tunnel. This option is compatible with the [industry terminology](/cloudflare-one/team-and-resources/devices/warp/deployment/cisco/#warp-tunnel-terminology) of a split tunnel setting. +::: \ No newline at end of file
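Review bot: the new `exclude-include-definition.mdx` partial ends with "\ No newline at end of file"; add the trailing newline so the next edit does not produce a noisy diff. "This option is compatible with the industry terminology of a full tunnel setting" is indirect; "This corresponds to what the industry calls a full tunnel" (and "split tunnel" for Include) says the same thing in fewer words.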
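Review bot: in the first patch's FedRAMP High table (the part visible at the top of this diff), the header row is empty (`| | |`), the `Fallback ports` cell spans several source lines, and the `[^1]` footnote reference sits inside a cell; GFM tables require a header row, do not allow line breaks inside a cell, and footnote references inside cells render inconsistently. Give the table headers (for example `| Setting | Value |`), join the ports with `<br />` or move them to a list under the table, and put the "Required for HTTP/2 fallback" remark in the cell text or in a note below the table. The `TODO: Need instructions on how to set up proxy mode.` at the end of the file is only reworded in patch 2, so the Proxy mode section still has no Cloudflare-side instructions.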
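Review bot: in the `@@ -137,32 +132,29 @@` hunk the routing decision table is deleted and replaced by blank `+` lines with no visible replacement; if it was moved into the new `default-route-routing-table.mdx` partial, the hunk should show the `<Render file="..." />` call at that spot (none is visible in this diff), otherwise the section now asks the reader to "appropriately configure both" clients without showing the allowed combinations. Also the `:::note` keeps "Tunnel Only" while the paragraph right after it changes to "Tunnel only"; the anchor `#secure-web-gateway-without-dns-filtering-tunnel-only` works either way, but the visible text should match the heading.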
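Review bot: in the `@@ -295,19 +285,25 @@` hunk, `###### 1.2.1 TODO: Need a title for this section.` replaces a real heading with a placeholder that will render, and `TODO: Need a instructions on how to set up split tunnel in Cisco.` has a grammar slip ("a instructions"); keep the old heading "Set AnyConnect to Split tunnel or Full tunnel" until the Cisco steps exist and move the TODOs into MDX comments. The new list item "Any networks that you have configured in the WARP tunnel" is an improvement over "Any IP addresses ...", but the matching list in the `@@ -461,13 +461,19 @@` hunk still reads "Any IP addresses that you have configured to run through WARP tunnel"; align the two.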