WebVPN (Split Tunnel w/ extended ACL)

Unanswered Question
Jun 6th, 2008
ASA 7.2.3 code / ASDM 5.2

Yesterday I converted a customer from the WebVPN portal to the SVC client (sslclient-win-1.1.4.179). I must have spent 2hrs trying to figure out why the split tunneling wasn't working. I had the ACL configured for the tunnel networks and had it tied to the group policy - nothing I tried seemed to fix this problem! The SVC client said that split tunneling was NOT enabled and I confirmed that all client traffic was in fact being tunneled via this VPN policy.


It wasn't until someone pointed out to me that they remembered a problem w/ matching on extended ACLs vs. just a standard network ACL. I converted the extended ACL to a standard one and voila, it worked!


So now I'm at a standstill: I do not want to configure it this way, as I want to be very granular in what is allowed to specific machines, rather than just opening up specific host(s) and/or network(s).


Is this a bug? How can I configure this so that I'm only allowing specific protocols to specific hosts?


BTW: the only reason I converted this customer over was the fact that DEP in SP2 Windows was jacking up their connectivity. There is a bug out there on this w/ CSD 3.1.1.45.


Thank You,

scott


scottlivingston Sat, 06/07/2008 - 10:28
So I found a fix....


You need to define and match on a standard, wide-open network and/or host ACL, and then use the 'vpn-filter value' command to get granular on top of the standard one you created. If that doesn't make sense, here's the config....


ASA# sh run | begin group-policy Company-ABC-WebVPN internal
group-policy Company-ABC-WebVPN internal
group-policy Company-ABC-WebVPN attributes
 dns-server value 192.168.0.21 192.168.0.11
 vpn-access-hours none
 vpn-simultaneous-logins 10
 vpn-filter value Company-ABC-Access-VPN-Network-List
 vpn-tunnel-protocol webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Company-ABC-NONSPECIFIC-Access-VPN-Network-List
 address-pools value Remote-Access-VPN-Pool
 webvpn
  functions url-entry file-access file-entry file-browsing port-forward auto-download
  url-list value Company-ABC
  port-forward value Company-ABC-Access
  port-forward-name value Application Access
  svc enable
  svc keep-installer installed
!
access-list Company-ABC-Access-VPN-Network-List remark Allow VPN Access to Demo-DMZ
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq 5802
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq 5902
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq 8080
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq ssh
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq 5802
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq 5902
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq 8080
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq ssh
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.148 eq 3389
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.131 eq 3389
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.135 eq 3389
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 192.168.0.11 eq domain
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 192.168.0.21 eq domain
access-list Company-ABC-Access-VPN-Network-List extended permit udp any host 192.168.0.11 eq domain
access-list Company-ABC-Access-VPN-Network-List extended permit udp any host 192.168.0.21 eq domain
!
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List remark Allow VPN Access to Demo-DMZ
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit 1.1.1.128 255.255.255.224
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit host 192.168.0.21
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit host 192.168.0.11
!


thx,

scott
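The pattern in the answer above has two moving parts that are easy to get wrong when the config is reviewed later: the ACL named by split-tunnel-network-list must be a standard ACL, and the extended ACL that actually restricts protocols is only enforced if vpn-filter references it. The following is an added example, not code from the thread or from Cisco: a small Python lint that parses ASA running-config text, records each access-list's type, and checks every group-policy's split-tunnel and vpn-filter references. The two embedded configs are constructed samples, one trimmed from the working config posted above and one reproducing the failing setup the original post describes (extended ACL used directly as the split-tunnel list). Regex-based parsing of indented attribute lines is an assumption about show-run layout, not a Cisco API.

```python
"""Lint ASA group-policy split-tunnel / vpn-filter ACL references (added example)."""
import re
from collections import defaultdict

# Constructed sample, trimmed from the working config posted in the thread.
WORKING_CONFIG = """\
group-policy Company-ABC-WebVPN internal
group-policy Company-ABC-WebVPN attributes
 vpn-filter value Company-ABC-Access-VPN-Network-List
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Company-ABC-NONSPECIFIC-Access-VPN-Network-List
 webvpn
  svc enable
!
access-list Company-ABC-Access-VPN-Network-List remark Allow VPN Access to Demo-DMZ
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq ssh
access-list Company-ABC-Access-VPN-Network-List extended permit udp any host 192.168.0.11 eq domain
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit 1.1.1.128 255.255.255.224
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit host 192.168.0.11
"""

# Constructed "before" sample: the extended ACL is used directly as the
# split-tunnel list, which is the setup the original post reports as not working.
BROKEN_CONFIG = """\
group-policy Company-ABC-WebVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Company-ABC-Access-VPN-Network-List
!
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq ssh
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(standard|extended)\s+(?:permit|deny)\b")
GP_RE = re.compile(r"^group-policy\s+(\S+)\s+attributes\s*$")
VALUE_RE = re.compile(r"^\s+(split-tunnel-network-list|vpn-filter)\s+value\s+(\S+)\s*$")
POLICY_RE = re.compile(r"^\s+split-tunnel-policy\s+(\S+)\s*$")


def parse(config):
    """Return (acl_name -> set of ACL types seen, group_policy -> attributes)."""
    acls = defaultdict(set)
    policies = {}
    current = None  # attributes dict of the group-policy block being read
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].add(m.group(2))  # remark lines are skipped
            continue
        m = GP_RE.match(line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        if not line.startswith(" "):
            current = None  # any other top-level line ends the attributes block
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
            continue
        m = POLICY_RE.match(line)
        if m:
            current["split-tunnel-policy"] = m.group(1)
    return acls, policies


def lint(config):
    """Return findings as 'error: ...' / 'warning: ...' strings; empty list means clean."""
    acls, policies = parse(config)
    findings = []
    for gp, attrs in sorted(policies.items()):
        policy = attrs.get("split-tunnel-policy")
        split_list = attrs.get("split-tunnel-network-list")
        vpn_filter = attrs.get("vpn-filter")
        if policy in ("tunnelspecified", "excludespecified"):
            if split_list is None:
                findings.append(f"error: {gp}: split-tunnel-policy {policy} but no split-tunnel-network-list")
            elif split_list not in acls:
                findings.append(f"error: {gp}: split-tunnel-network-list {split_list} is not defined")
            elif acls[split_list] != {"standard"}:
                findings.append(f"error: {gp}: split-tunnel-network-list {split_list} must be a "
                                f"standard ACL, found {sorted(acls[split_list])}")
            if vpn_filter is None:
                # Without a vpn-filter the split list alone decides what is reachable,
                # and it can only express hosts/networks, not protocols or ports.
                findings.append(f"warning: {gp}: no vpn-filter, every protocol to the split networks is allowed")
        if vpn_filter is not None and vpn_filter not in acls:
            findings.append(f"error: {gp}: vpn-filter {vpn_filter} is not defined")
    return findings


if __name__ == "__main__":
    for name, cfg in (("working", WORKING_CONFIG), ("broken", BROKEN_CONFIG)):
        result = lint(cfg)
        print(f"{name}: {'ok' if not result else ''}")
        for finding in result:
            print("  " + finding)
```

Run it against a pasted `show run` to catch the mismatch before users report that split tunneling is "not enabled"; the warning branch is the security point of the thread, since a standard list by itself opens every port on the listed hosts.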

kristyorr Thu, 07/31/2008 - 09:00
I was having the exact same problem. So glad I found your post. Works great!

scottlivingston Thu, 07/31/2008 - 09:14
Awesome - glad it helped. We have tied this to others and it's still a solid solution for us as well.


scott
