06-06-2008 07:19 AM - edited 03-11-2019 05:56 AM
ASA 7.2.3 code / ASDM 5.2
Yesterday I converted a customer from the WebVPN portal to the SVC client (sslclient-win-1.1.4.179). I must have spent 2 hrs trying to figure out why the split tunneling wasn't working. I had the ACL configured for the tunnel networks and had it tied to the group policy - nothing I tried seemed to fix this problem! The SVC client said that split tunneling was NOT enabled, and I confirmed that all client traffic was in fact being tunneled via this VPN policy.
It wasn't until someone pointed out to me that they remembered a problem w/ matching on extended ACLs vs. just a standard network ACL. I converted the extended ACL to a standard one and voila, it worked!
So, now I'm at a standstill. I do not want to configure it this way, as I want to be very granular in what is allowed to specific machines - rather than just opening up specific host(s) and/or network(s).
Is this a bug? How can I configure this so that I'm only allowing specific protocols to specific hosts?
BTW: the only reason I converted this customer over was the fact that DEP in SP2 Windows was jacking up their connectivity. There is a bug out there on this w/ CSD 3.1.1.45.
Thank You,
scott
06-07-2008 10:28 AM
So I found a fix....
You need to define and match on a standard wide-open network and/or host ACL and then use the 'vpn-filter value' command to get granular on top of the standard one you created. If that doesn't make sense, here's the config....
ASA# sh run | begin group-policy Company-ABC-WebVPN internal
group-policy Company-ABC-WebVPN internal
group-policy Company-ABC-WebVPN attributes
dns-server value 192.168.0.21 192.168.0.11
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-filter value Company-ABC-Access-VPN-Network-List
vpn-tunnel-protocol webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Company-ABC-NONSPECIFIC-Access-VPN-Network-List
address-pools value Remote-Access-VPN-Pool
webvpn
functions url-entry file-access file-entry file-browsing port-forward auto-download
url-list value Company-ABC
port-forward value Company-ABC-Access
port-forward-name value Application Access
svc enable
svc keep-installer installed
!
access-list Company-ABC-Access-VPN-Network-List remark Allow VPN Access to Demo-DMZ
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq 5802
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq 5902
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq 8080
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq ssh
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq 5802
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq 5902
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq 8080
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq ssh
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.148 eq 3389
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.131 eq 3389
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.135 eq 3389
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 192.168.0.11 eq domain
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 192.168.0.21 eq domain
access-list Company-ABC-Access-VPN-Network-List extended permit udp any host 192.168.0.11 eq domain
access-list Company-ABC-Access-VPN-Network-List extended permit udp any host 192.168.0.21 eq domain
!
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List remark Allow VPN Access to Demo-DMZ
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit 1.1.1.128 255.255.255.224
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit host 192.168.0.21
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit host 192.168.0.11
!
thx,
scott
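The two-list arrangement in the post, as an added Python model (not from the thread or from Cisco): it parses the standard list that feeds split-tunnel-network-list and the extended list behind vpn-filter, then classifies a client flow the way the post describes. The standard list decides which destinations enter the tunnel at all; the vpn-filter list decides which protocol/port is then permitted. The ACL names, the sample flows and the name-to-port table are constructed; only the ACE shapes that appear in the post are parsed.

```python
import ipaddress

# Constructed excerpt in the shape of the post's two ACLs.
SPLIT_TUNNEL_ACL = """
access-list NONSPECIFIC remark Allow VPN Access to Demo-DMZ
access-list NONSPECIFIC standard permit 1.1.1.128 255.255.255.224
access-list NONSPECIFIC standard permit host 192.168.0.21
access-list NONSPECIFIC standard permit host 192.168.0.11
"""
VPN_FILTER_ACL = """
access-list FILTER extended permit tcp any host 1.1.1.145 eq 5802
access-list FILTER extended permit tcp any host 1.1.1.148 eq 3389
access-list FILTER extended permit udp any host 192.168.0.11 eq domain
"""
NAMED_PORTS = {"domain": 53, "ssh": 22}  # assumed name-to-number table

def parse_standard(text):
    """Networks a standard ACL permits: '... standard permit <net> <mask>' or '... permit host <ip>'."""
    nets = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[2] != "standard" or f[3] != "permit":
            continue  # remarks and anything not in the expected shape are skipped
        if f[4] == "host":
            nets.append(ipaddress.ip_network(f[5] + "/32"))
        else:
            nets.append(ipaddress.ip_network(f"{f[4]}/{f[5]}", strict=False))
    return nets

def parse_extended(text):
    """(proto, dst_host, port) for each '... extended permit <proto> any host <ip> eq <port>' ACE."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or f[2] != "extended" or f[3] != "permit" or f[5] != "any":
            continue
        rules.append((f[4], ipaddress.ip_address(f[7]), int(NAMED_PORTS.get(f[9], f[9]))))
    return rules

def classify(dst, proto, port):
    """'bypassed' (never enters the tunnel), 'permitted' or 'dropped' (in tunnel, no filter match)."""
    d = ipaddress.ip_address(dst)
    if not any(d in n for n in parse_standard(SPLIT_TUNNEL_ACL)):
        return "bypassed"   # tunnelspecified: destination not in the list, goes out locally
    if any(p == proto and h == d and pt == port for p, h, pt in parse_extended(VPN_FILTER_ACL)):
        return "permitted"
    return "dropped"        # vpn-filter ends in an implicit deny

if __name__ == "__main__":
    for flow in [("1.1.1.145", "tcp", 5802), ("1.1.1.145", "tcp", 23), ("8.8.8.8", "udp", 53)]:
        print(flow, classify(*flow))
```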
07-31-2008 09:00 AM
I was having the exact same problem. So glad I found your post. Works great!
07-31-2008 09:14 AM
Awesome - glad it helped. We have tied this to others and it's still a solid solution for us as well.
scott