SSL VPN Full and Split Tunnel Config Question

tkuzma1022 · ‎09-23-2008

I am Beta testing SSLVPN on an IOS router. The question I have is this:

Is it possiable to have slit and full tunnel configs. It seems that once you create your context and default profile that is all you have either split or full. The books say you can use Radius and assign different profiles but, I would like to give the users a choice (like in the VPN3000 .pcf) of either split or full depending on where they are working from.

andrew.prince · ‎09-25-2008

The below is an example using the ASA - but the principle remains the same:-

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a0080975e83.shtml

HTH>

tkuzma1022 · ‎09-25-2008

Thank-you for your reply. It seems that in the IOS you can have one Context and Profile assocateed to the IPaddree so, xx.xx.xx.1 is full tunnel and it appears that you have to have a second Context / Profile for a split tunnel.

It appears the better choice maybe the ASA for doing SSLVPN

andrew.prince · ‎09-25-2008

Yes - the ASA appears to be better suited to your requirements.

HTH>

tkuzma1022 · ‎09-25-2008

Sorry Andrew one more question about your SSLVPN on and ASA.

You have both full and split tunnels running on one interface?

andrew.prince · ‎09-25-2008

Yes you do - you just have different profiles/groups that have different capabilities.

On a test ASA SSL VPN - I have had:-

1) Clientless

2) Thin-client

3) Full Client

Option 3 with either full tunneling or Split tunneling.

HTH>