ACL for split tunneling

Unanswered Question
May 11th, 2009


I'm doing an IOS router terminating the VPN client.

When defining split tunneling in an ACL, does it support including a port when defining the traffic to be encrypted?

i.e. access-list 100 permit tcp <src> <mask> <dst> <msk> eq www

If not, is there an option to say this group of users can access this host for email only? Should this be done on the RADIUS server or the application?


I think I would block that with an ACL. Depending on the device, it is done differently. For example, the ASA permits IPSEC inherently in most configs. To disable that, you would enter "no sysopt connection permit-vpn". After that, the ACL rules will apply. In IOS, it is different depending on the code version and method for deploying the VPN client. For example, with VTI, you could apply an ACL to the tunnel interface.

chinkevi_2 Tue, 05/12/2009 - 14:41

Thanks Paul, but it is quite irrelevant.

I am referring to an "IOS router", with an ACL defined for "split-tunneling".

I normally see examples that define split-tunneling in an ACL with src and dst address.

The question is whether we can define the split-tunneling ACL with a port.

You can also filter via ACL in IOS. It is just done differently depending on the code version. In new code, it is best to do with VTI. I understand that you want to build a split tunnel ACL based on ports, and generally you don't want to build SAs at the port level.

To answer your question, I don't know if the VPN Client would register that or not. So unfortunately, I don't know. The reason it is generally not a good idea is that each logical line in the ACL would become an SA relationship. In other words, you can consume resources with a lot of SAs.

Basically, I define in the SAs the communication I want to encrypt, then define in an ACL what I want to block. I never get down to a protocol or port level in SA definition. Really, what the split tunnel ACL is doing is defining the SA.

I know that's not an answer to your question. If I get an opportunity to try it, I will post back with the results.
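The following is an added, constructed IOS configuration that illustrates the split the two posts above describe: the split-tunnel ACL stays at the network level (one permit line per protected network, so one SA pair per line), and the "this host for email only" restriction is expressed as an ordinary interface ACL applied to decrypted traffic on the DVTI virtual-template interface. It is not configuration from the thread or from Cisco documentation; all names, addresses, the pool, the AAA lists and the group key are placeholders.

```cisco
! Constructed example: IOS EZVPN server with DVTI. All names/addresses are placeholders.
aaa new-model
aaa authentication login VPN-AUTH local
aaa authorization network VPN-AUTHOR local

ip local pool VPN-POOL 192.168.100.1 192.168.100.254

! Split-tunnel ACL: network-level only, no ports. Each permit line is
! pushed to the VPN Client as a protected network and becomes an SA pair.
ip access-list extended SPLIT-TUNNEL
 permit ip 10.10.10.0 0.0.0.255 any

! Port-level policy lives here, not in the split-tunnel ACL. Applied to the
! decrypted packets on the tunnel interface. Implicit deny drops the rest;
! the explicit deny line exists only so violations are logged.
ip access-list extended VPN-MAIL-ONLY
 permit tcp 192.168.100.0 0.0.0.255 host 10.10.10.25 eq smtp
 permit tcp 192.168.100.0 0.0.0.255 host 10.10.10.25 eq pop3
 permit tcp 192.168.100.0 0.0.0.255 host 10.10.10.25 eq 143
 deny   ip  192.168.100.0 0.0.0.255 10.10.10.0 0.0.0.255 log

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

crypto isakmp client configuration group REMOTE-USERS
 key PLACEHOLDER-GROUP-KEY
 pool VPN-POOL
 acl SPLIT-TUNNEL

crypto isakmp profile EZVPN-PROF
 match identity group REMOTE-USERS
 client authentication list VPN-AUTH
 isakmp authorization list VPN-AUTHOR
 client configuration address respond
 virtual-template 1

crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile EZVPN-IPSEC
 set transform-set TS
 set isakmp-profile EZVPN-PROF

! Decrypted client traffic enters here, so the interface ACL sees cleartext
! and can match on TCP ports without affecting SA negotiation.
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC
 ip access-group VPN-MAIL-ONLY in
```

The design point is the one the answer makes: the crypto/split ACL decides what gets encrypted and how many SAs exist, while a separate interface ACL decides what the decrypted traffic may reach. Keeping ports out of the split-tunnel ACL avoids one SA per port entry, and the "log" on the deny line gives a visible record if a client tries to reach the internal network on anything other than the mail ports.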
