Split tunnel vpn remote access ASA 5520

Answered Question
Oct 30th, 2009

Hi,

I'm creating a remote access VPN with split tunnel, but I'm using an extended ACL to match a destination host and the http port, and it is not working.

Scenario

Remote access(10.0.0.122/24) -- internet --- Cisco ASA(inside:192.168.10.1/24) --- ip=192.168.10.6 - C6509 - 10.0.0.254/24 --- host = 10.0.0.31/24

The intriguing thing is that when I enable the service IP, the connection or ICMP flows worked. Does anyone have any idea what the problem is? Thanks

Regards

Correct Answer by hdashnau, Mon, 11/02/2009 - 13:56

Split tunneling doesn't take into account port information you specify in the ACL, it only cares about the ip address/networks you defined.

If you are trying to restrict access to IP and ports you should define your split tunneling with ip addresses only and use a vpn-filter acl in the group-policy to restrict it further to the specific ports you want:

access-list split_acl permit ip
access-list filter_acl permit tcp eq
group-pol attributes
 split-tunnel-pol tunnelspecified
 split-tunnel-net value split_acl
 vpn-filter value filter_acl

-heather
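The same split-tunnel/vpn-filter arrangement filled in for the scenario in the question, as an added example rather than the answerer's configuration: the protected host 10.0.0.31 and port http come from the question, while the group-policy name RA_POLICY and the use of `any` for the client's pool address are assumptions.

```cisco
! Split-tunnel ACL: addresses only. Any port qualifier here is ignored,
! so it decides only which destinations the client sends into the tunnel.
access-list split_acl standard permit host 10.0.0.31
!
! vpn-filter ACL: written with the remote VPN client as source and the
! protected host as destination. Port restriction belongs here, and it
! needs tcp (not ip) because only tcp/udp ACEs accept "eq".
! "any" stands in for the client pool, which the question does not give.
access-list filter_acl extended permit tcp any host 10.0.0.31 eq 80
!
! Attach both lists to the remote-access group policy (RA_POLICY is an
! assumed name; use the policy the tunnel-group actually references).
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_acl
 vpn-filter value filter_acl
```

After applying this, `show vpn-sessiondb detail remote` on the ASA shows which filter and split-tunnel list a connected session received, which is the quickest check that the group policy is the one actually in use.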

