Split tunnel vpn remote access ASA 5520

Answered Question
Oct 30th, 2009

Hi,


I'm creating a remote access VPN with split tunnel, but I'm using an extended ACL to match a destination host and port http, and it is not working.


Scenario


Remote access(10.0.0.122/24) -- internet --- Cisco ASA(inside:192.168.10.1/24) --- ip=192.168.10.6 - C6509 - 10.0.0.254/24 --- host = 10.0.0.31/24


The intriguing part is that when I enable the service IP, the connection or ICMP flows worked. Does anyone have any idea what the problem is? Thanks


Regards



Correct Answer by hdashnau (Cisco Employee), Mon, 11/02/2009 - 13:56

Split tunneling doesn't take into account port information you specify in the ACL; it only cares about the IP addresses/networks you defined.


If you are trying to restrict access to IP addresses and ports, you should define your split tunneling with IP addresses only and use a vpn-filter ACL in the group-policy to restrict it further to the specific ports you want:


access-list split_acl standard permit <inside-network> <mask>

access-list filter_acl extended permit tcp any host <server-ip> eq www

group-policy <policy-name> attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_acl
 vpn-filter value filter_acl



-heather

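A check that follows from the accepted answer, added here as an example and not part of the original thread or of any Cisco tool: a small linter that reads an ASA running-config, finds every group-policy set to split-tunnel-policy tunnelspecified, and flags split-tunnel ACL entries that carry protocol or port qualifiers (which split tunneling ignores, so the port restriction silently does nothing) as well as policies that have no vpn-filter at all. It also rewrites such an entry into the two ACLs the answer describes: a standard ACL with only the destination network for split tunneling, and an extended ACL carrying the port for vpn-filter. The configuration text, the ACL names split_acl/split_ok/filter_acl and the group-policy names RA_POLICY/RA_FIXED are constructed for the example; they are not from the original post.

```python
"""Lint an ASA config for port-qualified split-tunnel ACLs (constructed example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the thread; not a capture from a real device.
SAMPLE_CONFIG = """\
access-list split_acl extended permit tcp any host 10.0.0.31 eq www
access-list split_ok standard permit 10.0.0.0 255.255.255.0
access-list filter_acl extended permit tcp any host 10.0.0.31 eq www
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_acl
group-policy RA_FIXED internal
group-policy RA_FIXED attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_ok
 vpn-filter value filter_acl
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:(standard|extended)\s+)?(permit|deny)\s+(.+)$")
PORT_OPS = {"eq", "gt", "lt", "neq", "range"}

AclTable = Dict[str, List[Tuple[str, List[str]]]]


@dataclass
class GroupPolicy:
    name: str
    split_policy: Optional[str] = None
    split_acl: Optional[str] = None
    vpn_filter: Optional[str] = None


def parse_config(text: str) -> Tuple[AclTable, Dict[str, GroupPolicy]]:
    """Collect ACL entries as (kind, tokens) and the split/vpn-filter attributes of each group-policy."""
    acls: AclTable = {}
    policies: Dict[str, GroupPolicy] = {}
    current: Optional[GroupPolicy] = None
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            name, kind, _action, rest = m.groups()
            acls.setdefault(name, []).append((kind or "extended", rest.split()))
            current = None
        elif line.startswith("group-policy ") and line.endswith(" attributes"):
            name = line.split()[1]
            current = policies.setdefault(name, GroupPolicy(name))
        elif current is not None and line.startswith(" "):
            tok = line.split()  # indented sub-command of the current group-policy
            if tok[0] == "split-tunnel-policy":
                current.split_policy = tok[1]
            elif tok[:2] == ["split-tunnel-network-list", "value"]:
                current.split_acl = tok[2]
            elif tok[:2] == ["vpn-filter", "value"]:
                current.vpn_filter = tok[2]
        else:
            current = None  # any other top-level line ends the attributes block
    return acls, policies


def _addr_spec(tokens: List[str], i: int) -> Tuple[List[str], int]:
    """Read one ASA address spec at tokens[i]: 'any', 'host A', or 'NET MASK'."""
    if tokens[i] in ("any", "any4", "any6"):
        return tokens[i:i + 1], i + 1
    return tokens[i:i + 2], i + 2


def port_qualified(kind: str, tokens: List[str]) -> bool:
    """True if an extended entry restricts protocol or ports, which split tunneling ignores."""
    return kind == "extended" and (tokens[0] != "ip" or bool(PORT_OPS & set(tokens)))


def suggest_fix(acl_name: str, tokens: List[str]) -> List[str]:
    """Split one port-qualified extended entry into a network-only standard ACL (split tunnel)
    and an extended ACL that keeps the protocol/port restriction (vpn-filter)."""
    proto = tokens[0]
    _src, i = _addr_spec(tokens, 1)
    dst, i = _addr_spec(tokens, i)
    ports = " ".join(tokens[i:])
    dst_s = " ".join(dst)
    return [
        f"access-list {acl_name}_nets standard permit {dst_s}",
        f"access-list {acl_name}_filter extended permit {proto} any {dst_s} {ports}".rstrip(),
    ]


def lint(text: str) -> List[str]:
    """One finding per problem in each tunnelspecified group-policy."""
    acls, policies = parse_config(text)
    findings: List[str] = []
    for gp in policies.values():
        if gp.split_policy != "tunnelspecified":
            continue
        if gp.split_acl is None or gp.split_acl not in acls:
            findings.append(f"{gp.name}: split-tunnel-network-list missing or references an undefined ACL")
            continue
        for kind, tokens in acls[gp.split_acl]:
            if port_qualified(kind, tokens):
                findings.append(f"{gp.name}: {gp.split_acl} entry '{' '.join(tokens)}' has protocol/port "
                                f"qualifiers that split tunneling ignores; move them to a vpn-filter")
        if gp.vpn_filter is None:
            findings.append(f"{gp.name}: no vpn-filter, so tunneled traffic is not restricted by port")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("WARN", finding)
    sample_acls, _ = parse_config(SAMPLE_CONFIG)
    for entry_kind, entry_tokens in sample_acls["split_acl"]:
        print("\n".join(suggest_fix("split_acl", entry_tokens)))
```

Run against a `show running-config` dump, RA_POLICY in the sample produces two warnings (a port-qualified split ACL and a missing vpn-filter) while RA_FIXED, which mirrors the accepted answer's layout, produces none. The filter ACL is written with the client side as `any` and the port on the destination, so it matches the client-to-server direction regardless of how the ASA swaps addresses for return traffic.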
