I'm creating a remote access VPN with split tunnel, but I'm using an extended ACL to match a host and the HTTP port of the destination, and it is not working.
Remote access(10.0.0.122/24) -- internet --- Cisco ASA(inside:192.168.10.1/24) --- ip=192.168.10.6 - C6509 - 10.0.0.254/24 --- host = 10.0.0.31/24
The intriguing thing is that when I enable the service IP, connections or ICMP flows worked. Does anyone have any idea what the problem is? Thanks
Split tunneling doesn't take into account the port information you specify in the ACL; it only cares about the IP addresses/networks you define.
If you are trying to restrict access to IPs and ports, you should define your split tunneling with IP addresses only and use a vpn-filter ACL in the group-policy to restrict it further to the specific ports you want:
access-list split_acl permit ip
access-list filter_acl permit ip eq
split-tunnel-net value split_acl
vpn-filter value filter_acl
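For reference, here is how the two pieces fit together end to end on an ASA, using the inside host 10.0.0.31 from the question. This is an added example, not the poster's configuration: the client address pool 10.0.100.0/24, the pool name RA_POOL and the group-policy name RA_GP are assumptions chosen so the pool does not overlap the 10.0.0.0/24 LAN. The split-tunnel list carries networks only; the vpn-filter carries the port restriction, written with the VPN client (pool) as source and the inside resource as destination.

```cisco
! Added example, not from the original post.
! Assumed names/addresses: pool 10.0.100.0/24 (RA_POOL), group-policy RA_GP.
!
! 1. Split tunnel: networks only. A port qualifier here is ignored for
!    split-tunnel decisions, so just send the whole 10.0.0.0/24 into the tunnel.
access-list split_acl standard permit 10.0.0.0 255.255.255.0
!
! 2. vpn-filter: evaluated after decryption on tunneled traffic, client pool as
!    source, inside host as destination, port on the destination. The ASA also
!    checks the reverse direction for return traffic, so one line per service is
!    enough. Everything not listed is dropped by the implicit deny at the end.
access-list filter_acl extended permit tcp 10.0.100.0 255.255.255.0 host 10.0.0.31 eq www
access-list filter_acl extended permit icmp 10.0.100.0 255.255.255.0 host 10.0.0.31
!
! 3. Pool and group-policy: tunnelspecified + the network list, plus the filter.
ip local pool RA_POOL 10.0.100.1-10.0.100.254 mask 255.255.255.0
group-policy RA_GP internal
group-policy RA_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_acl
 vpn-filter value filter_acl
 address-pools value RA_POOL
!
! 4. Verify: the session should show filter_acl as its Filter Name, and the
!    ACE hit counts should increase while the client browses to 10.0.0.31.
show vpn-sessiondb detail anyconnect
show access-list filter_acl
```

The check that matters is the hit count on `show access-list filter_acl`: if the HTTP ACE never increments while traffic to the host is being dropped, the source/destination order of the filter entries is the first thing to re-examine against the ASA vpn-filter documentation for your release, since the filter ACL is written from the client's perspective rather than as an interface ACL.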