Split tunnel vpn remote access ASA 5520

r-barbosa
Level 1

Hi,

I'm creating a remote access VPN with split tunnel, and I'm using an extended ACL to match a host and the HTTP port of the destination, but it is not working.

Scenario

Remote access(10.0.0.122/24) -- internet --- Cisco ASA(inside:192.168.10.1/24) --- ip=192.168.10.6 - C6509 - 10.0.0.254/24 --- host = 10.0.0.31/24

The intriguing thing is that when I enable the service IP, connection or ICMP flows worked. Does anyone have any idea what the problem is? Thanks

Regards

Accepted Solution

hdashnau
Cisco Employee

Split tunneling doesn't take into account port information you specify in the ACL, it only cares about the IP addresses/networks you defined.

If you are trying to restrict access to IPs and ports you should define your split tunneling with IP addresses only and use a vpn-filter ACL in the group-policy to restrict it further to the specific ports you want:

access-list split_acl permit ip
access-list filter_acl permit ip eq
group-pol attributes
split-tunnel-pol tunnelspecified
split-tunnel-net value split_acl
vpn-filter value filter_acl

-heather
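A complete ASA configuration for the scenario in the question, written out as an added example (this is not part of heather's reply or of the poster's running config). It assumes a client address pool of 172.16.50.0/24 named RA_POOL and a group-policy named RA_POLICY; both are constructed for the example. The inside host 10.0.0.31 and the 10.0.0.0/24 LAN come from the question.

```cisco
! Address pool handed to remote-access clients (constructed for this example)
ip local pool RA_POOL 172.16.50.1-172.16.50.254 mask 255.255.255.0

! Split-tunnel ACL: a standard ACL that lists only the networks to send
! through the tunnel. Any port or protocol written here would be ignored,
! which is why the poster's "eq http" entry had no effect.
access-list split_acl standard permit 10.0.0.0 255.255.255.0

! vpn-filter ACL: evaluated with the VPN client as the source and the
! inside host as the destination. Only HTTP to 10.0.0.31 is permitted;
! everything else (including ICMP) is dropped by the implicit deny.
access-list filter_acl extended permit tcp 172.16.50.0 255.255.255.0 host 10.0.0.31 eq www

group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 address-pools value RA_POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_acl
 vpn-filter value filter_acl

! Verification once a client is connected:
!   show vpn-sessiondb detail      - shows the split-tunnel list and filter applied to the session
!   show access-list filter_acl    - hit counts confirm the filter ACE is matching client traffic
```

Because the filter ACL ends in an implicit deny, the ICMP tests that worked with a plain "permit ip" filter will stop working once the filter is narrowed to TCP/80; add an explicit ICMP entry only if that reachability is actually wanted.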

