vpn and split tunnel

Unanswered Question
Jun 14th, 2010

We have a group of VPN users that connects to the VPN using at least Cisco VPN 5.0.01.0600 or newer. Once connected to the VPN they do not have access to the internet, and we would like to keep it this way for security reasons. This group of VPN users now has additional needs. This VPN group needs to stay connected to the VPN and not lose connectivity to a particular range of network internally (a peer-to-peer non-routable address). Through research it appears that we can specify the allowed network on the split tunnel. Our goal is to allow this group of users connectivity to the range of IPs when connecting to the VPN and to exclude the internet at large.

Does anyone have pointers for me or would know of any issues I would run into? Should I be worried about split DNS?

Thanks

Federico Coto F... Mon, 06/14/2010 - 10:53

Hi,

You can create a group-policy where you define if you want to tunnel all traffic (no split tunneling), tunnel just specified networks (split tunneling), or just exclude a list of networks.

Under the group-policy, you specify the split-tunnel-policy and then the split-tunnel-network-list:

ASA(config-group-policy)# split-tunnel-policy ?

group-policy mode commands/options:
  excludespecified  Exclude only networks specified by
                    split-tunnel-network-list
  tunnelall         Tunnel everything
  tunnelspecified   Tunnel only networks specified by split-tunnel-network-list

ASA(config-group-policy)# split-tunnel-network-list ?

group-policy mode commands/options:
  none   Specify that no access-list will be used for split tunnel
         configuration
  value  Specify a standard or extended type access-list for split tunnel
         configuration

Split-DNS is in case you want to include a list of domains to be resolved through the split tunnel.

Federico.

b.julin Sun, 07/25/2010 - 15:00

Basically this involves installing routes on the clients. You'll have to configure a split-tunnel-network-list longhand to define all networks except their internal network. You cannot, IIRC, use deny statements in that access list.

I've described the way it works here, and it will only work for certain clients:

http://www.abrij.org/~bri/hw/splitp.html

Also, I recently discovered that using "no sysopt connection permit-vpn" breaks this, and so far I cannot figure out if there is a solution by adding ACEs to interfaces/crypto-maps/etc (the obvious one does not work.)
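As an added example for this thread (not code from either poster or from Cisco), the following Python script renders the group-policy stanza and split-tunnel ACL that Federico describes, builds the permit-only "longhand" list b.julin describes for "everything except one network", and predicts which destinations a client would send into the tunnel under each split-tunnel-policy. The addresses (10.20.0.0/16, 192.168.1.0/24) and names (SPLIT_TUNNEL, ALL_BUT_LOCAL, P2P_GROUP, corp.example.com) are placeholders chosen for the example; the question gives no concrete ranges. The is_tunneled check makes the point that matters for the original goal: under tunnelspecified, any destination not on the list, the Internet included, leaves the client's own interface without touching the VPN, so listing only the internal range would restore Internet access rather than keep it blocked.

```python
"""Added example for this thread (not the posters' or Cisco's code):
render ASA split-tunnel settings and sanity-check what they tunnel.

All addresses and names are placeholders chosen for the example
(10.20.0.0/16, 192.168.1.0/24, SPLIT_TUNNEL, ALL_BUT_LOCAL, P2P_GROUP,
corp.example.com); the original question names no concrete ranges.
"""
import ipaddress
from typing import Iterable, List, Optional

Prefixes = Iterable[str]   # CIDR strings such as "10.20.0.0/16"


def complement_prefixes(excluded: str, universe: str = "0.0.0.0/0") -> List[str]:
    """Minimal CIDR cover of `universe` minus `excluded`, as strings.

    The split-tunnel ACL honours only permit entries, so "all but X" has
    to be spelled out as the blocks left once X is carved out. For a /24
    carved out of 0.0.0.0/0 that is 24 prefixes (one each of /1 .. /24).
    """
    uni = ipaddress.ip_network(universe)
    ex = ipaddress.ip_network(excluded)
    return [str(n) for n in sorted(uni.address_exclude(ex))]


def split_tunnel_acl(name: str, prefixes: Prefixes) -> List[str]:
    """One standard-ACL permit per prefix, in ASA 'network netmask' form."""
    acl = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        acl.append(f"access-list {name} standard permit "
                   f"{net.network_address} {net.netmask}")
    return acl


def group_policy(name: str, policy: str, acl: Optional[str] = None,
                 split_dns: Optional[str] = None) -> List[str]:
    """group-policy stanza for one of the three split-tunnel-policy modes."""
    if policy not in ("tunnelall", "tunnelspecified", "excludespecified"):
        raise ValueError(f"unknown split-tunnel-policy {policy!r}")
    lines = [f"group-policy {name} internal",
             f"group-policy {name} attributes",
             f" split-tunnel-policy {policy}"]
    if policy != "tunnelall":
        if not acl:
            raise ValueError(f"{policy} needs a split-tunnel-network-list")
        lines.append(f" split-tunnel-network-list value {acl}")
    if split_dns:
        # Names in these domains resolve through the tunnel; others stay local.
        lines.append(f" split-dns value {split_dns}")
    return lines


def is_tunneled(dst: str, policy: str, prefixes: Prefixes) -> bool:
    """Predict whether the client routes `dst` into the tunnel under `policy`.

    Run this over a list before pushing it: for the thread's goal, internal
    ranges should come back True and public addresses should also come back
    True (tunneled, then dropped at the headend), not False (sent directly).
    """
    addr = ipaddress.ip_address(dst)
    listed = any(addr in ipaddress.ip_network(p) for p in prefixes)
    if policy == "tunnelall":
        return True
    if policy == "tunnelspecified":
        return listed
    return not listed          # excludespecified: listed nets bypass the tunnel


if __name__ == "__main__":
    # Case A: tunnel only the internal range. Anything not listed, the
    # Internet included, leaves the client's own interface untunneled, so
    # this alone does NOT keep the Internet blocked.
    internal = ["10.20.0.0/16"]
    print("\n".join(split_tunnel_acl("SPLIT_TUNNEL", internal)))
    print("\n".join(group_policy("P2P_GROUP", "tunnelspecified",
                                 "SPLIT_TUNNEL", "corp.example.com")))
    print("8.8.8.8 tunneled under case A:",
          is_tunneled("8.8.8.8", "tunnelspecified", internal))

    # Case B: the longhand list b.julin describes, here "everything except
    # 192.168.1.0/24": the Internet still enters the tunnel (and stays
    # blocked at the headend) while the excluded range is reached directly.
    longhand = complement_prefixes("192.168.1.0/24")
    print("\n".join(split_tunnel_acl("ALL_BUT_LOCAL", longhand)))
    print("\n".join(group_policy("P2P_GROUP", "tunnelspecified", "ALL_BUT_LOCAL")))
    print("8.8.8.8 tunneled under case B:",
          is_tunneled("8.8.8.8", "tunnelspecified", longhand))
```

After pushing either list, confirm the result on a connected client by comparing its routing table (route print on Windows, netstat -rn elsewhere) against what is_tunneled predicts: a default route via the VPN adapter means the Internet is still being tunneled and blocked, a default route via the physical adapter means split tunneling has reopened it.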
