06-14-2010 10:45 AM
We have a group of VPN users connecting to the VPN using at least Cisco VPN 5.0.01.0600 or newer. Once connected to the VPN they do not have access to the internet, and we would like to keep it this way for security reasons. This group of VPN users now has additional needs. This VPN group needs to stay connected to the VPN and not lose connectivity to a particular range of network internally (a peer-to-peer non-routable address). Through research it appears that we can specify the allowed network on the split tunnel. Our goal is to allow this group of users connectivity to the range of IPs when connecting to the VPN and to exclude the internet at large.
Does anyone have pointers for me, or know of any issues I would run into? Should I be worried about split DNS?
Thanks
06-14-2010 10:53 AM
Hi,
You can create a group-policy where you define if you want to tunnel all traffic (no split tunneling), tunnel just specified networks (split tunneling), or just exclude a list of networks.
Under the group-policy, you specify the split-tunnel-policy and then the split-tunnel-network-list.
ASA(config-group-policy)# split-tunnel-policy ?
group-policy mode commands/options:
  excludespecified  Exclude only networks specified by split-tunnel-network-list
  tunnelall         Tunnel everything
  tunnelspecified   Tunnel only networks specified by split-tunnel-network-list

ASA(config-group-policy)# split-tunnel-network-list ?
group-policy mode commands/options:
  none   Specify that no access-list will be used for split tunnel configuration
  value  Specify a standard or extended type access-list for split tunnel configuration
Split-DNS is in case you want to include a list of domains to be resolved through the split tunnel.
Federico.
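As an added worked example (not from Federico's post or from Cisco documentation), here is what the group-policy described above looks like as a complete ASA configuration. The names P2P_VPN, P2P_USERS, LOCAL_PEER_RANGE, the 10.20.0.0/16 peer range and the corp.example.com split-DNS domain are placeholders chosen for the example; replace them with your own. It uses excludespecified so that everything except the named range still goes down the tunnel (so the users still get no internet through the ASA, as the original poster wants), and only the peer-to-peer range is reached directly.

```cisco
! Added example configuration; names and addresses are assumptions, not from the thread.
! Standard ACL listing the network(s) that should NOT be tunnelled.
! split-tunnel-network-list takes a standard or extended ACL; only permit entries are honoured.
access-list LOCAL_PEER_RANGE standard permit 10.20.0.0 255.255.0.0

! Group policy: tunnel everything except the networks in LOCAL_PEER_RANGE.
group-policy P2P_USERS internal
group-policy P2P_USERS attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL_PEER_RANGE
 ! Only these domains are resolved over the tunnel; everything else uses the client's local DNS.
 split-dns value corp.example.com

! Bind the policy to the tunnel group these users connect with.
tunnel-group P2P_VPN general-attributes
 default-group-policy P2P_USERS

! Alternative (commented out): tunnelspecified sends ONLY the listed networks through the
! tunnel. Traffic to anything else, including the internet, then leaves the client's local
! interface directly, so internet access would come back unless it is blocked on the client side.
! access-list TUNNEL_ONLY standard permit 10.10.0.0 255.255.0.0
! group-policy P2P_USERS attributes
!  split-tunnel-policy tunnelspecified
!  split-tunnel-network-list value TUNNEL_ONLY

! Verify what the policy resolves to before rolling it out:
! show running-config group-policy P2P_USERS
! show vpn-sessiondb detail remote
```

Two caveats a practitioner should check: the split-tunnel ACL is evaluated only for its permit entries (a deny line does not carve a hole out of a permit), and the choice between excludespecified and tunnelspecified decides where the users' internet-bound traffic ends up, so test from a real client with `route print` (Windows) or `netstat -rn` after connecting to confirm the installed routes match the intent.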
07-25-2010 03:00 PM
Basically this involves installing routes on the clients. You'll have to configure a split-tunnel-network-list longhand to define all networks except their internal network. You cannot, IIRC, use deny statements in that access list.
I've described the way it works here, and it will only work for certain clients:
http://www.abrij.org/~bri/hw/splitp.html
Also, I recently discovered that using "no sysopt connection permit-vpn" breaks this, and so far I cannot figure out if there is a solution by adding ACEs to interfaces/crypto-maps/etc. (the obvious one does not work).