split tunnel based on remote user location

Unanswered Question
Jun 28th, 2010
User Badges:

Good afternoon,

For remote vpn users, I would like to configure a dynamic vpn split tunnel depending where are they connected.

For example if a remote user is connected to ASA from italy, auth via acs radius server, a split tunnel list will be applied allowing user to access local resources, if the same user is connecting from germany, apply a split tunnel list allowing the local resources for germany office...

is it possible to achieve this? any link or documentation related?

Thanks for your support

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Michael Dombek Thu, 07/01/2010 - 00:53
User Badges:

Hi their sure you can do this.

If your User conencts you have to assign him a dACL and Shared RAC based on the Network Access Profile and the NAF for your locations.


create a Network Access Filter for Germany with all your german ASAs one for Italy with all your italian ASAs etc.

create a "Germany" Shared RAC with the important german settings (DNS wins etc)

Create a "Italy" Shared RAC with the settings for Italy

create dACL (for each location)

then go and create a Network access Profile for germany and one for italy - apply the network filter and assign  under authorization the dACL and sRAC.

Should work without problems

Maybe have a look here:



Cheers Michael

franpena2008 Thu, 07/01/2010 - 06:13
User Badges:

I am working with ACS appliance v 5.1 for radius authentication/authorization

All clients are connecting to the same central ASA.

I have found in ACS Policy Elements - End station filters - Where I think I can diffrentiate where are the clients located.

Anybody knows if end station filters refer to the clients network or to the asa?

Thnks and best regards



This Discussion