Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
630
Views
0
Helpful
2
Replies

split tunnel based on remote user location

franpena2008
Level 1
Level 1

‎06-28-2010 07:24 AM - edited ‎03-10-2019 05:13 PM

Good afternoon,

For remote vpn users, I would like to configure a dynamic vpn split tunnel depending where are they connected.

For example if a remote user is connected to ASA from italy, auth via acs radius server, a split tunnel list will be applied allowing user to access local resources, if the same user is connecting from germany, apply a split tunnel list allowing the local resources for germany office...

is it possible to achieve this? any link or documentation related?

Thanks for your support

Labels:
0 Helpful
2 Replies 2

Michael Dombek
Level 1
Level 1

‎07-01-2010 12:53 AM

Hi their sure you can do this.

If your User conencts you have to assign him a dACL and Shared RAC based on the Network Access Profile and the NAF for your locations.

EG:

create a Network Access Filter for Germany with all your german ASAs one for Italy with all your italian ASAs etc.

create a "Germany" Shared RAC with the important german settings (DNS wins etc)

Create a "Italy" Shared RAC with the settings for Italy

create dACL (for each location)

then go and create a Network access Profile for germany and one for italy - apply the network filter and assign  under authorization the dACL and sRAC.

Should work without problems

Maybe have a look here:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/sp.html

HTH

Cheers Michael

0 Helpful

franpena2008
Level 1
Level 1
In response to Michael Dombek

‎07-01-2010 06:13 AM

I am working with ACS appliance v 5.1 for radius authentication/authorization

All clients are connecting to the same central ASA.

I have found in ACS Policy Elements - End station filters - Where I think I can diffrentiate where are the clients located.

Anybody knows if end station filters refer to the clients network or to the asa?

Thnks and best regards

Fran

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents