Is it possible to use extended acl for split tunneling on ASA?

David Kleberson
Level 1

I'm configuring a RA IPsec VPN on an ASA and I would like to figure out whether it is possible to use extended ACLs as part of split tunneling.

Thank you!

4 Replies

Abaji Rawool
Level 3

Yes, you can use an extended ACL. Refer to this example: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70917-asa-split-tunnel-vpn-client.html

Regards,

Abaji.

The first question that comes to my mind is: Why do you want to do that? Split tunneling is used for routing decisions on the client, and on the ASA that's what standard ACLs are used for. Although you can use an extended ACL for split tunneling, using a standard ACL is the "native" ASA way to handle that.

Even if you use an extended ACL the ASA will "convert" the ACL (I use the convert statement very lightly) to a standard ACL. The source IP / subnet will be used for split tunneling and the destination will be ignored. So unless you configure the source IP with the destination network, the extended ACL will not work.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/vpn/asdm_71_vpn_config/vpn_asdm_setup.html

--

Please remember to select a correct answer and rate helpful posts

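The point made above, as an added configuration example that is not from any of the posts or from Cisco's documentation: the ACL names (SPLIT_STD, SPLIT_EXT, SPLIT_BAD), the policy and tunnel-group names (RA_POLICY, RA_TUNNEL) and the network 10.1.0.0/16 are constructed. The `!` lines are explanatory comments only.

```text
! Added example; names and the 10.1.0.0/16 network are constructed.
!
! Preferred form: a standard ACL lists the networks the client should
! send through the tunnel.
access-list SPLIT_STD standard permit 10.1.0.0 255.255.0.0
!
! Extended form that works: the ASA reads only the SOURCE field
! (10.1.0.0/16) as a split-tunnel network; the destination "any" is ignored.
access-list SPLIT_EXT extended permit ip 10.1.0.0 255.255.0.0 any
!
! Extended form that does NOT do what the author intends: the internal
! network sits in the destination field, which the ASA ignores, so the
! source "any" is what would be evaluated instead of 10.1.0.0/16.
access-list SPLIT_BAD extended permit ip any 10.1.0.0 255.255.0.0
!
! Attach the list to the group policy used by the remote-access tunnel group.
! SPLIT_STD and SPLIT_EXT are interchangeable here; SPLIT_BAD is not.
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_STD
!
tunnel-group RA_TUNNEL type remote-access
tunnel-group RA_TUNNEL general-attributes
 default-group-policy RA_POLICY
```

After connecting a client, check its route table for 10.1.0.0/16 to confirm that only the intended network is tunneled.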

Hi Karsten Iwen,

When you want to use FQDNs in your split tunnel ACL, it can't be done with a standard ACL, only with an extended one. That's a use case.
