09-21-2006 06:29 AM - edited 03-09-2019 04:16 PM
I have configured split tunnel on an ASA5510 so that only the traffic destined for the other end of the IPSec tunnel goes through the tunnel and the rest does not. Something like this:
access-list split extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
group-policy <policy> attributes
split-tunnel-network-list value split
Now I want to make sure that traffic to one specific host also goes through the tunnel, i.e. traffic from the 10.10.11.0 VPN clients to 123.123.123.123. Is it sufficient to add:
access-list split extended permit ip host 123.123.123.123 10.10.11.0 255.255.255.0
Or is there something else? Also, what about NAT, given that 123.123.123.123 is outside of the local network? Any suggestions?
09-24-2006 03:20 AM
Firstly, you should use a standard access-list for split tunneling and not an extended one!!
So the access-list should look like:
access-list split standard permit 10.10.10.0 255.255.255.0
Yes, you are right, you just have to add the single host to the split tunneling list.
access-list split standard permit host 123.123.123.123
For the VPN client traffic to go via the outside interface of the ASA, you have to add one more command, which is as follows:
same-security-traffic permit intra-interface
Also, you will have to apply nat 0 (outside) for denying the traffic from the client pool to that outside host 123.123.123.123:
access-list nonatoutside permit ip 10.10.11.0 255.255.255.0 host 123.123.123.123
nat 0 (outside) access-list nonatoutside
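To see what the split list above actually does on the client side, here is an added example (not from this thread or from Cisco): a small checker that parses ASA standard access-list lines of the kind used with split-tunnel-network-list and reports whether a given destination would be sent into the tunnel. The networks and the host are the ones from the thread; the ACL name "split" and the helper functions are this example's own.

```python
# Added example (not from the thread): parse ASA standard access-lists used
# with split-tunnel-network-list and answer "does dst go through the tunnel?"
# Networks are from the thread; ACL name "split" and helpers are assumptions.
import ipaddress
import re

# Constructed sample: the split list after the suggested host entry is added.
SPLIT_ACL = """
access-list split standard permit 10.10.10.0 255.255.255.0
access-list split standard permit host 123.123.123.123
"""

_LINE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<kind>standard|extended)\s+"
    r"(?P<action>permit|deny)\s+(?P<rest>.+)$"
)


def parse_split_acl(text, name="split"):
    """Return [(action, network)] for the named ACL.

    Only standard lines are accepted: the split list names destination
    networks, and an extended entry (with a source field) is rejected.
    """
    entries = []
    for raw in text.strip().splitlines():
        m = _LINE.match(raw.strip())
        if not m or m.group("name") != name:
            continue
        if m.group("kind") != "standard":
            raise ValueError(f"split-tunnel list must be a standard ACL: {raw}")
        rest = m.group("rest").split()
        if rest[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif rest[0] == "host":
            net = ipaddress.ip_network(rest[1] + "/32")
        else:  # "<network> <mask>" form
            net = ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False)
        entries.append((m.group("action"), net))
    return entries


def goes_through_tunnel(entries, dst):
    """First-match lookup: True if the client would send dst into the tunnel,
    False if it would go out the client's own internet link (no match or deny)."""
    addr = ipaddress.ip_address(dst)
    for action, net in entries:
        if addr in net:
            return action == "permit"
    return False
```

With the two entries above, 10.10.10.5 and 123.123.123.123 are tunnelled while 123.123.123.124 or any other internet address goes direct, which is exactly the behaviour the question asks for.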
09-24-2006 08:49 AM
Thanks for your response. I have a quick question: why is it necessary/important to use a standard access-list as opposed to an extended access-list?