Cisco Support Community

interface-specific split tunnelling w/ASA5510?

Our remote users already use AnyConnect to access our corporate network when offsite. We're in the process of implementing split tunneling through group policy, where more trusted users can have non-work traffic go directly to the internet, but less trusted users have all traffic go through the corporate LAN (and its security) before going out. Fine so far.

As a quick and simple way of adding secure wireless to our corporate LAN, we connected a physically partitioned network of Linksys WRT54Gs to one of the unused Ethernet ports on our ASA5510. Clients connecting wirelessly get a DHCP lease from the ASA, but there is no NAT or ACL allowing traffic out. The idea is that users will make a VPN connection with AnyConnect, and the VPN connections' ACLs allow for outbound traffic. This eliminates the need for WPA keys or integrating the APs with RADIUS, and pushes the security to the ASA, which is already familiar to the users.

The problem we have is that, since we don't allow any non-VPN traffic past the ASA on the wireless segment, split tunneling doesn't work. When connecting to the wireless segment, the users whose group policy gives them split tunneling can access corporate resources, but not external addresses. This is an inconvenience. We could remedy this by creating two connection profiles, and allowing the user to choose, say, wireless or external when connecting. We really want to avoid this, however: our less trusted users can, irritatingly so, be flummoxed by simple things like having to select the connection profile from a list.

I suppose we could add a second userID for the trusted users for when they're connected wirelessly, and have them get the non-split-tunnel GP, but that seems clunky also. If VPN connections terminating on the wireless interface could be forced to not use split tunneling, that would be ideal.

Is there any way, without having multiple connection profiles, to override the group policy split tunnel setting on a connection-specific basis?


Re: interface-specific split tunnelling w/ASA5510?

I would recommend disabling split-tunneling altogether for security reasons. This would eliminate the security risk resulting from your external remote access connections and resolve the connectivity issues related to your wireless LAN.

Hope this helps.
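A defender-side check that follows from this reply, added here and not part of the thread or any Cisco tool: the Python below parses a constructed ASA running-config excerpt and lists every connection profile or per-user override that resolves to a group policy whose split-tunnel-policy is anything other than tunnelall, so an admin can confirm where split tunnelling is still in effect after changing group policies. The policy, profile and user names are made up; the standard ASA command syntax and the tunnelall default when no split-tunnel-policy line is present are real ASA behaviour.

```python
import re
# Constructed ASA config excerpt (not from the post): split tunnelling for trusted users, tunnel-all otherwise.
SAMPLE_CONFIG = """\
group-policy GP_TRUSTED internal
group-policy GP_TRUSTED attributes
 split-tunnel-policy tunnelspecified
group-policy GP_RESTRICTED internal
group-policy GP_RESTRICTED attributes
 split-tunnel-policy tunnelall
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 default-group-policy GP_RESTRICTED
username alice attributes
 vpn-group-policy GP_TRUSTED
"""
# (attributes-block kind, sub-command) -> table that records its value
ATTR = {
    ("group-policy", "split-tunnel-policy"): "policies",
    ("tunnel-group", "default-group-policy"): "profiles",
    ("username", "vpn-group-policy"): "users",
}

def parse_asa_config(text):
    """Tables: group policy -> split-tunnel-policy (ASA default tunnelall),
    connection profile -> default group policy, user -> policy override."""
    tables = {"policies": {}, "profiles": {}, "users": {}}
    section = None  # (kind, name) of the attributes block being read
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if line.startswith(" ") and section:  # line inside an attributes block
            if (section[0], parts[0]) in ATTR:
                tables[ATTR[section[0], parts[0]]][section[1]] = parts[1]
            continue
        section = None  # any top-level command ends the current block
        m = re.match(r"(group-policy|tunnel-group|username) (\S+) (\S+)", line)
        if m:
            cmd, name, sub = m.groups()
            if cmd == "group-policy":
                tables["policies"].setdefault(name, "tunnelall")
            if sub in ("attributes", "general-attributes"):
                section = (cmd, name)
    return tables

def split_tunnel_findings(text):
    """Profiles/users landing on a policy other than tunnelall, i.e. remote
    traffic that bypasses the corporate egress controls the thread relies on."""
    t = parse_asa_config(text)
    paths = [(src, name, gp, t["policies"].get(gp, "tunnelall"))
             for src in ("profiles", "users") for name, gp in t[src].items()]
    return sorted(p for p in paths if p[3] != "tunnelall")
```

Feed it the output of `show running-config` to see which paths still permit split tunnelling; an empty result means every profile and user override ends on a tunnel-all policy.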
