Our remote users already use AnyConnect to access our corporate network when offsite. We're in the process of implementing split tunneling through group policy, where more trusted users can have non-work traffic go directly to the internet, but less trusted users have all traffic go through the corporate LAN (and its security) before going out. Fine so far.
As a quick and simple way of adding secure wireless to our corporate LAN, we connected a physically partitioned network of Linksys WRT54Gs to one of the unused Ethernet ports on our ASA5510. Clients connecting wirelessly get a DHCP lease from the ASA, but there is no NAT or ACL allowing traffic out. The idea is that users will make a VPN connection with AnyConnect, and the VPN connections' ACLs allow for outbound traffic. This eliminates the need for WPA keys or integrating the APs with RADIUS, and pushes the security to the ASA, which is already familiar to the users.
The problem we have is that, since we don't allow any non-VPN traffic past the ASA on the wireless segment, split tunneling doesn't work. When connecting to the wireless segment, the users whose group policy gives them split tunneling can access corporate resources, but not external addresses. This is an inconvenience. We could remedy this by creating two connection profiles, and allowing the user to choose, say, wireless or external when connecting. We really want to avoid this, however: our less trusted users can, irritatingly so, be flummoxed by simple things like having to select the connection profile from a list.
I suppose we could add a second userID for the trusted users for when they're connected wireless, and have them get the non-split-tunnel GP, but that seems clunky also. If VPN connections terminating on the wireless interface could be forced to not use split tunneling, that would be ideal.
Is there any way, without having multiple connection profiles, to override the group policy split tunnel setting on a connection-specific basis?
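For readers who want to picture the setup the question describes, here is an added illustration of the ASA configuration that produces it; it is not configuration from the original post, and the interface number, names, addresses and ACL contents are assumptions. It shows the single AnyConnect connection profile, the two group policies (one with split tunneling limited to the corporate prefix, one that tunnels everything), and the wireless segment that hands out DHCP leases but has no NAT or interface ACL permitting traffic out. The comments explain why VPN traffic still leaves while plain wireless traffic does not.

```cisco
! Assumed wireless segment: Ethernet0/2 faces the partitioned WRT54G network.
! No "nat" statement and no access-group on this interface, so unencrypted
! client traffic arriving here has no path out of the ASA.
interface Ethernet0/2
 nameif wireless
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! The ASA acts as DHCP server for wireless clients (addresses are assumed).
dhcpd address 192.0.2.10-192.0.2.200 wireless
dhcpd enable wireless
!
! Address pool handed to AnyConnect clients once the tunnel is up (assumed).
ip local pool VPN_POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0
!
! Corporate prefix that trusted users reach through the tunnel; everything
! else goes directly to the Internet for them (prefix is assumed).
access-list SPLIT_TUNNEL_CORP standard permit 10.0.0.0 255.0.0.0
!
! Trusted users: split tunneling. On the wireless segment this is exactly the
! case that breaks, because their non-corporate traffic is sent in the clear
! to an interface that never forwards it.
group-policy GP-TRUSTED internal
group-policy GP-TRUSTED attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_CORP
!
! Less trusted users: all traffic enters the tunnel and is inspected and
! forwarded by the ASA like any other inside traffic, so it works on wireless.
group-policy GP-UNTRUSTED internal
group-policy GP-UNTRUSTED attributes
 split-tunnel-policy tunnelall
!
! One connection profile for everyone, so nobody has to pick from a list.
! The per-user group policy below, not the profile, decides split tunneling.
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool VPN_POOL
 default-group-policy GP-UNTRUSTED
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias corp enable
!
! Example of assigning the split-tunnel policy to a trusted user (assumed name).
username alice attributes
 vpn-group-policy GP-TRUSTED
!
! AnyConnect must be enabled on both interfaces that terminate tunnels:
! the Internet-facing one for remote users and the wireless one for on-site
! clients. Decrypted VPN traffic bypasses interface access lists by default
! ("sysopt connection permit-vpn"), which is why the tunnel gets out while
! bare wireless traffic does not.
webvpn
 enable outside
 enable wireless
 anyconnect enable
```

The `anyconnect enable` keyword applies to ASA 8.4 and later; older releases use `svc enable` in the same place. Note that because the group policy is bound to the user rather than to the interface the tunnel arrives on, the same policy is applied whether the user connects from the Internet or from the wireless segment, which is precisely the behaviour the question is trying to change.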
I would recommend disabling split-tunneling altogether for security reasons. This would eliminate the security risk resulting from your external remote access connections and resolve the connectivity issues related to your wireless LAN.