Split Tunnel VPN

mahesh18
Level 6

Hi Everyone,

When we use Remote VPN to connect to the company network, the tunnel is built up and we can access the company resources.

When we need to access the internet, it checks the ACL in the ASA and points it to the outside world.

I need to confirm: is this technology called Split VPN?

What command can I run on the ASA to check if split tunnel is used?

Or should I look for the ACL?

Regards

Mahesh


7 Replies

Julio Carvajal
VIP Alumni

No need to check the ACL on the outside interface (unless direction out).

Split Tunnel lets you configure which traffic will be sent over the VPN tunnel.

So if you want to send all traffic via the tunnel, leave it at the default. If that is not the case, configure an ACL and include only the destination IP addresses whose traffic will be sent via the tunnel.


Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jouni Forss
VIP Alumni

Hi,

To determine whether you are using Split Tunnel or Full Tunnel VPN, and you want to determine that through the ASA configuration, you should first list the "tunnel-group" configurations:

show run tunnel-group

This will list all the different types of VPN configurations on your ASA (even the L2L VPNs between sites).

Next you should find the "tunnel-group" that you are using for the VPN Client.

When you find the "tunnel-group" that you are using, check whether it has the following value under it:

tunnel-group general-attributes

default-group-policy

If it has the "default-group-policy" set, then you have to check that "group-policy" configuration with the command

show run group-policy

This will possibly list the following values:

split-tunnel-policy tunnelall

or

split-tunnel-policy tunnelspecified

split-tunnel-network-list

Naturally, of the above, the first clearly shows that Full Tunnel VPN would be used and all traffic would be sent through the VPN. I also think that if the "group-policy" doesn't make any mention of the above configurations, it will also mean that you are using Full Tunnel VPN.

The second output would tell you that you are tunneling only the specific networks that are defined in the ACL used in the second command. This would naturally be called Split Tunnel VPN.

I would also take note that if you are using LOCAL authentication on the ASA for the VPN user, then the "group-policy" could be attached even to the "username".

You could check if that is so with the command

show run username

You could naturally also tell which type of VPN you are using simply by connecting the VPN, finding the Routes/Secured Routes section and looking at the Secured Routes output.

  • If it only mentions 0.0.0.0 then it's Full Tunnel
  • If it mentions specific networks it's Split Tunnel

You are saying that when you try to access the Internet from the VPN Client you can see an ACL being checked on the ASA and the traffic sent to the external/public network? If this is true, it would seem that you are using Full Tunnel VPN, if even Internet traffic is coming through the VPN connection first.

You seeing an ACL check would also mean that you have configured the ASA in a way that even incoming connections through a VPN are being checked against an ACL. This might be an interface ACL on the "outside" or perhaps a VPN Filter configuration?

- Jouni
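The procedure in the two answers above (tunnel-group -> default-group-policy -> group-policy -> split-tunnel-policy, plus the username override for LOCAL users), as an added example that is not from the original thread or from Cisco: a Python script that walks "show run" text and classifies each remote-access tunnel-group as full or split tunnel. The configuration embedded in it is constructed for illustration and the tunnel-group, group-policy, ACL and user names are made up. It also resolves one detail the thread leaves implicit: a group-policy that does not set split-tunnel-policy inherits it from DfltGrpPolicy, and only if DfltGrpPolicy does not set it either does the ASA factory default (tunnelall, i.e. full tunnel) apply.

```python
"""Classify each remote-access tunnel-group on a Cisco ASA as full or split tunnel
by walking 'show run' output: tunnel-group -> default-group-policy -> group-policy
-> split-tunnel-policy (with username vpn-group-policy overriding the tunnel-group).
Example code, not part of the original thread."""
from collections import defaultdict

DFLT_GROUP_POLICY = "DfltGrpPolicy"   # built-in policy every other group-policy inherits from

# Constructed sample of 'show run' output (not from the original post); all names are made up.
SAMPLE_SHOW_RUN = """\
access-list SPLIT_ACL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_ACL standard permit 192.168.10.0 255.255.255.0
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ssl-client
group-policy CorpGroupPolicy internal
group-policy CorpGroupPolicy attributes
 vpn-tunnel-protocol ikev1 ssl-client
group-policy SplitPolicy internal
group-policy SplitPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
username alice password ***** encrypted
username alice attributes
 vpn-group-policy SplitPolicy
tunnel-group TunnelGroupX type remote-access
tunnel-group GrpX type remote-access
tunnel-group GrpX general-attributes
 address-pool VPNPOOL
tunnel-group GrpCorp001 type remote-access
tunnel-group GrpCorp001 general-attributes
 default-group-policy CorpGroupPolicy
tunnel-group GrpCorp001 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group GrpSplit type remote-access
tunnel-group GrpSplit general-attributes
 default-group-policy SplitPolicy
tunnel-group 203.0.113.10 type ipsec-l2l
"""


def parse_show_run(text):
    """Extract only the objects the classification needs from 'show run' text."""
    cfg = {"tunnel_groups": {}, "group_policies": {}, "usernames": {}, "acls": defaultdict(list)}
    section = None  # (kind, name) of the indented attribute block we are inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if not line.startswith(" "):  # top-level command: closes any block, may open a new one
            section = None
            kind, name = parts[0], (parts[1] if len(parts) > 1 else None)
            if kind == "tunnel-group":
                tg = cfg["tunnel_groups"].setdefault(name, {"type": None, "default_group_policy": None})
                if parts[2:3] == ["type"]:
                    tg["type"] = parts[3]
                elif parts[2:3] == ["general-attributes"]:
                    section = (kind, name)
            elif kind == "group-policy":
                cfg["group_policies"].setdefault(name, {"split_tunnel_policy": None, "split_tunnel_network_list": None})
                if parts[2:3] == ["attributes"]:
                    section = (kind, name)
            elif kind == "username":
                cfg["usernames"].setdefault(name, {"vpn_group_policy": None})
                if parts[2:3] == ["attributes"]:
                    section = (kind, name)
            elif kind == "access-list":
                cfg["acls"][name].append(" ".join(parts[2:]))
            continue
        if section is None:  # indented line under a block we do not care about (e.g. ipsec-attributes)
            continue
        kind, name = section
        if kind == "tunnel-group" and parts[0] == "default-group-policy":
            cfg["tunnel_groups"][name]["default_group_policy"] = parts[1]
        elif kind == "group-policy" and parts[0] == "split-tunnel-policy":
            cfg["group_policies"][name]["split_tunnel_policy"] = parts[1]
        elif kind == "group-policy" and parts[:2] == ["split-tunnel-network-list", "value"]:
            cfg["group_policies"][name]["split_tunnel_network_list"] = parts[2]
        elif kind == "username" and parts[0] == "vpn-group-policy":
            cfg["usernames"][name]["vpn_group_policy"] = parts[1]
    return cfg


def effective_split_tunnel(cfg, policy_name):
    """Resolve split-tunnel-policy and network-list for a group-policy: an attribute the
    named policy does not set is inherited from DfltGrpPolicy; if that is unset too,
    the ASA default is tunnelall (full tunnel)."""
    policy, acl = None, None
    for name in (policy_name, DFLT_GROUP_POLICY):
        gp = cfg["group_policies"].get(name, {})
        policy = policy or gp.get("split_tunnel_policy")
        acl = acl or gp.get("split_tunnel_network_list")
    return policy or "tunnelall", acl


def describe(cfg, policy_name):
    policy, acl = effective_split_tunnel(cfg, policy_name)
    nets = cfg["acls"].get(acl, []) if acl else []
    kinds = {"tunnelall": "full tunnel",                  # everything, Internet included, rides the VPN
             "tunnelspecified": "split tunnel",           # only ACL destinations ride the VPN
             "excludespecified": "split tunnel (exclude)"}  # everything except ACL destinations rides the VPN
    return {"group_policy": policy_name, "policy": policy, "acl": acl,
            "networks": nets, "kind": kinds.get(policy, "unknown")}


def classify_tunnel_groups(cfg):
    """One entry per remote-access tunnel-group; L2L tunnel-groups are skipped."""
    return {name: describe(cfg, tg["default_group_policy"] or DFLT_GROUP_POLICY)
            for name, tg in cfg["tunnel_groups"].items() if tg["type"] == "remote-access"}


def classify_user(cfg, username, tunnel_group):
    """A LOCAL user's 'vpn-group-policy' overrides the tunnel-group's default-group-policy."""
    override = cfg["usernames"].get(username, {}).get("vpn_group_policy")
    tg = cfg["tunnel_groups"][tunnel_group]
    return describe(cfg, override or tg["default_group_policy"] or DFLT_GROUP_POLICY)


if __name__ == "__main__":
    config = parse_show_run(SAMPLE_SHOW_RUN)
    for name, info in classify_tunnel_groups(config).items():
        print(f"{name:13} -> {info['kind']:13} (group-policy {info['group_policy']}, "
              f"split-tunnel-policy {info['policy']}, acl {info['acl']})")
    print("alice via GrpCorp001 ->", classify_user(config, "alice", "GrpCorp001")["kind"])
```

To use it on a real box, paste the output of "show run" into a file and feed its text to parse_show_run instead of the sample. The result is a configuration-level answer only; for a live session the Secured Routes panel on the client, as the answer above notes, is the ground truth.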

Hi Jouni,

Going step by step:

sh run tunnel-group shows

tunnel-group TunnelGroupX type remote-access

tunnel-group GrpX type remote-access

tunnel-group GrpX general-attributes

tunnel-group GrpCorp001 type remote-access

tunnel-group GrpCorp001 general-attributes

 default-group-policy CorpGroupPolicy

tunnel-group GrpCorp001 ipsec-attributes

It seems it has 2 tunnel groups which are defined, right?

Also it has a single default policy, so this policy is used by all the VPN clients, right?

I checked

show run group-policy

and it does not show split tunnel anywhere, so it seems all Internet traffic is going via the Corp Network, right?

Regards

Mahesh

Hi,

It seems there are 3 "tunnel-group" entries above of type "remote-access".

2 of them seem to have no "group-policy", so they use the default one on the ASA, which, unchanged, means Full Tunnel.

1 of the "tunnel-group" entries has a "group-policy", and it doesn't seem to list any of the Split Tunnel configurations I mentioned above, so it would mean it's Full Tunnel too.

It would seem all 3 "tunnel-group" entries are therefore using Full Tunnel.

- Jouni

Hi Jouni,

When I use Remote VPN to connect, how can I know which tunnel group I will be hitting?

Regards

Mahesh

It depends.

If you are using the AnyConnect SSL VPN Client, then you would typically see the "tunnel-group" name in the AnyConnect VPN Client's drop-down menu when you are connecting to the ASA. Though I guess the name might also be an alias for the "tunnel-group" name.

If you are using the Cisco VPN Client (IPsec Client), then the "tunnel-group" is configured under the Connection Entry.

Here is the Main Window

Choose the Connection Entry that you are using and click the Modify button above.

As you can see from the above, the "Name" field contains the name of the "tunnel-group" used. The value inserted in the "Password" fields would be the Pre-Shared Key that you have configured in the "tunnel-group" on the ASA.

Hope this helps

- Jouni

Hi Jouni,

Yes, I saw the name when I clicked on Modify.

Seems it's a lot of info for today.

Best regards

Mahesh
