06-06-2008 07:19 AM - edited 03-11-2019 05:56 AM
ASA 7.2.3 code / ASDM 5.2
Yesterday I converted a customer from the WebVPN portal to the SVC client (sslclient-win-1.1.4.179). I must have spent 2 hrs trying to figure out why the split tunneling wasn't working. I had the ACL configured for the tunnel networks and had it tied to the group policy; nothing I tried seemed to fix this problem! The SVC client said that split tunneling was NOT enabled, and I confirmed that all client traffic was in fact being tunneled via this VPN policy.
It wasn't until someone pointed out to me that they remembered a problem with matching on extended ACLs vs. just a standard network ACL. I converted the extended ACL to a standard one and voila, it worked!
So now I'm at a standstill. I do not want to configure it this way, as I want to be very granular in what is allowed to specific machines rather than just opening up specific host(s) and/or network(s).
Is this a bug? How can I configure this so that I'm only allowing specific protocols to specific hosts?
BTW: the only reason I converted this customer over was the fact that DEP in Windows SP2 was jacking up their connectivity. There is a bug out there on this with CSD 3.1.1.45.
Thank You,
scott
06-07-2008 10:28 AM
So I found a fix....
You need to define and match on a standard, wide-open network and/or host ACL, and then use the 'vpn-filter value' command to get granular on top of the standard one you created. If that doesn't make sense, here's the config....
ASA# sh run | begin group-policy Company-ABC-WebVPN internal
group-policy Company-ABC-WebVPN internal
group-policy Company-ABC-WebVPN attributes
dns-server value 192.168.0.21 192.168.0.11
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-filter value Company-ABC-Access-VPN-Network-List
vpn-tunnel-protocol webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Company-ABC-NONSPECIFIC-Access-VPN-Network-List
address-pools value Remote-Access-VPN-Pool
webvpn
functions url-entry file-access file-entry file-browsing port-forward auto-download
url-list value Company-ABC
port-forward value Company-ABC-Access
port-forward-name value Application Access
svc enable
svc keep-installer installed
!
access-list Company-ABC-Access-VPN-Network-List remark Allow VPN Access to Demo-DMZ
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq 5802
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq 5902
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq 8080
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq ssh
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq 5802
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq 5902
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq 8080
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq ssh
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.148 eq 3389
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.131 eq 3389
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.135 eq 3389
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 192.168.0.11 eq domain
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 192.168.0.21 eq domain
access-list Company-ABC-Access-VPN-Network-List extended permit udp any host 192.168.0.11 eq domain
access-list Company-ABC-Access-VPN-Network-List extended permit udp any host 192.168.0.21 eq domain
!
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List remark Allow VPN Access to Demo-DMZ
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit 1.1.1.128 255.255.255.224
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit host 192.168.0.21
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit host 192.168.0.11
!
thx,
scott
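To make the two-stage behaviour from the post above concrete, here is an added example (not from the original thread or from Cisco) that models it in Python: the standard ACL on split-tunnel-network-list decides by destination address only whether a flow enters the tunnel, and the extended ACL on vpn-filter then decides by protocol and port whether that tunneled flow is permitted. The ACL contents are copied from the post; the class and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the policy in the post. Stage 1: the *standard* ACL on
# split-tunnel-network-list (split-tunnel-policy tunnelspecified) matches on
# destination only. Stage 2: the *extended* ACL on vpn-filter matches on
# protocol, host and port, with the ASA's implicit deny at the end.

@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    dst: str     # destination IPv4 address
    dport: int   # destination port

# Company-ABC-NONSPECIFIC-Access-VPN-Network-List (standard ACL from the post).
SPLIT_TUNNEL_LIST = [
    ipaddress.ip_network("1.1.1.128/27"),    # permit 1.1.1.128 255.255.255.224
    ipaddress.ip_network("192.168.0.21/32"), # permit host 192.168.0.21
    ipaddress.ip_network("192.168.0.11/32"), # permit host 192.168.0.11
]

# Company-ABC-Access-VPN-Network-List (extended ACL from the post), as
# (proto, host, port) tuples; "any" source is implied, ssh=22, domain=53.
VPN_FILTER = {
    ("tcp", "1.1.1.145", 5802), ("tcp", "1.1.1.145", 5902),
    ("tcp", "1.1.1.145", 8080), ("tcp", "1.1.1.145", 22),
    ("tcp", "1.1.1.147", 5802), ("tcp", "1.1.1.147", 5902),
    ("tcp", "1.1.1.147", 8080), ("tcp", "1.1.1.147", 22),
    ("tcp", "1.1.1.148", 3389), ("tcp", "1.1.1.131", 3389),
    ("tcp", "1.1.1.135", 3389),
    ("tcp", "192.168.0.11", 53), ("tcp", "192.168.0.21", 53),
    ("udp", "192.168.0.11", 53), ("udp", "192.168.0.21", 53),
}

def is_tunneled(flow: Flow) -> bool:
    """Stage 1: standard ACL, destination address only (no ports/protocols)."""
    dst = ipaddress.ip_address(flow.dst)
    return any(dst in net for net in SPLIT_TUNNEL_LIST)

def vpn_filter_permits(flow: Flow) -> bool:
    """Stage 2: extended ACL; anything not explicitly permitted is denied."""
    return (flow.proto, flow.dst, flow.dport) in VPN_FILTER

def disposition(flow: Flow) -> str:
    """'direct' = bypasses the tunnel; 'permit'/'deny' = decided by vpn-filter."""
    if not is_tunneled(flow):
        return "direct"
    return "permit" if vpn_filter_permits(flow) else "deny"
```

The point the model makes visible: the standard ACL opens the whole 1.1.1.128/27 to the tunnel, so it is the vpn-filter alone that blocks, say, TCP/443 to 1.1.1.145 while still permitting SSH to it.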
07-31-2008 09:00 AM
I was having the exact same problem. So glad I found your post. Works great!
07-31-2008 09:14 AM
Awesome - glad it helped. We have tied this to others and it's still a solid solution for us as well.
scott