WebVPN (Split Tunnel w/ extended ACL)

ASA 7.2.3 code / ASDM 5.2

Yesterday I converted a customer from the WebVPN portal to the SVC client (sslclient-win-1.1.4.179). I must have spent 2 hrs trying to figure out why the split tunneling wasn't working. I had the ACL configured for the tunnel networks and had it tied to the group policy; nothing I tried seemed to fix this problem! The SVC client said that split tunneling was NOT enabled, and I confirmed that all client traffic was in fact being tunneled via this VPN policy.

It wasn't until someone pointed out to me that they remembered a problem with matching on extended ACLs vs. just a standard network ACL. I converted the extended ACL to a standard one and voilà, it worked!

So now I'm at a standstill. I do not want to configure it this way, as I want to be very granular in what is allowed to specific machines, rather than just opening up specific host(s) and/or network(s).

Is this a bug? How can I configure this so that I'm only allowing specific protocols to specific hosts?

BTW: the only reason I converted this customer over was the fact that DEP in SP2 Windows was jacking up their connectivity. There is a bug out there on this w/ CSD 3.1.1.45.

Thank You,

scott

3 REPLIES

Re: WebVPN (Split Tunnel w/ extended ACL)

So I found a fix....

You need to define and match on a standard, wide-open network and/or host ACL, and then use the 'vpn-filter value' command to get granular on the standard one you created. If that doesn't make sense, here's the config....

ASA# sh run | begin group-policy Company-ABC-WebVPN internal
group-policy Company-ABC-WebVPN internal
group-policy Company-ABC-WebVPN attributes
 dns-server value 192.168.0.21 192.168.0.11
 vpn-access-hours none
 vpn-simultaneous-logins 10
 vpn-filter value Company-ABC-Access-VPN-Network-List
 vpn-tunnel-protocol webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Company-ABC-NONSPECIFIC-Access-VPN-Network-List
 address-pools value Remote-Access-VPN-Pool
 webvpn
  functions url-entry file-access file-entry file-browsing port-forward auto-download
  url-list value Company-ABC
  port-forward value Company-ABC-Access
  port-forward-name value Application Access
  svc enable
  svc keep-installer installed
!
access-list Company-ABC-Access-VPN-Network-List remark Allow VPN Access to Demo-DMZ
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq 5802
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq 5902
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq 8080
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq ssh
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq 5802
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq 5902
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq 8080
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq ssh
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.148 eq 3389
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.131 eq 3389
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.135 eq 3389
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 192.168.0.11 eq domain
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 192.168.0.21 eq domain
access-list Company-ABC-Access-VPN-Network-List extended permit udp any host 192.168.0.11 eq domain
access-list Company-ABC-Access-VPN-Network-List extended permit udp any host 192.168.0.21 eq domain
!
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List remark Allow VPN Access to Demo-DMZ
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit 1.1.1.128 255.255.255.224
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit host 192.168.0.21
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit host 192.168.0.11
!

thx,

scott
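As an added example (not part of the thread), a small Python check that parses an ASA-style config in the shape shown above and flags the two things that cause trouble with this setup: a split-tunnel-network-list that is not a standard ACL, and a vpn-filter destination that the split-tunnel list would never send into the tunnel (so the filter entry can never match). The config text is a constructed, trimmed copy of the posted one, and the 10.9.9.9 ACE is an added bad entry.

```python
import ipaddress
import re

# Constructed sample, trimmed from the thread's config; the 10.9.9.9 ACE is an added bad entry.
SAMPLE_CONFIG = """\
group-policy Company-ABC-WebVPN attributes
 vpn-filter value Company-ABC-Access-VPN-Network-List
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Company-ABC-NONSPECIFIC-Access-VPN-Network-List
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq ssh
access-list Company-ABC-Access-VPN-Network-List extended permit udp any host 192.168.0.11 eq domain
access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 10.9.9.9 eq 8080
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit 1.1.1.128 255.255.255.224
access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit host 192.168.0.11
"""
ACE_RE = re.compile(r"^access-list (\S+) (standard|extended) permit (.+)$")

def parse_acls(config):
    acls = {}  # name -> (kind, [tokenised permit ACEs]); remarks and denies are ignored
    for line in config.splitlines():
        if m := ACE_RE.match(line.strip()):
            name, kind, body = m.groups()
            acls.setdefault(name, (kind, []))[1].append(body.split())
    return acls

def _addr(tok, i):  # ASA address spec: any | host A | A MASK  ->  (network, next index)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def destinations(kind, entries):  # standard: whole ACE; extended: <proto> <src> <dst> [ports]
    if kind == "standard":
        return [_addr(e, 0)[0] for e in entries]
    return [_addr(e, _addr(e, 1)[1])[0] for e in entries]  # skip proto, step over src

def audit(config):
    """Findings: a split list that is not standard, or vpn-filter targets the split list never tunnels."""
    acls = parse_acls(config)
    split = re.search(r"split-tunnel-network-list value (\S+)", config).group(1)
    vfilter = re.search(r"vpn-filter value (\S+)", config).group(1)
    findings = []
    if acls[split][0] != "standard":
        findings.append(f"{split} is {acls[split][0]}: split-tunnel-network-list needs a standard ACL")
    tunneled = destinations(*acls[split])
    for dst in destinations(*acls[vfilter]):
        if not any(dst.subnet_of(net) for net in tunneled):
            findings.append(f"{dst} permitted by {vfilter} but not tunneled by {split}")
    return findings
```

Run `audit(SAMPLE_CONFIG)` against a copy of your own `show run` output; it assumes one group-policy per config and permit-only ACEs, which is enough to catch the mismatch described in this thread.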


Re: WebVPN (Split Tunnel w/ extended ACL)

I was having the exact same problem. So glad I found your post. Works great!


Re: WebVPN (Split Tunnel w/ extended ACL)

Awesome - glad it helped. We have tied this to others and it's still a solid solution for us as well.

scott
