Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
526
Views
0
Helpful
4
Replies

acl for split tuneling

chinkevi_2
Level 1
Level 1

‎05-11-2009 06:17 PM - edited ‎02-20-2020 09:41 PM

hello,

i'm doing ios router terminating vpn client.

when defining split tuneling in acl, does it support to include port when defining traffic to be encrypted?

i.e. access-list 100 permit ip <src> <mask> <dst> <msk> eq http

if not, is there option to say this group user can access this host for email only? Should this be done on Radius server or the application?

Labels:
0 Helpful
4 Replies 4

paul
Level 1
Level 1

‎05-12-2009 01:39 AM

I think I would block that with an ACL. Depending on the device, it is done differently. For example, the ASA permits IPSEC inherently in most configs. To disable that, you would enter "no sysopt connection permit-vpn". After that, the acl rules will apply. In IOS, it is different depending on the code version and method for deploying the VPN client. For example, with VTI, you could apply an ACL to the tunnel interface.

0 Helpful

chinkevi_2
Level 1
Level 1
In response to paul

‎05-12-2009 02:41 PM

thanks Paul but it is quite irrelevent.

i am refering to "ios router", with acl define for "split-tuneling".

i normally see examples to define split-tuneling in acl with src and dst address.

The question is if we can define the split-tuneling in acl with port.

0 Helpful

paul
Level 1
Level 1
In response to chinkevi_2

‎05-12-2009 03:26 PM

You can also filter via ACL in IOS. It is just done differently depending on the code version. In new code, it is best to do with VTI. I understand that you want to build a split tunnel acl based on ports and generally you don't want to build sa's at the port level.

To answer your question, I don't know if the VPN Client would register that or not. So unfortunately, I don't know. The reason it is generally not a good idea is each logical line in the acl would become an SA relationship. In other words, you can consume resources with a lot of SA's.

Basically, I define in the SA's the communication I want to encrypt, then define in an acl what I want to block. I never get down to a protocol or port level in SA definition. Really, that is what the split tunnel acl is doing is defining the SA.

I know that's not an answer to your question. If I get an opportunity to try it, I will post back with the results.

0 Helpful

paul
Level 1
Level 1
In response to paul

‎05-12-2009 03:34 PM

Also, one more note. The split acl affects the routing table on the client PC. The route table is not per port. That doesn't mean that it couldn't work, but it would simply drop the traffic that wasn't destined to the defined port if everything else worked.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents