Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

acl for split tuneling


i'm doing ios router terminating vpn client.

when defining split tuneling in acl, does it support to include port when defining traffic to be encrypted?

i.e. access-list 100 permit ip <src> <mask> <dst> <msk> eq http

if not, is there option to say this group user can access this host for email only? Should this be done on Radius server or the application?

Community Member

Re: acl for split tuneling

I think I would block that with an ACL. Depending on the device, it is done differently. For example, the ASA permits IPSEC inherently in most configs. To disable that, you would enter "no sysopt connection permit-vpn". After that, the acl rules will apply. In IOS, it is different depending on the code version and method for deploying the VPN client. For example, with VTI, you could apply an ACL to the tunnel interface.

Community Member

Re: acl for split tuneling

thanks Paul but it is quite irrelevent.

i am refering to "ios router", with acl define for "split-tuneling".

i normally see examples to define split-tuneling in acl with src and dst address.

The question is if we can define the split-tuneling in acl with port.

Community Member

Re: acl for split tuneling

You can also filter via ACL in IOS. It is just done differently depending on the code version. In new code, it is best to do with VTI. I understand that you want to build a split tunnel acl based on ports and generally you don't want to build sa's at the port level.

To answer your question, I don't know if the VPN Client would register that or not. So unfortunately, I don't know. The reason it is generally not a good idea is each logical line in the acl would become an SA relationship. In other words, you can consume resources with a lot of SA's.

Basically, I define in the SA's the communication I want to encrypt, then define in an acl what I want to block. I never get down to a protocol or port level in SA definition. Really, that is what the split tunnel acl is doing is defining the SA.

I know that's not an answer to your question. If I get an opportunity to try it, I will post back with the results.

Community Member

Re: acl for split tuneling

Also, one more note. The split acl affects the routing table on the client PC. The route table is not per port. That doesn't mean that it couldn't work, but it would simply drop the traffic that wasn't destined to the defined port if everything else worked.

CreatePlease to create content