Cisco Support Community
Community Member

Disable Split Tunneling?

Hello,

How do I Disable Split Tunneling and only allow ssh and pings from the protected networks to the Internet and vice versa? Apparently the Cisco TAC does not know how to do this because I have a trouble ticket in and no one can give me an answer. Maybe someone out here can help?

2 REPLIES
Bronze

Re: Disable Split Tunneling?

I can’t think of any way to do it either. What about asking the TAC to escalate it to a higher priority? Come back here and let me know what you come up with.

Community Member

Re: Disable Split Tunneling?

Hmm... your original post didn't give a lot of details. I'm not sure what Split Tunneling has to do with the problem. Perhaps you can clarify?

At any rate, if you just want to allow specific traffic to and from your network, you need only implement the appropriate filters in your firewalling device (you didn't mention whether it was a PIX or a router or something else).

Here's a sample IOS access list that might help (note that ! indicates my comments). I left in what I consider to be bare ICMP functionality - you can just restrict it to echoes if you'd like, but I fear you may break something useful like Path MTU discovery :-)

! Access list 101 is applied on the "external" interface - the assumption in this case is that
! we're touching the Internet (hence the RFC 1918 filters). We filter anything that wasn't
! originated from the inside, or is an ICMP message. You should substitute explicit
! subnets for "any" whenever possible.
!
! Anti-spoofing: Filter out loopback & RFC-1918 space (you may need to allow
! RFC-1918 if the router's environment routes this traffic, though). Last two lines deny
! traffic sourced from any broadcast address coming inbound, as well as any traffic with
! a source address of our internal network, which we would never expect to see anyhow.
!
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip (internal net) 0.0.0.255 any log
!
! Allow ping responses, traceroute functionality, path MTU discovery. Bare minimum
! ICMP for reasonable functionality - we could tighten this down, but might break useful
! things.
!
access-list 101 permit icmp any (internal net) 0.0.0.255 echo-reply
access-list 101 permit icmp any (internal net) 0.0.0.255 time-exceeded
access-list 101 permit icmp any (internal net) 0.0.0.255 packet-too-big
access-list 101 permit icmp any (internal net) 0.0.0.255 traceroute
access-list 101 permit icmp any (internal net) 0.0.0.255 unreachable
!
! Permissions for established (ACK) TCP traffic to allow return traffic. This permission
! is handled in a "smarter" fashion in IOS Firewall. You might have to add lines to allow
! relevant stateless UDP to come back as well.
!
access-list 101 permit tcp any (internal net) 0.0.0.255 established
!
! Explicit permissions go here... in this case, we're allowing the Internet to come in on
! port 22 to some internal host for SSH.
!
access-list 101 permit tcp any host (internal host) eq 22
!
! Add an explicit deny for administration's sake. Every entry needs both a source and a
! destination, hence "any any".
!
access-list 101 deny ip any any log
!
! ACL 102 is used for network egress filtering. We only want traffic with valid source
! addresses to exit the protected network, and only SSH and echo-requests.
!
access-list 102 permit tcp (internal net) 0.0.0.255 any eq 22
access-list 102 permit icmp (internal net) 0.0.0.255 any echo-request
access-list 102 deny ip any any log

At any rate, hope this helps.

-rakesh
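The ACLs above can be sanity-checked offline before they go on a router. The following is an added example, not code from the original post or from Cisco: a small first-match evaluator that parses the two numbered ACLs as written (with "any" supplied where an entry lacked its destination) and runs constructed sample packets through them. It assumes the post's "(internal net)" placeholder is 203.0.113.0/24 and the SSH host is 203.0.113.10, both TEST-NET-3 addresses chosen for the example. Two behaviours worth seeing in practice are the stateless nature of the "established" keyword (any inbound segment with ACK or RST set is permitted, regardless of whether an inside host opened the connection) and the fact that an egress list of "only SSH and echo-requests" also drops DNS.

```python
"""Evaluate packets against the post's two IOS ACLs with first-match semantics (added example)."""
import ipaddress
from collections import namedtuple

# Assumption (not in the post): "(internal net)" is 203.0.113.0/24 and the SSH host
# is 203.0.113.10; both are TEST-NET-3 addresses chosen for this example.
INTERNAL_NET, SSH_HOST = "203.0.113.0", "203.0.113.10"

# The post's ACLs, with "any" supplied wherever an entry was missing its destination.
ACL_TEXT = f"""
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip {INTERNAL_NET} 0.0.0.255 any log
access-list 101 permit icmp any {INTERNAL_NET} 0.0.0.255 echo-reply
access-list 101 permit icmp any {INTERNAL_NET} 0.0.0.255 time-exceeded
access-list 101 permit icmp any {INTERNAL_NET} 0.0.0.255 packet-too-big
access-list 101 permit icmp any {INTERNAL_NET} 0.0.0.255 traceroute
access-list 101 permit icmp any {INTERNAL_NET} 0.0.0.255 unreachable
access-list 101 permit tcp any {INTERNAL_NET} 0.0.0.255 established
access-list 101 permit tcp any host {SSH_HOST} eq 22
access-list 101 deny ip any any log
access-list 102 permit tcp {INTERNAL_NET} 0.0.0.255 any eq 22
access-list 102 permit icmp {INTERNAL_NET} 0.0.0.255 any echo-request
access-list 102 deny ip any any log
"""

Ace = namedtuple("Ace", "action proto src dst dport established icmp_type")
# A packet as the ACL sees it; flags holds TCP flag names such as "SYN" or "ACK".
Packet = namedtuple("Packet", "proto src dst dport flags icmp_type",
                    defaults=(None, frozenset(), None))

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'; return (base, wildcard) ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))

def _addr_match(spec, ip):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wild = spec
    return ((_ip(ip) ^ base) & ~wild & 0xFFFFFFFF) == 0

def parse_acl(text):
    """Return {acl_number: [Ace, ...]} in configured order, which is the order IOS evaluates."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        rest = t[4:]
        src, dst = _parse_addr(rest), _parse_addr(rest)
        dport = int(rest[rest.index("eq") + 1]) if "eq" in rest else None
        # Anything left that is not a keyword is a named ICMP type (echo-reply, unreachable, ...).
        icmp = [x for x in rest if x not in ("eq", "established", "log") and not x.isdigit()]
        acls.setdefault(int(t[1]), []).append(
            Ace(t[2], t[3], src, dst, dport, "established" in rest, icmp[0] if icmp else None))
    return acls

def matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    # "established" is stateless: it matches any TCP segment with ACK or RST set,
    # whether or not an inside host ever opened that connection.
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return ace.icmp_type is None or pkt.icmp_type == ace.icmp_type

def evaluate(aces, pkt):
    """First matching entry wins; no match falls through to IOS's implicit deny."""
    for n, ace in enumerate(aces, 1):
        if matches(ace, pkt):
            return ace.action, n
    return "deny", None

ACLS = parse_acl(ACL_TEXT)

def inbound(pkt):   # ACL 101, applied inbound on the external interface
    return evaluate(ACLS[101], pkt)

def outbound(pkt):  # ACL 102, egress from the protected network
    return evaluate(ACLS[102], pkt)

if __name__ == "__main__":
    # Constructed sample traffic: a bare-ACK probe to SMB slips through "established";
    # an inside DNS lookup is dropped by the egress list.
    print(inbound(Packet("tcp", "198.51.100.5", "203.0.113.20", 445, frozenset({"ACK"}))))
    print(outbound(Packet("udp", "203.0.113.20", "198.51.100.53", 53)))
```

The returned pair is the action and the 1-based line of the entry that matched, which makes it easy to see which anti-spoofing or permit line a given packet hit. The evaluator models only the keywords used in the post (any/host/wildcard addresses, eq, established, log and named ICMP types), so extend it before feeding it other ACLs.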
