I need to determine the capabilities of the split tunneling mechanism to restrict a VPN group to a single internal IP address.
Assume the following config for this example:
internal ip 192.168.1.1 255.255.255.0
ip local pool VPNCLT 192.168.100.1-192.168.100.15
access-list VPN-NAT-0 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.240
nat (inside) 0 access-list VPN-NAT-0
vpngroup XXX address-pool VPNCLT
vpngroup XXX split-tunnel VPN-NAT-0
This config assigns the 192.168.100.x address to the remote clients and filters traffic for the tunnel using the NAT 0 access list. Yet the same access list filters the traffic at the other end of the tunnel, separating traffic for the internal network from all other traffic.
What then would be the form of the access list to confine traffic from the remote client to a single internal IP?
Possible solution based on the general example above (assuming 192.168.1.100 is the internal host):
To let IPSec packets bypass interface access lists, use the sysopt connection permit-ipsec command in global configuration mode. Group policy and per-user authorization access lists still apply to the traffic.
With this command disabled, you will need to configure an inbound ACL in order to permit VPN traffic.
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
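To make the effect of the source network and mask in a split-tunnel ACE concrete, here is an added example (not from either post in the thread) that evaluates PIX-style extended ACEs against sample flows. It places the thread's /24 VPN-NAT-0 entry beside a constructed host-scoped entry (ACL name VPN-HOST, mask 255.255.255.255, both my assumptions) and lists which internal hosts each one would tunnel for a client in the VPNCLT pool. PIX ACLs use real subnet masks rather than IOS wildcard masks, which the parser relies on.

```python
"""Evaluate PIX-style extended ACEs against sample flows.

Constructed example for the split-tunnel thread above; not code from the
original posts. Shows how the source/destination network and netmask of
a split-tunnel ACE decide which internal hosts a remote client can reach.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    name: str
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny ip SRC SMASK DST DMASK' (PIX 6.x syntax)."""
    parts = line.split()
    if len(parts) != 8 or parts[0] != "access-list" or parts[3] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    _, name, action, _proto, src, smask, dst, dmask = parts
    # strict=False lets a host address written with a network mask still parse.
    return Ace(
        name,
        action,
        ipaddress.IPv4Network((src, smask), strict=False),
        ipaddress.IPv4Network((dst, dmask), strict=False),
    )


def lookup(acl: list[Ace], src: str, dst: str) -> str:
    """First-match evaluation, with the implicit deny at the end of every ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def tunnelled_hosts(acl: list[Ace], hosts: list[str], client: str) -> list[str]:
    """Internal hosts whose traffic to `client` the split-tunnel ACL permits."""
    return [h for h in hosts if lookup(acl, h, client) == "permit"]


# Constructed ACLs: the thread's /24 split-tunnel ACE beside a host-scoped one
# (the VPN-HOST name and the 255.255.255.255 host mask are assumptions).
NETWORK_ACL = [parse_ace(
    "access-list VPN-NAT-0 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.240")]
HOST_ACL = [parse_ace(
    "access-list VPN-HOST permit ip 192.168.1.100 255.255.255.255 192.168.100.0 255.255.255.240")]

# Constructed sample hosts and a client address from the VPNCLT pool.
INTERNAL_HOSTS = ["192.168.1.1", "192.168.1.50", "192.168.1.100", "192.168.2.10"]
CLIENT = "192.168.100.5"

if __name__ == "__main__":
    for label, acl in (("/24 network ACE", NETWORK_ACL), ("host ACE", HOST_ACL)):
        print(f"{label}: {tunnelled_hosts(acl, INTERNAL_HOSTS, CLIENT)}")
```

The destination half matters as well: a client address outside the 255.255.255.240 pool mask (for example 192.168.100.20) matches neither ACE and falls through to the implicit deny.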