Cisco Support Community

Split tunnel vpn remote access ASA 5520

Hi,

I'm creating a remote access VPN with split tunnel, but I'm using an extended ACL to match a host and the HTTP destination port, and it is not working.

Scenario

Remote access(10.0.0.122/24) -- internet --- Cisco ASA(inside:192.168.10.1/24) --- ip=192.168.10.6 - C6509 - 10.0.0.254/24 --- host = 10.0.0.31/24

The intriguing thing is that when I enable the service IP, connection or ICMP flows worked. Does anyone have any idea what the problem is? Thanks

Regards

Accepted Solution
Cisco Employee

Re: Split tunnel vpn remote access ASA 5520

Split tunneling doesn't take into account the port information you specify in the ACL; it only cares about the IP addresses/networks you defined.

If you are trying to restrict access to IPs and ports, you should define your split tunneling with IP addresses only and use a vpn-filter ACL in the group-policy to restrict it further to the specific ports you want:

access-list split_acl extended permit ip <inside-network> <mask> any
access-list filter_acl extended permit tcp <vpn-pool> <mask> host <server> eq <port>
group-policy <policy-name> attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_acl
 vpn-filter value filter_acl

-heather
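As an added example (not heather's configuration and not from the original thread), the same approach written out for the topology in the question: 10.0.0.0/24 and the host 10.0.0.31 come from the question, while the client pool 172.16.50.0/24 and the names RA_POOL, RA_GP and RA_TG are assumed. Comment lines beginning with `!` are for the reader.

```text
! Constructed ASA configuration for the scenario above (assumed pool and names).

! 1. Split-tunnel list: networks only. Any port you put here is ignored,
!    which is the behaviour the answer describes, so a standard ACL is enough.
access-list split_acl standard permit 10.0.0.0 255.255.255.0

! 2. vpn-filter list: this is where ports are enforced. For a remote-access
!    session the ASA evaluates the ACL with the VPN client (its pool address)
!    as the source and the inside host as the destination; return traffic is
!    tracked statefully, so one line per allowed client-initiated service.
access-list filter_acl extended permit tcp 172.16.50.0 255.255.255.0 host 10.0.0.31 eq 80
! The filter ends in an implicit deny: ICMP and other ports to 10.0.0.0/24
! still enter the tunnel (the split list allows the network) but are dropped
! at the ASA, which is the "tunneled but not working" symptom to expect.

! 3. Bind both lists to the group-policy used by the remote-access tunnel-group.
ip local pool RA_POOL 172.16.50.1-172.16.50.254 mask 255.255.255.0
group-policy RA_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_acl
 vpn-filter value filter_acl
tunnel-group RA_TG general-attributes
 address-pool RA_POOL
 default-group-policy RA_GP

! 4. Verify while a client is connected: the hit count on filter_acl should
!    increase for HTTP to 10.0.0.31. A zero count with failing traffic points
!    at the filter's addresses or direction, not at the split-tunnel list.
show access-list filter_acl
show vpn-sessiondb detail remote
```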

