Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

split-tunneling access-list

Hi,

I have some troubles configuring split-tunneling on ASA 5520.

Here is the scenario:

Number of remote users establish ipsec connection with ASA 5520 (in central office) using ubuntu vpnc-client.

Split-tunneling is in use, to allow remote users to surf Internet using their ISP.

The goal is to remove the possibility to ssh/telnet servers inside corporate LAN for remote users.

Here is a part of config:

group-policy REMOTE_gp internal
group-policy REMOTE_gp attributes
  vpn-idle-timeout none
  vpn-tunnel-protocol IPSec
  group-lock none
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value REMOTE_split

tunnel-group REMOTE type remote-access

tunnel-group REMOTE general-attributes

  authentication-server-group RADIUSGR

  default-group-policy REMOTE_gp

tunnel-group REMOTE ipsec-attributes

  pre-shared-key *

  isakmp keepalive threshold 15 retry 10

aaa-server RADIUSGR protocol radius

aaa-server RADIUSGR (INSIDE_LAN) host 192.168.0.244

access-list REMOTE_split extended deny tcp 192.168.0.0 255.255.255.0 range ssh telnet any

access-list REMOTE_split extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

##192.168.100.0/24 - ip subnetwork where from Radius server allocate ip addresses to remote users##

access-list INSIDE_LAN_in extended deny tcp 192.168.0.0 255.255.255.0 eq ssh 192.168.100.0 255.255.255.0

access-list INSIDE_LAN_in extended deny tcp 192.168.0.0 255.255.255.0 eq telnet 192.168.100.0 255.255.255.0

access-list INSIDE_LAN_in extended permit ip 192.168.0.0 255.255.255.0 any

There is nat enabled on interface, but there is special statement in nat0 ACL for 192.168.100.0 subnetwork

access-list INSIDE_LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

The problem is that remote users can easely ssh and telnet servers in INSIDE_LAN network. Whatever i put in INSIDE_LAN_in ACL, remote users still have full access to this network. Restrictions in REMOTE_split ACL don't work either.

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

split-tunneling access-list

You would need to configure vpn-filter instead to block telnet and ssh access as follows:

access-list remote-filter deny tcp 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 22

access-list remote-filter deny tcp 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 23

access-list remote-filter permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

group-policy REMOTE_gp attributes

   vpn-filter value remote-filter

The split tunnel acl should only have the following statement and it should be standard acl instead of extended:

access-list REMOTE_split permit 192.168.0.0 255.255.255.0

Hope that helps.

2 REPLIES
Cisco Employee

split-tunneling access-list

You would need to configure vpn-filter instead to block telnet and ssh access as follows:

access-list remote-filter deny tcp 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 22

access-list remote-filter deny tcp 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 23

access-list remote-filter permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

group-policy REMOTE_gp attributes

   vpn-filter value remote-filter

The split tunnel acl should only have the following statement and it should be standard acl instead of extended:

access-list REMOTE_split permit 192.168.0.0 255.255.255.0

Hope that helps.

Community Member

split-tunneling access-list

Thank you very much, you helped me a lot!

2556
Views
0
Helpful
2
Replies
CreatePlease to create content