Cisco Support Community
New Member

Split-tunneling/ACL IP-conflict

Hi everyone, I'm in need of some clarification regarding a split-tunnel/acl situation that has arisen.

I want to give the user the secured route of 192.168.0.0/16 when he VPNs to the ASA5510.

The user, on the other hand, has 192.168.1.0/24 as his home network and will lose his local LAN access when VPN'ing?

I can't exclude the 192.168.1.0/24 range in my ASA5510 ACL just for this user.

What do I do? (The user can't change his internal network.) Do I tell him 'tough luck' or what? :)

Thanks

4 REPLIES
Green

Re: Split-tunneling/ACL IP-conflict

You could allow local lan access.

access-list Local_LAN_Access standard permit host 0.0.0.0
group-policy vpn attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access

Also check "Allow local lan" on the client config. Using the host 0.0.0.0 in the acl will exclude whichever local subnet the vpn user is on. The user would of course lose any access to 192.168.1.x on the remote lan.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml

Please rate helpful posts.

New Member

Re: Split-tunneling/ACL IP-conflict

Hi, and thanks for the answer.

A small follow-up question:

Can you exclude the user's internet also with a similar command?

And "Also check "Allow local lan" on the client config" - does this really affect anything? I have been trying around with it but don't notice any changes?

Thanks a lot

Green

Re: Split-tunneling/ACL IP-conflict

"Can you exclude the user's internet also with a similar command?"

-By this do you mean you want them to have internet access locally? If so, yes you can create the following, if you only want to tunnel to 10.0.1.0...

access-list Split_Tunnel_List standard permit 10.0.1.0 255.255.255.0
group-policy vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List

"And "Also check "Allow local lan" on the client config" - does this really affect anything? I have been trying around with it but don't notice any changes?"

-If you have created the "excludespecified" split-tunnel-policy to have local lan access you need to also check the box on the vpn client for it to work.

New Member

Re: Split-tunneling/ACL IP-conflict

Hi, I think I misled you with my former question.

What I meant was: can I exclude the user's home network + internet at the same time?

As in 192.168.1.0/24 + his own internet, and still give him the secure routes of 192.168.0.0/16 at the same time?

I understand the difference between exclude and tunnelspecified, but you can't combine them at the same time? A bit confusing :)

Thanks for the help!
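To make the two split-tunnel policies discussed in this thread concrete, here is an added example (not from the thread, the poster, or Cisco) that models how a group policy set to tunnelspecified versus excludespecified routes the destinations the original poster cares about: the home LAN, the internet, and the 192.168.0.0/16 corporate range. The probe addresses, the "corporate 192.168.1.20" host and the policy model itself are constructed assumptions based on the behaviour the replies describe.

```python
from ipaddress import ip_address, ip_network

# "permit host 0.0.0.0" in the ACL: stands for the client's own local subnet.
LOCAL_LAN_WILDCARD = ip_network("0.0.0.0/32")

def effective_list(network_list, client_subnet):
    """Expand 'host 0.0.0.0' to the client's subnet (the Allow Local LAN Access case)."""
    client = ip_network(client_subnet)
    nets = [ip_network(n) for n in network_list]
    return [client if n == LOCAL_LAN_WILDCARD else n for n in nets]

def path_for(dest, policy, network_list, client_subnet):
    """Return 'tunnel' or 'local' for dest under a split-tunnel policy.

    tunnelspecified: only listed networks go through the tunnel.
    excludespecified: everything goes through the tunnel except listed networks.
    This is a model of the ASA behaviour described in the thread, not ASA code.
    """
    dest = ip_address(dest)
    listed = any(dest in n for n in effective_list(network_list, client_subnet))
    if policy == "tunnelspecified":
        return "tunnel" if listed else "local"
    if policy == "excludespecified":
        return "local" if listed else "tunnel"
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")

# Constructed probes for the thread's scenario: corporate 192.168.0.0/16 vs home 192.168.1.0/24.
HOME_LAN = "192.168.1.0/24"
PROBES = {
    "home printer 192.168.1.50": "192.168.1.50",            # user wants this local
    "internet 8.8.8.8": "8.8.8.8",                          # user wants this local
    "corporate 192.168.200.10": "192.168.200.10",           # must be tunnelled
    "corporate 192.168.1.20 (overlaps home)": "192.168.1.20",  # the conflict case
}

def evaluate(policy, network_list, client_subnet=HOME_LAN):
    """Map each probe to the path it takes under one policy and network list."""
    return {name: path_for(ip, policy, network_list, client_subnet)
            for name, ip in PROBES.items()}

if __name__ == "__main__":
    # The OP's secured route vs Green's Local_LAN_Access suggestion: each satisfies
    # a different subset of the user's goals, since a group policy has one policy.
    for policy, acl in [("tunnelspecified", ["192.168.0.0/16"]),
                        ("excludespecified", ["0.0.0.0/32"])]:
        print(policy, evaluate(policy, acl))
```

Running it shows that tunnelspecified with 192.168.0.0/16 captures the home LAN into the tunnel, while excludespecified with host 0.0.0.0 keeps the home LAN local but sends the internet through the tunnel and hides the overlapping corporate 192.168.1.x hosts, which is the trade-off the replies describe.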
