We have a group of VPN users that is connecting to the VPN using at least Cisco VPN 5.0.01.0600 or newer. Once connected to the VPN they do not have access to the internet, and we would like to keep it this way for security reasons. This group of VPN users now has additional needs. This VPN group needs to stay connected to the VPN and not lose connectivity to a particular range of network internally (a peer-to-peer non-routable address). Through research it appears that we can specify the allowed network on the split tunnel. Our goal is to allow this group of users connectivity to the range of IPs when connecting to the VPN and to exclude the internet at large.
Does anyone have pointers for me or would know of any issues I would run into? Should I be worried about split DNS?
You can create a group-policy where you define if you want to tunnel all traffic (no split tunneling), tunnel just specified networks (split tunneling), or just exclude a list of networks.
Under the group-policy, you specify the split-tunnel-policy and then the split-tunnel-network-list:
ASA(config-group-policy)# split-tunnel-policy ?

group-policy mode commands/options:
  excludespecified  Exclude only networks specified by split-tunnel-network-list
  tunnelall         Tunnel everything
  tunnelspecified   Tunnel only networks specified by split-tunnel-network-list
Basically this involves installing routes on the clients. You'll have to configure a split-tunnel-network-list longhand to define all networks except their internal network. You cannot IIRC use deny statements in that access list.
I've described the way it works here, and it will only work for certain clients:
Also, I recently discovered that using "no sysopt connection permit-vpn" breaks this, and so far I cannot figure out if there is a solution by adding ACEs to interfaces/crypto-maps/etc. (the obvious one does not work).
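As an added example (not code from this thread or from Cisco), here is a small Python script that builds the longhand split-tunnel-network-list the answer refers to: because a standard ACL used as a split-tunnel-network-list only takes permit entries, it computes the CIDR blocks that cover every IPv4 address except the range that should stay local, then emits the ACL and group-policy lines for a tunnelspecified policy. The ACL name, group-policy name and the 192.168.77.0/24 range are placeholders.

```python
import ipaddress

# Constructed placeholders, not values from the thread: the ACL/group-policy
# names and the "keep local" peer-to-peer range are assumptions for this demo.
ACL_NAME = "SPLIT_TUNNEL_LIST"
POLICY_NAME = "P2P_VPN_USERS"
LOCAL_P2P_RANGE = "192.168.77.0/24"


def complement_networks(excluded):
    """Return the minimal IPv4 CIDR list covering everything *except* `excluded`.

    ASA standard ACLs used as a split-tunnel-network-list take permit entries
    only, so "tunnel all but X" has to be spelled out longhand; this computes
    that list instead of hand-typing ~24 entries for a single /24 hole.
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in (ipaddress.ip_network(n) for n in excluded):
        nxt = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                              # entirely inside the hole: drop
            if ex.subnet_of(net):
                nxt.extend(net.address_exclude(ex))   # carve the hole out of this block
            else:
                nxt.append(net)                       # disjoint: keep as-is
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def asa_split_tunnel_config(policy, acl_name, excluded):
    """Render the ACL plus group-policy lines for a tunnelspecified policy."""
    lines = [
        f"access-list {acl_name} standard permit {n.network_address} {n.netmask}"
        for n in complement_networks(excluded)
    ]
    lines += [
        f"group-policy {policy} internal",
        f"group-policy {policy} attributes",
        " split-tunnel-policy tunnelspecified",
        f" split-tunnel-network-list value {acl_name}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(asa_split_tunnel_config(POLICY_NAME, ACL_NAME, [LOCAL_P2P_RANGE]))
```

Everything in the generated list is sent through the tunnel (and is then subject to whatever the ASA permits), while the excluded range is reached via the client's local interface; as the answer notes, whether the client honours that depends on the client.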