topic Split Tunnel VPN in Network Security

Split Tunnel VPN

mahesh18 — Tue, 12 Mar 2019 03:26:43 GMT

Hi Everyone,

When we use Remote VPN to connect to Company Network and tunnel is build up and we can access the company resources.

When we need to access the internet it checks the ACL in the ASA and point it to outside world.

Need to confirm this technology is called Split VPN?

What command i can run on ASA to check if split tunnel is used?

Or should o look for ACL?

Regards

MAhesh

Split Tunnel VPN

Julio Carvajal — Wed, 08 Jan 2014 18:48:40 GMT

No need to check ACL for the outside interface (unless direction out)

Split Tunnel will let you configure which traffic will be sent over the VPN tunnel.

So if you want to send all traffic via the tunnel leave it default. If is not the case configure an ACL and include only the IP destination address that traffic will be sent via the Tunnel

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Split Tunnel VPN

Jouni Forss — Wed, 08 Jan 2014 20:00:50 GMT

Hi,

To determine whether you are using Split Tunnel or Full Tunnel VPN and you want to determine that through the ASA configurations you should first list the "tunnel-group" configurations

show run tunnel-group

This will list all the different type of VPN configurations on your ASA (Even the L2L VPN between sites)

Next you should find the "tunnel-group" that you are using for the VPN Client

When you find the "tunnel-group" that you are using then you should check if it has a the following value under it

tunnel-group general-attributes

default-group-policy

If it has the "default-group-policy" set then you have to check the that "group-policy" configuration with command

show run group-policy

This will possibly list following values

split-tunnel-policy tunneall

split-tunnel-policy tunnelspecified

split-tunnel-network-list

Naturally of the above the first clearly shows that Full Tunnel VPN would be used an all traffic would be sent through the VPN. I also think that if the "group-policy" doesnt make any mention of the above configurations it will also mean that you are using Full Tunnel VPN.

The second output would tell you that you are tunneling only specific networks that are defined in the ACL used in the second command. This would naturally be called Split Tunnel VPN

I would also take note that if using LOCAL authentication on the ASA for the VPN user then the "group-policy" could be attached even to the "username"

You could check if its so with the command

show run username

You could naturally also tell which type of VPN you are using simply connecting the VPN connection and finding the Routes/Secured Routes section and look at the Secured Routes output.

If it only mentions 0.0.0.0 then its Full Tunnel
If it mentions specific networks its Split Tunnel

You are saying that when you are trying to access the Internet from the VPN Client you can see an ACL being checked on the ASA and traffic sent to the external/public network? If this is true it would seem that you are using Full Tunnel VPN if even Internet traffic is coming through the VPN Connection first.

You seeing an ACL check would also mean that you have configured the ASA in a way that even incoming connections through a VPN are being checked against ACL. This might be an interface ACL on the "outside" or perhaps a VPN Filter configuration?

- Jouni

Split Tunnel VPN

mahesh18 — Wed, 08 Jan 2014 21:08:17 GMT

Hi Jouni,

Going step by step

sh run tunnel-group shows

tunnel-group TunnelGroupX type remote-access

tunnel-group GrpX type remote-access

tunnel-group GrpX general-attributes

tunnel-group GrpCorp001 type remote-access

tunnel-group GrpCorp001 general-attributes

default-group-policy CorpGroupPolicy

tunnel-group GrpCorp001 ipsec-attributes

Seems it has 2 tunnel groups which are defined right?

Also it has single default policy so this policy is used by all the VPN clients right?

I checked

show run group-policy

does not show split tunnel anywhere so seems all Internet traffic is going via Corp Network right?

Regards

MAhesh

Split Tunnel VPN

Jouni Forss — Wed, 08 Jan 2014 21:18:18 GMT

Hi,

It seems there is 3 "tunnel-group" above for "remote-access"

2 of them seem to have no "group-policy" so they use the default one on the ASA that unchanged means Full Tunnel

1 of the "tunnel-group" has a "group-policy" and it doesnt seem to list any Split Tunnel configurations I mentioned above so it would mean its Full Tunnel too.

It would seem all 3 "tunnel-group" are therefore using Full Tunnel

- Jouni

Split Tunnel VPN

mahesh18 — Wed, 08 Jan 2014 21:30:44 GMT

Hi Jouni,

When i use Remote VPN to connect how can i know which tunnel group i will be hitting?

Regards

Mahesh

Split Tunnel VPN

Jouni Forss — Wed, 08 Jan 2014 21:41:50 GMT

It depends,

If you are using AnyConnect SSL VPN Client then you would typically see the "tunnel-group" name if in the AnyConnect VPN Clients drop down menu when you are connecting to the ASA. Though I guess the name might even be an alias for the "tunnel-group" name also.

If you are using the Cisco VPN Client (IPsec Client) then the "tunnel-group" is configured under the Connection Entry

Here is the Main Window

Choose the Connection Entry that you are using and click the Modify -button above

As you can see from the above, the "Name" field contains the name of the "tunnel-group" used. The value inserted to the "Password" fields would be the Pre Shared Key that you have configured in the "tunnel-group" on the ASA

Hope this helps

- Jouni

Split Tunnel VPN

mahesh18 — Wed, 08 Jan 2014 21:53:55 GMT

Hi Jouni,

Yes i saw the name when i click on modify.

Seems its lot of info for today.

Best regards

MAhesh