topic Split tunnel VPN in Network Security

Split tunnel VPN

Liam Dwyer — Tue, 12 Mar 2019 03:07:38 GMT

This is a 2 part question...

How many split tunnel VPN's can a ASA5510 handle?

What are the necessary commands/steps to setting one up?

I have not done this in a while and I want to make I don't mess it up.

thanks

Split tunnel VPN

jumora — Wed, 20 Nov 2013 21:52:05 GMT

Configuration on the ASA is based on memory not amount but the limit of ACE within a split tunnel are the next:

Limitation with Number of Entries in a Split Tunnel ACL

There is a restriction with the number of entries in an ACL used for split tunnel. It is recommended not to use more than 50-60 ACE entries for satisfactory functionality. You are advised to implement the subnetting feature to cover a range of IP addresses.

ASA/PIX: Allow Split Tunneling for VPN Clients on the ASA Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

ASA 8.x : Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml

Look at the next video:

http://tools.cisco.com/squish/653799

Split tunnel VPN

Liam Dwyer — Wed, 20 Nov 2013 21:56:14 GMT

apologies this is for a business to business split tunnel vpn.

should have said that to begin with...

Split tunnel VPN

jumora — Wed, 20 Nov 2013 22:06:00 GMT

In that case I would just remove the "sysopt connection permit VPN" from the ASA and configure ACL on the interface where the tunnel terminates to filter out the traffic.

That would be my suggestion

Split tunnel VPN

Liam Dwyer — Thu, 21 Nov 2013 20:25:58 GMT

Okay but this doesnt cover all the commands to configure or set up the peer to peer, correct?

Split tunnel VPN

jumora — Thu, 21 Nov 2013 20:58:27 GMT

If you remove the sysopt connection permit VPN traffic that is related to VPN needs to be filtered through normal ACL and access-group on the interface where you configure the tunnel.

How to configure the ASA for LAN to LAN IPSec:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

Most Common L2L and Remote Access IPsec VPN Troubleshooting Solutions

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Value our effort and rate the assistance!

Split tunnel VPN

Julio Carvajal — Fri, 22 Nov 2013 06:28:38 GMT

Use a VPN-Filter then! Where you could even match Port-Information

Regards

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Split tunnel VPN

Marius Gunnerud — Fri, 22 Nov 2013 07:39:25 GMT

I am not sure I follow exactly what you want to do. Do you just want to set up split tunneling plain and simple, or do you want split VPN as well as restricting access to resources on your network?

Setting up split tunneling is basically done by defining the interesting traffic which is to be encrypted on a L2L setup. Here is a sample of how it would be set up on an ASA running version 8.3 or higher.

access-list cryptoACL extended permit ip 10.10.10.0 255.255.255.0 11.11.11.0 255.255.255.0

crypto ipsec ikev1 transform-set SET esp-aes esp-sha-hmac

crypto map MAP 5 match address cryptoACL

crypto map MAP 5 set peer

crypto map MAP 5 set ikev1 transform-set SET

crypto map MAP interface outside

crypto ikev1 enable outside

crypto ikev1 policy 5

authentication pre-share

encryption aes

hash sha

group 2

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

ikev1 pre-shared-key

object network LOCAL_LAN

subnet 10.10.10.0 255.255.255.0

object network REMOTE_LAN

subnet 11.11.11.0 255.255.255.0

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN

If you want to do VPN filtering then we would need to add some more commands to this.