topic Split Tunnel question in Network Security

Split Tunnel question

Kevin Melton — Mon, 11 Mar 2019 19:42:38 GMT

Given the following statements which is a configuration line from one of my clients ASA boxes:

access-list split-tunnel standard permit 192.168.14.0 255.255.255.0
access-list split-tunnel standard permit 192.168.3.0 255.255.255.0
access-list split-tunnel standard permit 192.168.4.0 255.255.255.0
access-list split-tunnel standard permit 192.168.5.0 255.255.255.0
access-list split-tunnel standard permit 192.168.6.0 255.255.255.0
access-list split-tunnel standard permit 192.168.10.0 255.255.255.0
access-list split-tunnel standard permit 192.168.11.0 255.255.255.0
access-list split-tunnel standard permit 192.168.20.0 255.255.255.0
access-list split-tunnel standard permit 192.168.25.0 255.255.255.0
access-list split-tunnel standard permit 198.100.100.0 255.255.255.0
access-list split-tunnel standard permit 172.16.1.0 255.255.255.0
access-list split-tunnel standard permit 192.168.50.0 255.255.255.0

All of the networks that you see in the ACL above are inside networks. The VPN client gets assigned an IP address of 10.10.1.X. Do these statements simply allow the 10.10.1.x vpn network to talk to the listed networks in the ACL. Does this mean that this is the only traffic allowed, and that traffic such as the Remote user connecting to the Internet is handled by the ISP?

thx

Kevin

Re: Split Tunnel question

Jennifer Halim — Mon, 31 Jan 2011 16:03:07 GMT

Yes, you are absolutely correct.

Only networks in the split tunnel access-list will be encrypted and routed through the VPN tunnel from the remote client towards those specific networks. Traffic which are not specified in the access-list (eg: internet traffic) will be routed in clear text directly out through the remote client ISP/internet provider.

Re: Split Tunnel question

Kevin Melton — Mon, 31 Jan 2011 16:13:16 GMT

Thanks for the prompt response Jennifer. The next question would be, and this

is altogehter hypothetical, but if we wanted to force ALL traffic thru the VPN tunnel once the remote clien

t connected, what statement would I put on the ACL to effect this?

Thanks!

Kevin

Re: Split Tunnel question

Jennifer Halim — Mon, 31 Jan 2011 16:22:29 GMT

If you would like to send all traffic towards the VPN tunnel, then you do not need split tunnel. What you would need is called tunnelall.

Currently under the vpn client group-policy, you would have the following 2 configuration lines for split tunneling:

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split-tunnel

If you would like to send all traffic towards the VPN tunnel, then you would need to change the split tunnel policy to be as follows:

split-tunnel-policy tunnelall

and also remove the "split-tunnel-network-list value split-tunnel" command line.

If you are going to change it to tunnelall, how are you going to route the internet traffic from the remote vpn client pool subnet once it reaches the ASA? Will it go through an internal proxy server? or are you going to route it directly out from the ASA (u-turn on the outside interface)?

If you are going to perform u-turn on the ASA for the internet traffic from the vpn client, then you would need to configure the following as well:

same-security-traffic permit intra-interface

Then assuming that you already have a "global (outside)" statement, you would need to configure the corresponding "nat (outside)" statement for the vpn client subnet.

Hope that helps.

Re: Split Tunnel question

Kevin Melton — Mon, 31 Jan 2011 16:42:42 GMT

Jennifer

The question was hypothetical. I was simply trying to understand the technology better. We are not going to change anything at this time.

Thanks again for your responses!

Kevin