https://community.cisco.com/t5/network-security/webvpn-split-tunnel-w-extended-acl/m-p/1009202#M918781 <HTML><HEAD></HEAD><BODY><P>So I found a fix....</P><P></P><P>You need to define and match on a standard wide open network and or host acl and then use the 'vpn-filter value' command to get granular on the standard one you created. If that doesn't make sense here's the config....</P><P></P><P>ASA# sh run | begin group-policy Company-ABC-WebVPN internal</P><P>group-policy Company-ABC-WebVPN internal</P><P>group-policy Company-ABC-WebVPN attributes</P><P> dns-server value 192.168.0.21 192.168.0.11</P><P> vpn-access-hours none</P><P> vpn-simultaneous-logins 10</P><P> vpn-filter value Company-ABC-Access-VPN-Network-List</P><P> vpn-tunnel-protocol webvpn</P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value Company-ABC-NONSPECIFIC-Access-VPN-Network-List</P><P> address-pools value Remote-Access-VPN-Pool</P><P> webvpn</P><P> functions url-entry file-access file-entry file-browsing port-forward auto-download</P><P> url-list value Company-ABC</P><P> port-forward value Company-ABC-Access</P><P> port-forward-name value Application Access</P><P> svc enable</P><P> svc keep-installer installed</P><P>!</P><P>access-list Company-ABC-Access-VPN-Network-List remark Allow VPN Access to Demo-DMZ</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq 5802</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq 5902</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq 8080</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq ssh</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq 5802</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq 5902</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq 8080</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq ssh</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.148 eq 3389</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.131 eq 3389</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.135 eq 3389</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 192.168.0.11 eq domain</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 192.168.0.21 eq domain</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit udp any host 192.168.0.11 eq domain</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit udp any host 192.168.0.21 eq domain</P><P>!</P><P>access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List remark Allow VPN Access to Demo-DMZ</P><P>access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit 1.1.1.128 255.255.255.224</P><P>access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit host 192.168.0.21</P><P>access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit host 192.168.0.11</P><P>!</P><P></P><P>thx,</P><P>scott</P></BODY></HTML> Sat, 07 Jun 2008 17:28:26 GMT scottlivingston 2008-06-07T17:28:26Z https://community.cisco.com/t5/network-security/webvpn-split-tunnel-w-extended-acl/m-p/1009201#M918780 <P>ASA 7.2.3 code / ASDM 5.2</P><P>Yesterday I converted a customer from the WebVPN portal to the SVC client (sslclient-win-1.1.4.179). I must of spent 2hrs trying to figure out why the split tunneling wasn't working. I had the acl configured for the tunnel networks and had it tied to the group policy - nothing I tried seemed to fix this problem! The SVC client said that split tunneling was NOT enabled and I confirmed that all client traffic was in fact being tunneled via this VPN policy.</P><P></P><P>It wasn't until someone pointed out to me that they remember a problem w/ matching on extended acl's vs just a standard network acl. I converted the extended acl to a standard and WOLA it worked!</P><P></P><P>So, now I'm at a standstill I do not want to configure it this way as I want to be very granular in what is allowed to specific machines - rather than just opening up specific host(s) and or network(s).</P><P></P><P>Is this a bug? How can I configure this so that I'm only allowing specific protocols to specific hosts?</P><P></P><P>BTW: the only reason I converted this customer over was the fact that DEP in SP2 Windows was jacking up their connectivity. There is a bug out there on this w/ CSD 3.1.1.45.</P><P></P><P>Thank You,</P><P>scott</P><P></P> Mon, 11 Mar 2019 12:56:19 GMT https://community.cisco.com/t5/network-security/webvpn-split-tunnel-w-extended-acl/m-p/1009201#M918780 scottlivingston 2019-03-11T12:56:19Z https://community.cisco.com/t5/network-security/webvpn-split-tunnel-w-extended-acl/m-p/1009202#M918781 <HTML><HEAD></HEAD><BODY><P>So I found a fix....</P><P></P><P>You need to define and match on a standard wide open network and or host acl and then use the 'vpn-filter value' command to get granular on the standard one you created. If that doesn't make sense here's the config....</P><P></P><P>ASA# sh run | begin group-policy Company-ABC-WebVPN internal</P><P>group-policy Company-ABC-WebVPN internal</P><P>group-policy Company-ABC-WebVPN attributes</P><P> dns-server value 192.168.0.21 192.168.0.11</P><P> vpn-access-hours none</P><P> vpn-simultaneous-logins 10</P><P> vpn-filter value Company-ABC-Access-VPN-Network-List</P><P> vpn-tunnel-protocol webvpn</P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value Company-ABC-NONSPECIFIC-Access-VPN-Network-List</P><P> address-pools value Remote-Access-VPN-Pool</P><P> webvpn</P><P> functions url-entry file-access file-entry file-browsing port-forward auto-download</P><P> url-list value Company-ABC</P><P> port-forward value Company-ABC-Access</P><P> port-forward-name value Application Access</P><P> svc enable</P><P> svc keep-installer installed</P><P>!</P><P>access-list Company-ABC-Access-VPN-Network-List remark Allow VPN Access to Demo-DMZ</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq 5802</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq 5902</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq 8080</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.145 eq ssh</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq 5802</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq 5902</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq 8080</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.147 eq ssh</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.148 eq 3389</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.131 eq 3389</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 1.1.1.135 eq 3389</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 192.168.0.11 eq domain</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit tcp any host 192.168.0.21 eq domain</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit udp any host 192.168.0.11 eq domain</P><P>access-list Company-ABC-Access-VPN-Network-List extended permit udp any host 192.168.0.21 eq domain</P><P>!</P><P>access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List remark Allow VPN Access to Demo-DMZ</P><P>access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit 1.1.1.128 255.255.255.224</P><P>access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit host 192.168.0.21</P><P>access-list Company-ABC-NONSPECIFIC-Access-VPN-Network-List standard permit host 192.168.0.11</P><P>!</P><P></P><P>thx,</P><P>scott</P></BODY></HTML> Sat, 07 Jun 2008 17:28:26 GMT https://community.cisco.com/t5/network-security/webvpn-split-tunnel-w-extended-acl/m-p/1009202#M918781 scottlivingston 2008-06-07T17:28:26Z https://community.cisco.com/t5/network-security/webvpn-split-tunnel-w-extended-acl/m-p/1009203#M918784 <HTML><HEAD></HEAD><BODY><P>I was having the exact same problem. So glad I found your post. Works great!</P></BODY></HTML> Thu, 31 Jul 2008 16:00:04 GMT https://community.cisco.com/t5/network-security/webvpn-split-tunnel-w-extended-acl/m-p/1009203#M918784 kristyorr 2008-07-31T16:00:04Z https://community.cisco.com/t5/network-security/webvpn-split-tunnel-w-extended-acl/m-p/1009204#M918786 <HTML><HEAD></HEAD><BODY><P>Awesome - glad it helped. We have tied this to others and it's still a solid solution for us as well.</P><P></P><P>scott</P><P></P></BODY></HTML> Thu, 31 Jul 2008 16:14:44 GMT https://community.cisco.com/t5/network-security/webvpn-split-tunnel-w-extended-acl/m-p/1009204#M918786 scottlivingston 2008-07-31T16:14:44Z