01-31-2011 07:56 AM - edited 03-11-2019 12:42 PM
Given the following statements, which are configuration lines from one of my clients' ASA boxes:
access-list split-tunnel standard permit 192.168.14.0 255.255.255.0
access-list split-tunnel standard permit 192.168.3.0 255.255.255.0
access-list split-tunnel standard permit 192.168.4.0 255.255.255.0
access-list split-tunnel standard permit 192.168.5.0 255.255.255.0
access-list split-tunnel standard permit 192.168.6.0 255.255.255.0
access-list split-tunnel standard permit 192.168.10.0 255.255.255.0
access-list split-tunnel standard permit 192.168.11.0 255.255.255.0
access-list split-tunnel standard permit 192.168.20.0 255.255.255.0
access-list split-tunnel standard permit 192.168.25.0 255.255.255.0
access-list split-tunnel standard permit 198.100.100.0 255.255.255.0
access-list split-tunnel standard permit 172.16.1.0 255.255.255.0
access-list split-tunnel standard permit 192.168.50.0 255.255.255.0
All of the networks that you see in the ACL above are inside networks. The VPN client gets assigned an IP address of 10.10.1.X. Do these statements simply allow the 10.10.1.x VPN network to talk to the listed networks in the ACL? Does this mean that this is the only traffic allowed, and that traffic such as the remote user connecting to the Internet is handled by the ISP?
thx
Kevin
Solved! Go to Solution.
01-31-2011 08:22 AM
If you would like to send all traffic towards the VPN tunnel, then you do not need split tunnel. What you would need is called tunnelall.
Currently under the vpn client group-policy, you would have the following 2 configuration lines for split tunneling:
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
If you would like to send all traffic towards the VPN tunnel, then you would need to change the split tunnel policy to be as follows:
split-tunnel-policy tunnelall
and also remove the "split-tunnel-network-list value split-tunnel" command line.
If you are going to change it to tunnelall, how are you going to route the internet traffic from the remote VPN client pool subnet once it reaches the ASA? Will it go through an internal proxy server? Or are you going to route it directly out from the ASA (u-turn on the outside interface)?
If you are going to perform u-turn on the ASA for the internet traffic from the vpn client, then you would need to configure the following as well:
same-security-traffic permit intra-interface
Then assuming that you already have a "global (outside)" statement, you would need to configure the corresponding "nat (outside)" statement for the vpn client subnet.
Hope that helps.
01-31-2011 08:03 AM
Yes, you are absolutely correct.
Only networks in the split tunnel access-list will be encrypted and routed through the VPN tunnel from the remote client towards those specific networks. Traffic which is not specified in the access-list (e.g. internet traffic) will be routed in clear text directly out through the remote client's ISP/internet provider.
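To make the behaviour described above (and the tunnelall alternative from the accepted answer) concrete, here is an added example that models how a client decides whether a packet goes into the tunnel or out to the local ISP. This is illustration code written for this thread, not Cisco code and not the ASA's actual implementation. It parses standard ACL lines in the `access-list <name> standard permit <net> <mask>` form shown in the question and applies the three `split-tunnel-policy` values the ASA supports: `tunnelspecified` (thread), `tunnelall` (accepted answer) and `excludespecified`, which is not mentioned in the thread and is included here as a generalization; the ACL excerpt and the destination addresses are constructed sample data.

```python
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List

# Constructed excerpt of the split-tunnel ACL from the question (ASA standard
# ACLs use network + netmask, not an IOS-style wildcard mask).
SPLIT_TUNNEL_ACL = """
access-list split-tunnel standard permit 192.168.14.0 255.255.255.0
access-list split-tunnel standard permit 192.168.3.0 255.255.255.0
access-list split-tunnel standard permit 192.168.50.0 255.255.255.0
access-list split-tunnel standard permit 198.100.100.0 255.255.255.0
access-list split-tunnel standard permit 172.16.1.0 255.255.255.0
"""

VALID_POLICIES = ("tunnelspecified", "tunnelall", "excludespecified")


def parse_standard_acl(text: str, name: str) -> List[ipaddress.IPv4Network]:
    """Collect the networks permitted by the named standard ACL.

    Lines that belong to a different ACL, are not 'standard', or are 'deny'
    entries are ignored, which mirrors what a split-tunnel list actually uses.
    """
    nets: List[ipaddress.IPv4Network] = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 6 or parts[0] != "access-list" or parts[1] != name:
            continue
        _, _, kind, action, net, mask = parts
        if kind != "standard" or action != "permit":
            continue
        nets.append(ipaddress.IPv4Network(f"{net}/{mask}", strict=False))
    return nets


def classify(dst: str, policy: str, split_nets: Iterable[ipaddress.IPv4Network]) -> str:
    """Return 'tunnel' if the client sends dst into the IPsec tunnel, else 'clear'.

    'clear' means the packet leaves the remote host's own ISP uplink unencrypted
    and never reaches the ASA, so no corporate policy is applied to it.
    """
    if policy not in VALID_POLICIES:
        raise ValueError(f"unknown split-tunnel-policy {policy!r}")
    if policy == "tunnelall":
        return "tunnel"            # everything, internet included, hits the ASA
    addr = ipaddress.IPv4Address(dst)
    listed = any(addr in net for net in split_nets)
    if policy == "tunnelspecified":
        return "tunnel" if listed else "clear"   # list = what IS tunneled
    return "clear" if listed else "tunnel"       # excludespecified: list = what is NOT


def route_summary(dsts: Iterable[str], policy: str,
                  split_nets: Iterable[ipaddress.IPv4Network]) -> Dict[str, int]:
    """Count how many destinations go 'tunnel' vs 'clear' under a policy.

    Useful when reviewing a config: a large 'clear' count under tunnelspecified
    is exactly the traffic the ASA never sees.
    """
    nets = list(split_nets)
    return dict(Counter(classify(d, policy, nets) for d in dsts))


if __name__ == "__main__":
    nets = parse_standard_acl(SPLIT_TUNNEL_ACL, "split-tunnel")
    # Constructed sample destinations: two inside hosts, one public web server.
    sample = ["192.168.14.7", "172.16.1.200", "198.51.100.10"]
    for policy in VALID_POLICIES:
        print(policy, route_summary(sample, policy, nets))
```

Run as a script, the summary shows the point of the thread: under `tunnelspecified` only the inside destinations are tunneled and the public address goes `clear`, while under `tunnelall` all three are tunneled, which is why the accepted answer then asks how the ASA will route that internet traffic (proxy or u-turn with `same-security-traffic permit intra-interface` and a matching NAT entry).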
01-31-2011 08:13 AM
Thanks for the prompt response Jennifer. The next question would be, and this is altogether hypothetical, but if we wanted to force ALL traffic through the VPN tunnel once the remote client connected, what statement would I put on the ACL to effect this?
Thanks!
Kevin
01-31-2011 08:42 AM
Jennifer
The question was hypothetical. I was simply trying to understand the technology better. We are not going to change anything at this time.
Thanks again for your responses!
Kevin