01-08-2014 09:41 AM - edited 03-11-2019 08:26 PM
Hi Everyone,
When we use Remote VPN to connect to the Company Network, the tunnel is built up and we can access the company resources.
When we need to access the Internet it checks the ACL in the ASA and points it to the outside world.
Need to confirm this technology is called Split VPN?
What command can I run on the ASA to check if split tunnel is used?
Or should I look for the ACL?
Regards
MAhesh
01-08-2014 10:48 AM
No need to check the ACL for the outside interface (unless direction out).
Split Tunnel will let you configure which traffic will be sent over the VPN tunnel.
So if you want to send all traffic via the tunnel, leave it default. If that is not the case, configure an ACL and include only the destination IP addresses whose traffic will be sent via the Tunnel.
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-08-2014 12:00 PM
Hi,
To determine whether you are using Split Tunnel or Full Tunnel VPN through the ASA configuration, you should first list the "tunnel-group" configurations:
show run tunnel-group
This will list all the different types of VPN configurations on your ASA (even the L2L VPN between sites).
Next you should find the "tunnel-group" that you are using for the VPN Client.
When you find the "tunnel-group" that you are using, then you should check if it has the following value under it:
tunnel-group
default-group-policy
If it has the "default-group-policy" set, then you have to check that "group-policy" configuration with the command:
show run group-policy
This will possibly list following values
split-tunnel-policy tunnelall
or
split-tunnel-policy tunnelspecified
split-tunnel-network-list
Naturally, of the above, the first clearly shows that Full Tunnel VPN would be used and all traffic would be sent through the VPN. I also think that if the "group-policy" doesn't make any mention of the above configurations, it will also mean that you are using Full Tunnel VPN.
The second output would tell you that you are tunneling only the specific networks that are defined in the ACL used in the second command. This would naturally be called Split Tunnel VPN.
I would also take note that if using LOCAL authentication on the ASA for the VPN user then the "group-policy" could be attached even to the "username"
You could check if its so with the command
show run username
You could naturally also tell which type of VPN you are using simply by connecting the VPN and finding the Routes/Secured Routes section and looking at the Secured Routes output.
You are saying that when you are trying to access the Internet from the VPN Client you can see an ACL being checked on the ASA and traffic sent to the external/public network? If this is true, it would seem that you are using Full Tunnel VPN, if even Internet traffic is coming through the VPN connection first.
If you are seeing an ACL check, that would also mean that you have configured the ASA in a way that even incoming connections through a VPN are being checked against an ACL. This might be an interface ACL on the "outside" or perhaps a VPN Filter configuration?
- Jouni
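The two answers above describe a manual walk through "show run tunnel-group", "show run group-policy" and "show run username". The script below automates that walk and is an added example for this thread; it is not code from the posters or from Cisco. It parses a constructed "show running-config" excerpt and reports, for every remote-access tunnel-group, which group-policy wins (tunnel-group default-group-policy, a LOCAL user's own vpn-group-policy, or the built-in DfltGrpPolicy) and whether the effective split-tunnel-policy is tunnelall (full tunnel), tunnelspecified or excludespecified (both split). The tunnel-group and policy names TunnelGroupX, GrpX, GrpCorp001 and CorpGroupPolicy come from the thread; SPLIT_ACL, SplitPolicy, GrpContractor and the user contractor1 are invented for the sample. Two caveats the script encodes: an attribute absent from a named group-policy is inherited from DfltGrpPolicy, whose factory default for split-tunnel-policy is tunnelall, and a group-policy assigned per user (here via the LOCAL username; a RADIUS server can do the same with the Class attribute) overrides what the tunnel-group says.

```python
# Constructed sample of "show running-config" output. TunnelGroupX, GrpX,
# GrpCorp001 and CorpGroupPolicy are the names from the thread; SPLIT_ACL,
# SplitPolicy, GrpContractor and the contractor1 user are invented here.
SAMPLE_CONFIG = """\
access-list SPLIT_ACL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_ACL standard permit 192.168.10.0 255.255.255.0
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ssl-client
group-policy CorpGroupPolicy internal
group-policy CorpGroupPolicy attributes
 vpn-tunnel-protocol ikev1 ssl-client
group-policy SplitPolicy internal
group-policy SplitPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
username contractor1 password ***** encrypted
username contractor1 attributes
 vpn-group-policy SplitPolicy
tunnel-group TunnelGroupX type remote-access
tunnel-group GrpX type remote-access
tunnel-group GrpX general-attributes
 address-pool VPN_POOL
tunnel-group GrpCorp001 type remote-access
tunnel-group GrpCorp001 general-attributes
 default-group-policy CorpGroupPolicy
tunnel-group GrpCorp001 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group GrpContractor type remote-access
tunnel-group GrpContractor general-attributes
 default-group-policy SplitPolicy
"""

def parse_asa_config(text):
    """Collect tunnel-groups, group-policies, username attributes and standard
    ACLs: the four things the "show run" walk in the thread looks at."""
    cfg = {"tunnel_groups": {}, "group_policies": {}, "usernames": {}, "acls": {}}
    section = None  # (table, name) of the indented attribute block we are in
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if not line.startswith(" "):  # top-level line; may open a new block
            section = None
            if t[0] == "access-list" and len(t) >= 6 and t[2] == "standard":
                if t[4] == "host":  # "permit host A.B.C.D" has no mask token
                    t[4], t[5] = t[5], "255.255.255.255"
                cfg["acls"].setdefault(t[1], []).append((t[3], t[4], t[5]))
            elif t[0] == "group-policy" and t[-1] == "attributes":
                section = ("group_policies", t[1])
            elif t[0] == "username" and t[-1] == "attributes":
                section = ("usernames", t[1])
            elif t[0] == "tunnel-group" and t[2] == "type":
                cfg["tunnel_groups"].setdefault(t[1], {})["type"] = t[3]
            elif t[0] == "tunnel-group" and t[2] == "general-attributes":
                section = ("tunnel_groups", t[1])
            if section:
                cfg[section[0]].setdefault(section[1], {})
            continue
        if section is None:  # e.g. ipsec-attributes, which we do not need
            continue
        entry = cfg[section[0]][section[1]]
        if section[0] == "group_policies" and t[0] == "split-tunnel-policy":
            entry["split_policy"] = t[1]
        elif section[0] == "group_policies" and t[:2] == ["split-tunnel-network-list", "value"]:
            entry["split_acl"] = t[2]
        elif section[0] == "usernames" and t[0] == "vpn-group-policy":
            entry["group_policy"] = t[1]
        elif section[0] == "tunnel_groups" and t[0] == "default-group-policy":
            entry["group_policy"] = t[1]
    return cfg

def effective_split_tunnel(cfg, policy_name):
    """Attributes missing from a named group-policy are inherited from
    DfltGrpPolicy, whose built-in default is tunnelall (full tunnel)."""
    own = cfg["group_policies"].get(policy_name, {})
    dflt = cfg["group_policies"].get("DfltGrpPolicy", {})
    split_policy = own.get("split_policy") or dflt.get("split_policy") or "tunnelall"
    acl = own.get("split_acl") or dflt.get("split_acl")
    nets = [f"{n}/{m}" for a, n, m in cfg["acls"].get(acl, []) if a == "permit"]
    return split_policy, acl, (nets if split_policy != "tunnelall" else [])

MODES = {
    "tunnelall": "FULL tunnel: all client traffic, Internet included, rides the VPN",
    "tunnelspecified": "SPLIT tunnel: only the listed networks ride the VPN",
    "excludespecified": "SPLIT tunnel: the listed networks bypass the VPN",
}

def classify(cfg, tunnel_group, username=None):
    """Which group-policy a tunnel-group (or a LOCAL user on it) ends up with,
    and whether that means full or split tunnel."""
    policy = cfg["tunnel_groups"][tunnel_group].get("group_policy")
    source = "tunnel-group default-group-policy" if policy else "DfltGrpPolicy (none configured)"
    policy = policy or "DfltGrpPolicy"
    user_policy = cfg["usernames"].get(username, {}).get("group_policy")
    if user_policy:  # a vpn-group-policy on the username overrides the tunnel-group's
        policy, source = user_policy, "username attributes"
    split_policy, acl, nets = effective_split_tunnel(cfg, policy)
    return {"tunnel_group": tunnel_group, "group_policy": policy, "policy_source": source,
            "split_policy": split_policy, "split_acl": acl, "networks": nets,
            "mode": MODES[split_policy]}

def report(cfg, username=None):
    """One result per remote-access tunnel-group; L2L tunnel-groups are skipped."""
    return [classify(cfg, n, username) for n, tg in cfg["tunnel_groups"].items()
            if tg.get("type") == "remote-access"]

if __name__ == "__main__":
    for r in report(parse_asa_config(SAMPLE_CONFIG)):
        print(f"{r['tunnel_group']:<14} {r['group_policy']:<16} ({r['policy_source']}): "
              f"{r['mode']} {', '.join(r['networks'])}")
```

Run against the real output of "show running-config" instead of SAMPLE_CONFIG and the report answers the original question directly: a tunnel-group that resolves to tunnelall is the full-tunnel case where the client's Internet traffic enters the ASA and is then subject to the outside-interface ACL or a vpn-filter, which is what the opening post describes; a tunnelspecified or excludespecified result means the endpoint talks to the Internet directly while holding a path into the corporate network, so the ASA never sees that traffic.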
01-08-2014 01:08 PM
Hi Jouni,
Going step by step
sh run tunnel-group shows
tunnel-group TunnelGroupX type remote-access
tunnel-group GrpX type remote-access
tunnel-group GrpX general-attributes
tunnel-group GrpCorp001 type remote-access
tunnel-group GrpCorp001 general-attributes
 default-group-policy CorpGroupPolicy
tunnel-group GrpCorp001 ipsec-attributes
Seems it has 2 tunnel groups which are defined, right?
Also it has a single default policy, so this policy is used by all the VPN clients, right?
I checked
show run group-policy
It does not show split tunnel anywhere, so it seems all Internet traffic is going via the Corp Network, right?
Regards
MAhesh
01-08-2014 01:18 PM
Hi,
It seems there are 3 "tunnel-group" entries above for "remote-access".
2 of them seem to have no "group-policy", so they use the default one on the ASA, which unchanged means Full Tunnel.
1 of the "tunnel-group" entries has a "group-policy" and it doesn't seem to list any of the Split Tunnel configurations I mentioned above, so it would mean it's Full Tunnel too.
It would seem all 3 "tunnel-group" entries are therefore using Full Tunnel.
- Jouni
01-08-2014 01:30 PM
Hi Jouni,
When I use Remote VPN to connect, how can I know which tunnel group I will be hitting?
Regards
Mahesh
01-08-2014 01:41 PM
It depends,
If you are using the AnyConnect SSL VPN Client, then you would typically see the "tunnel-group" name in the AnyConnect VPN Client's drop-down menu when you are connecting to the ASA. Though I guess the name might also be an alias for the "tunnel-group" name.
If you are using the Cisco VPN Client (IPsec Client), then the "tunnel-group" is configured under the Connection Entry.
Here is the Main Window.
Choose the Connection Entry that you are using and click the Modify button above.
As you can see from the above, the "Name" field contains the name of the "tunnel-group" used. The value inserted in the "Password" fields would be the Pre-Shared Key that you have configured in the "tunnel-group" on the ASA.
Hope this helps
- Jouni
01-08-2014 01:53 PM
Hi Jouni,
Yes, I saw the name when I clicked on Modify.
Seems it's a lot of info for today.
Best regards
MAhesh