11-25-2019 08:37 PM - edited 02-21-2020 09:43 AM
Hi all,
just looking for some design guidance and best practice on configuring the FTD/ASA VPN split-tunnel ACL with VPN-Filter ACL.
I have a corporate network that is on the 10.0.0.0/8 network, and I want users to access most of the corporate network through VPN. So for my split-tunnel, is it best practice to have a single-entry ACL of 10.0.0.0/8, which means any traffic destined to this network will be encrypted and sent over the tunnel, and all other subnets (private and public) will route over the user's home network? Then, if I wanted to restrict some access, I would use the VPN-filter to be more granular with what subnets/ports can be accessed?
This leads to my other question: if a user's home network is also in the 10.0.0.0/8 range, then this would route via the tunnel, so they won't be able to access resources on their home network?
OR is it best practice to restrict the corporate networks in the split-tunnel ACL directly if it's a whole subnet that shouldn't be accessed? For example, if users are not meant to have access to 10.4.0.0/16, deny this from the split-tunnel?
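The layout described in the question, as an added ASA configuration example (not from the original post or from Cisco documentation): the split-tunnel ACL carries the single 10.0.0.0/8 entry, and the vpn-filter ACL does the granular restriction (here, blocking 10.4.0.0/16). The pool name, pool range, ACL names and group-policy name are assumed values.

```cisco
! Address pool handed to VPN clients (assumed value)
ip local pool VPN_POOL 192.168.250.1-192.168.250.254 mask 255.255.255.0
!
! Split-tunnel ACL: a standard ACL listing destination networks only.
! Traffic to 10.0.0.0/8 goes through the tunnel; everything else leaves via
! the user's home network. Note that this ACL only tells the client what to
! route into the tunnel; it is not enforced on the headend.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
!
! VPN-filter ACL: enforced on the ASA against decrypted tunnel traffic, so
! this is where access is actually restricted. Entries are written from the
! client's point of view (source = VPN pool, destination = corporate subnets);
! the ASA handles the return direction. Deny 10.4.0.0/16 first, then allow
! the rest of 10.0.0.0/8; everything else hits the implicit deny.
access-list VPN_FILTER extended deny ip 192.168.250.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list VPN_FILTER extended permit ip 192.168.250.0 255.255.255.0 10.0.0.0 255.0.0.0
!
! Group policy tying both ACLs to the VPN users
group-policy CORP_VPN internal
group-policy CORP_VPN attributes
 address-pools value VPN_POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value VPN_FILTER
```

With this policy, a home LAN that also sits inside 10.0.0.0/8 (say 10.0.1.0/24) matches SPLIT_TUNNEL, so the client sends that traffic into the tunnel and the vpn-filter then decides whether it is allowed; the overlap is resolved by the split-tunnel list, not by the filter.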
11-25-2019 09:23 PM