VPN split-tunnel and vpn-filter acl design and best practices

Madura Malwatte
Level 4

Hi all,

Just looking for some design guidance and best practice on configuring the FTD/ASA VPN split-tunnel ACL with a VPN-Filter ACL.

I have a corporate network that is on the 10.0.0.0/8 network, and I want users to access most of the corporate network through VPN. So for my split-tunnel, is it best practice to have a single-entry ACL of 10.0.0.0/8, which means any traffic destined to this network will be encrypted and sent over the tunnel, and all other subnets (private and public) will route over the user's home network? Then if I wanted to restrict some access, I would use the VPN-filter to be more granular with what subnets/ports can be accessed?


This leads to my other question: if a user's home network is also in the 10.0.0.0/8 range, then this would route via the tunnel, so they won't be able to access resources on their home network?

OR is it best practice to restrict the corporate networks in the split-tunnel ACL directly if it's a whole subnet that shouldn't be accessed? For example, if users are not meant to have access to 10.4.0.0/16, deny this from the split-tunnel?

1 Reply

Francesco Molino
VIP Alumni
Hi

For split tunnel, if you allow 10/8 and the home network is also in a range within the 10/8, it's going to work because the routing table of the machine knows how to forward traffic within its own subnet, and everything out of its scope it's going to forward through the tunnel.

If you don't allow the 10/8 and go with specific subnets, every time you need to create a subnet or allow it into the secured tunnel, you'll need to add the ACE on the split ACL, configure the NAT exempt accordingly and so forth.
What I usually do is:
- summarize the corporate subnets for the split tunnel
- not enable "bypass ASA ACLs" when possible (some customers don't want to deal with opening flows every time, and they bypass ASA ACLs but push a VPN filter to users).
- push VPN filters depending on RADIUS authentication

Doing so, you'll be able to have one rule fit all your subnets without compromising on security, because you're filtering access using ACLs.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
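The design discussed in the question and the reply, as an added ASA configuration example (not from either poster): a single summarized 10.0.0.0/8 split-tunnel entry, a vpn-filter that blocks 10.4.0.0/16 and permits only specific ports elsewhere, one identity-NAT rule covering the whole summary, and interface ACLs kept in force. Object and ACL names and the client pool 10.200.0.0/16 are assumptions; vpn-filter ACEs are written with the client pool as source and the inside network as destination, and the ASA applies them to both directions of each flow.

```text
! Assumed names: RA_POOL, CORP, VPN_POOL_NET, SPLIT_TUNNEL, VPN_FILTER, RA_GP (not from the thread)
! Constructed client pool 10.200.0.0/16; corporate summary 10.0.0.0/8 and restricted 10.4.0.0/16 from the question
ip local pool RA_POOL 10.200.0.1-10.200.255.254 mask 255.255.0.0
object network CORP
 subnet 10.0.0.0 255.0.0.0
object network VPN_POOL_NET
 subnet 10.200.0.0 255.255.0.0
!
! Split-tunnel list: one summary entry, so only 10/8 is sent into the tunnel;
! everything else leaves via the user's home network
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
!
! vpn-filter: granular control inside the tunnel. Source = VPN client, destination = inside.
! Order matters: deny the restricted /16 before the broad permits.
access-list VPN_FILTER extended deny ip 10.200.0.0 255.255.0.0 10.4.0.0 255.255.0.0
access-list VPN_FILTER extended permit tcp 10.200.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq 443
access-list VPN_FILTER extended permit udp 10.200.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq 53
access-list VPN_FILTER extended permit icmp 10.200.0.0 255.255.0.0 10.0.0.0 255.0.0.0
! Implicit deny: anything not listed above is dropped inside the tunnel
!
! NAT exemption (identity NAT) for pool <-> corporate, written once for the whole summary
nat (inside,outside) source static CORP CORP destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup
!
! Do not let decrypted VPN traffic bypass the interface ACLs ("bypass ASA ACLs" in the reply)
no sysopt connection permit-vpn
!
group-policy RA_GP internal
group-policy RA_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value VPN_FILTER
 address-pools value RA_POOL
!
! Per-user filters: have RADIUS return the Class attribute "OU=<group-policy>" so each
! user group lands in a group policy carrying its own vpn-filter
!
! Verification: confirm the filter is attached to the session and watch its hit counts
! show vpn-sessiondb detail anyconnect
! show access-list VPN_FILTER
```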