07-11-2001 11:54 AM - edited 03-08-2019 08:28 PM
Hello,
How do I Disable Split Tunneling and only allow ssh and pings from the protected networks to the Internet and vice versa? Apparently the Cisco TAC does not know how to do this because I have a trouble ticket in and no one can give me an answer. Maybe someone out here can help?
07-18-2001 01:57 PM
I can't think of any way to do it either. What about asking the TAC to escalate it to a higher priority? Come back here and let me know what you come up with.
07-23-2001 11:58 PM
Hmm... your original post didn't give a lot of details. I'm not sure what Split Tunneling has to do with the problem. Perhaps you can clarify?
At any rate, if you just want to allow specific traffic to and from your network, you need only implement the appropriate filters in your firewalling device (you didn't mention whether it was a PIX or a router or something else).
Here's a sample IOS access list that might help (note that ! indicates my comments). I left in what I consider to be bare ICMP functionality - you can just restrict it to echos if you'd like, but I fear you may break something useful like Path MTU discovery :-)
! Access list 101 is applied on the "external" interface - the assumption in this case is that
! we're touching the Internet (hence the RFC 1918 filters). We filter anything that wasn't
! originated from the inside, or is an ICMP message. You should substitute explicit
! subnets for "any" whenever possible.
! (Applied inbound on the external interface with "ip access-group 101 in".)
!
! Anti-spoofing: Filter out loopback & RFC-1918 space (you may need to allow
! RFC-1918 if the router's environment routes this traffic, though). Last two lines deny
! traffic sourced from any broadcast address coming inbound, as well as any traffic with
! a source address of our internal network, which we would never expect to see anyhow.
!
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip (internal net) 0.0.0.255 any log
!
! Allow ping responses, traceroute functionality, path MTU discovery. Bare minimum
! ICMP for reasonable functionality - we could tighten this down, but might break useful
! things.
!
access-list 101 permit icmp any (internal net) 0.0.0.255 echo-reply
access-list 101 permit icmp any (internal net) 0.0.0.255 time-exceeded
access-list 101 permit icmp any (internal net) 0.0.0.255 packet-too-big
access-list 101 permit icmp any (internal net) 0.0.0.255 traceroute
access-list 101 permit icmp any (internal net) 0.0.0.255 unreachable
!
! Permissions for established (ACK) TCP traffic to allow return traffic. This permission
! is handled in a "smarter" fashion in IOS Firewall. You might have to add lines to allow
! relevant stateless UDP to come back as well.
!
access-list 101 permit tcp any (internal net) 0.0.0.255 established
!
! Explicit permissions go here... in this case, we're allowing the Internet to come in on
! port 22 to some internal host for SSH.
!
access-list 101 permit tcp any host (internal host) eq 22
!
! Add an explicit deny for administration's sake. (An extended ACL entry needs both a
! source and a destination, hence "any any".)
!
access-list 101 deny ip any any log
!
! ACL 102 is used for network egress filtering. We only want traffic with valid source
! addresses to exit the protected network, and only SSH and echo-requests.
! (Typically applied inbound on the internal interface with "ip access-group 102 in".)
!
access-list 102 permit tcp (internal net) 0.0.0.255 any eq 22
access-list 102 permit icmp (internal net) 0.0.0.255 any echo-request
access-list 102 deny ip any any log
At any rate, hope this helps.
-rakesh
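As an added example (not part of rakesh's post and not a Cisco tool), the following Python script walks packets through the two access lists above the way IOS evaluates them: top-down, first match wins, implicit "deny ip any any" at the end, with wildcard masks where a 1 bit means "don't care". It substitutes constructed documentation addresses for the placeholders: 198.51.100.0/24 stands in for "(internal net)" and 198.51.100.10 for the internal SSH host; 203.0.113.5 is a constructed Internet peer. The `Packet` class and its `ack` flag are this script's own simplification (IOS `established` matches segments with ACK or RST set). Running it shows why inbound pings are dropped while ping replies and SSH return traffic get through, and which line catches a spoofed RFC 1918 source.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # TCP/UDP destination port
    ack: bool = False     # TCP ACK/RST bit set (what "established" matches)
    icmp_type: str = ""   # e.g. "echo-reply", "echo-request"


def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: 0 bit = must match, 1 bit = don't care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'net wildcard'."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def parse_ace(line):
    """Parse 'access-list N {permit|deny} proto src dst [eq P] [established] [icmp-type] [log]'."""
    tokens = line.split()
    assert tokens[0] == "access-list", line
    acl_id, action, proto = tokens[1], tokens[2], tokens[3]
    rest = tokens[4:]
    src = parse_addr(rest)
    dst = parse_addr(rest)
    quals = [q for q in rest if q != "log"]   # "log" only affects logging, not matching
    return {"acl": acl_id, "action": action, "proto": proto,
            "src": src, "dst": dst, "quals": quals}


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace["src"]):
        return False
    if not wildcard_match(pkt.dst, *ace["dst"]):
        return False
    q = ace["quals"]
    if "eq" in q and pkt.dport != int(q[q.index("eq") + 1]):
        return False
    if "established" in q and not pkt.ack:
        return False
    if ace["proto"] == "icmp" and q and pkt.icmp_type != q[0]:
        return False
    return True


def evaluate(acl, pkt):
    """Return (action, 1-based line number) of the first matching entry; implicit deny if none."""
    for n, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace["action"], n
    return "deny", None


# Constructed stand-ins for the placeholders in the posted ACL (assumption, not real addresses).
INTERNAL_NET = "198.51.100.0"
SSH_HOST = "198.51.100.10"

ACL_101 = [parse_ace(l) for l in f"""
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip {INTERNAL_NET} 0.0.0.255 any log
access-list 101 permit icmp any {INTERNAL_NET} 0.0.0.255 echo-reply
access-list 101 permit icmp any {INTERNAL_NET} 0.0.0.255 time-exceeded
access-list 101 permit icmp any {INTERNAL_NET} 0.0.0.255 packet-too-big
access-list 101 permit icmp any {INTERNAL_NET} 0.0.0.255 traceroute
access-list 101 permit icmp any {INTERNAL_NET} 0.0.0.255 unreachable
access-list 101 permit tcp any {INTERNAL_NET} 0.0.0.255 established
access-list 101 permit tcp any host {SSH_HOST} eq 22
access-list 101 deny ip any any log
""".strip().splitlines()]

ACL_102 = [parse_ace(l) for l in f"""
access-list 102 permit tcp {INTERNAL_NET} 0.0.0.255 any eq 22
access-list 102 permit icmp {INTERNAL_NET} 0.0.0.255 any echo-request
access-list 102 deny ip any any log
""".strip().splitlines()]


def main():
    # Constructed sample traffic: inbound on the external interface (ACL 101)
    inbound = [
        ("SSH SYN to the SSH host", Packet("tcp", "203.0.113.5", SSH_HOST, dport=22)),
        ("HTTP SYN to the SSH host", Packet("tcp", "203.0.113.5", SSH_HOST, dport=80)),
        ("return ACK of an outbound session", Packet("tcp", "203.0.113.5", "198.51.100.20", dport=40000, ack=True)),
        ("spoofed 10/8 source", Packet("tcp", "10.1.2.3", SSH_HOST, dport=22)),
        ("ping request from outside", Packet("icmp", "203.0.113.5", "198.51.100.20", icmp_type="echo-request")),
        ("ping reply to inside", Packet("icmp", "203.0.113.5", "198.51.100.20", icmp_type="echo-reply")),
    ]
    for label, pkt in inbound:
        print("ACL 101", label, "->", evaluate(ACL_101, pkt))
    # Outbound from the protected network (ACL 102)
    outbound = [
        ("SSH out", Packet("tcp", "198.51.100.20", "203.0.113.5", dport=22)),
        ("HTTPS out", Packet("tcp", "198.51.100.20", "203.0.113.5", dport=443)),
        ("ping out", Packet("icmp", "198.51.100.20", "203.0.113.5", icmp_type="echo-request")),
    ]
    for label, pkt in outbound:
        print("ACL 102", label, "->", evaluate(ACL_102, pkt))


if __name__ == "__main__":
    main()
```

The line numbers returned by `evaluate` are what you would compare against `show access-lists` hit counters when checking that a rule is matching where you expect; a packet that reaches the final explicit deny (line 14 of ACL 101) is the one that will show up in the log.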