How to override split tunneling per user

emravnorgeno
Level 1

Hi,

I've an ASA 5505, running ASA 8.2(2). I'm using ASDM 6.2(5).
The ASA is set up with split tunneling and it works perfectly.
However, for a few users, I want all traffic, including Internet traffic, routed through the ASA.
The specific users' IP address on the Internet should then be the same as the ASA outside address, not the client's local address.
The question is therefore:
How to simply override the split tunneling at user level?
Alternatively, set up a "tunnel all" group policy for the specified users?
Any adequate solution at all?

Thanks in advance,

Erik

19 Replies

Hello Erik,

So I would say something like this is missing:

access-list outside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.128 192.168.1.0 255.255.255.0

nat (outside) 0 access-list outside_nat0_outbound          <-- no NAT for communication to inside

nat (outside) 1 192.168.50.0 255.255.255.128               <-- NAT the first part of the subnet to the outside interface IP

Unfortunately I work with IOS 8.3, so there can be some mistakes in the command line.

emravnorgeno
Level 1

SSCH1NDLER,

Wow! Works perfectly! Thanks a lot.

As an extra option I would like to know if it's possible to set up the "TunnelAll" policy to deny access to the inside resources (hide LAN/192.168.1.0).
Combined with the previous settings, the "TunnelAll" policy will then be limited to just being a host of the ASA outside IP.

Thanks,
Erik

Yep, it is possible.

You can bind an ACL that denies traffic to your LAN network.

Something like:

access-list deny-to-inside permit udp 192.168.50.0 255.255.255.128 192.168.1.0 255.255.255.0 eq 53

access-list deny-to-inside deny ip any 192.168.1.0 255.255.255.0

access-list deny-to-inside permit ip any any

group-policy "RAVtunnel_1 Kopi" attributes

vpn-filter value deny-to-inside

By the way, you should update your ASDM and IOS, if possible. Updated versions are asa825-33-k8 and ASDM 6.49.
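To see why the order of those three ACEs matters, here is an added Python model (not ASA code, and not from anyone in this thread) that parses the vpn-filter ACL above in ASA netmask syntax and evaluates constructed VPN-client flows with first-match semantics plus the implicit deny the ASA appends to every ACL. The flow addresses and ports are constructed test values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the vpn-filter ACL from the thread (ASA netmask syntax).
ACL_TEXT = """
access-list deny-to-inside permit udp 192.168.50.0 255.255.255.128 192.168.1.0 255.255.255.0 eq 53
access-list deny-to-inside deny ip any 192.168.1.0 255.255.255.0
access-list deny-to-inside permit ip any any
"""


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _net(tokens):
    """Consume 'any' or 'addr mask' and return (network, tokens consumed)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), 2


def parse_acl(text):
    """Parse 'access-list NAME ACTION PROTO SRC [MASK] DST [MASK] [eq PORT]' lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, rest = t[2], t[3], t[4:]
        src, n = _net(rest)
        rest = rest[n:]
        dst, n = _net(rest)
        rest = rest[n:]
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src, dst, dport=None):
    """First matching ACE wins; no match falls through to the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"
```

Dropping the final `permit ip any any` and re-running `evaluate` against an Internet destination shows the implicit deny blocking all of the TunnelAll users' traffic, which is why that line has to be there.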

Thanks again,

Everything works perfectly!

I've now three policies: Split, Uturn and TunnelAll. All work differently, as wanted. I'm very grateful for all the help that got me through this project.

Thank you very much,

Erik
