Beginner

Split tunnel and extended ACL query

Hello,

I am encountering an issue where, when using an extended ACL as the network list for a VPN policy, the destinations do not appear in the 'Secured Routes (IPv4)' list within the AnyConnect client. They are therefore being routed outside of the VPN, which does not work, as they are internal routes.

The reason I need to use an extended ACL is that I would like to restrict connected clients to particular ports for networks local to the ASA hosting the VPN.

I do have this working for another VPN profile; however, the difference is that in the working profile I am tunneling all networks. In the non-working profile I need to tunnel only the networks in the ACL, as we need standard external traffic to be excluded from the VPN to prevent wasted bandwidth on our external interfaces.

So my question is: is it possible to use split tunneling with an extended ACL, or is this a limitation on the ASA?

Thanks,
Daryl

Accepted Solution

Rising star

Re: Split tunnel and extended ACL query

Hello,

The purpose of the split-tunnel list is to push a reverse route to the client; this won't work with an extended ACL and, actually, even if you define it, it won't solve the purpose. If you wish to define the port restriction, you can use a VPN filter:

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc6

HTH

AJ

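To make the accepted answer concrete, here is an added ASA configuration example written for this page; it is not Cisco's sample configuration and not the poster's real one. All names and addresses in it are assumed: an AnyConnect pool of 10.99.0.0/24, internal networks 10.10.0.0/16 and 192.168.50.0/24, an internal DNS server at 10.10.1.53 and a jump host at 10.10.1.10. The split-tunnel network list is a standard ACL, so it names destinations only, and those destinations are what the client shows under Secured Routes; the port restriction lives in a separate extended ACL applied with vpn-filter. Two caveats a practitioner should keep in mind: a vpn-filter ACL is written with the remote (VPN client) address in the source position and is evaluated for both directions of a connection, so an ACE that lets an inside host open a connection to a client carries the port on the client side of the ACE; and the filter ends with an implicit deny, so DNS and ICMP must be permitted explicitly or they stop working the moment the filter is applied.

```cisco
! Constructed example addressing (not from the original thread):
!   AnyConnect client pool : 10.99.0.0/24
!   Internal networks      : 10.10.0.0/16 (servers), 192.168.50.0/24 (management)
!   Internal DNS server    : 10.10.1.53
!   Jump host              : 10.10.1.10

! 1. Split-tunnel network list: a STANDARD ACL, destinations only.
!    These entries become "Secured Routes (IPv4)" in the AnyConnect client;
!    everything else leaves the client via its normal default route.
access-list SPLIT-INTERNAL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT-INTERNAL standard permit 192.168.50.0 255.255.255.0

! 2. Port restriction: an EXTENDED ACL applied as a vpn-filter.
!    Written client-first: source = VPN client pool, destination = internal network.
!    The filter ends in an implicit deny, so anything not listed is dropped.
access-list VPNFILTER-INTERNAL extended permit udp 10.99.0.0 255.255.255.0 host 10.10.1.53 eq domain
access-list VPNFILTER-INTERNAL extended permit tcp 10.99.0.0 255.255.255.0 10.10.0.0 255.255.0.0 eq 443
access-list VPNFILTER-INTERNAL extended permit tcp 10.99.0.0 255.255.255.0 10.10.0.0 255.255.0.0 eq 3389
access-list VPNFILTER-INTERNAL extended permit tcp 10.99.0.0 255.255.255.0 192.168.50.0 255.255.255.0 eq 22
access-list VPNFILTER-INTERNAL extended permit icmp 10.99.0.0 255.255.255.0 10.10.0.0 255.255.0.0 echo
! Let the jump host SSH *to* connected clients: the ACE is still written client-first,
! so the port sits on the client side of the ACE.
access-list VPNFILTER-INTERNAL extended permit tcp 10.99.0.0 255.255.255.0 eq 22 host 10.10.1.10

! 3. Address pool, group policy and tunnel group tying the two ACLs together.
ip local pool ANYCONNECT-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0

group-policy GP-INTERNAL-RESTRICTED internal
group-policy GP-INTERNAL-RESTRICTED attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-INTERNAL
 vpn-filter value VPNFILTER-INTERNAL
 dns-server value 10.10.1.53
 split-dns value corp.example

tunnel-group ANYCONNECT-INTERNAL type remote-access
tunnel-group ANYCONNECT-INTERNAL general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GP-INTERNAL-RESTRICTED
tunnel-group ANYCONNECT-INTERNAL webvpn-attributes
 group-alias internal-restricted enable

! 4. Checks once a client has connected (replace <user> with the session's username).
show vpn-sessiondb detail anyconnect filter name <user>
show asp table filter access-list VPNFILTER-INTERNAL
```

After a client connects, the session detail should list VPNFILTER-INTERNAL as the filter, and the Secured Routes shown in the client should match the SPLIT-INTERNAL entries exactly; if a needed internal service stops working after the filter is applied, the first thing to check is whether it is missing from the vpn-filter ACL, since the implicit deny at its end drops everything not permitted.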


Beginner

Re: Split tunnel and extended ACL query

Hi Ajay,

Excellent, VPN-Filter combined with a standard ACL for the split tunnel resolved this.

Many thanks,
Daryl