771 Views | 5 Helpful | 4 Replies

Split-tunneling/ACL IP-conflict

azore2007
Level 1

Hi everyone, I'm in need of some clarification regarding a split-tunnel/ACL situation that has arisen.

I want to give the user the secured route of 192.168.0.0/16 when he VPNs to the ASA5510.

The user, on the other hand, has 192.168.1.0/24 as his home network and will lose his local LAN access when VPNing?

I can't exclude the 192.168.1.0/24 range in my ASA5510 ACL just for this user.

What do I do? (The user can't change his internal network.) Do I tell him 'tough luck' or what? :)

Thanks

4 Replies

acomiskey
Level 10

You could allow local LAN access.

access-list Local_LAN_Access standard permit host 0.0.0.0
group-policy vpn attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access

Also check "Allow local LAN" on the client config. Using host 0.0.0.0 in the ACL will exclude whichever local subnet the VPN user is on. The user would of course lose any access to 192.168.1.x on the remote LAN.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml

Please rate helpful posts.

Hi, and thanks for the answer.

A small follow-up question:

Can you exclude the user's internet also with a similar command?

And "Also check "Allow local LAN" on the client config" - does this really affect anything? I have been trying around with it but don't notice any changes?

Thanks a lot

"Can you exclude the user's internet also with a similar command?"

-By this do you mean you want them to have internet access locally? If so, yes, you can create the following, if you only want to tunnel to 10.0.1.0...

access-list Split_Tunnel_List standard permit 10.0.1.0 255.255.255.0
group-policy vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List

"And "Also check "Allow local LAN" on the client config" - does this really affect anything? I have been trying around with it but don't notice any changes?"

-If you have created the "excludespecified" split-tunnel-policy to have local LAN access, you need to also check the box on the VPN client for it to work.
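As an added illustration (not part of the thread and not Cisco's code), here is a small Python model of the two split-tunnel policies discussed above, using the 192.168.0.0/16 corporate range and the 192.168.1.0/24 home LAN from the question. The functions route_decision and split_tunnel_conflicts, and the simplified policy semantics they encode, are my own assumptions rather than ASA documentation; host 0.0.0.0 is treated as "the client's own local subnet", as the reply describes. The model makes the trade-off concrete: tunnelspecified keeps internet local but swallows the home LAN because /16 covers it, while excludespecified with host 0.0.0.0 keeps the home LAN local but sends internet through the tunnel.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values taken from the thread.
CORP_NET = "192.168.0.0/16"   # secured route pushed to the VPN user
HOME_LAN = "192.168.1.0/24"   # the user's home network

# Stand-in for the ASA ACL entry "permit host 0.0.0.0" (assumption: modelled as a /32).
LOCAL_SUBNET_WILDCARD = ip_network("0.0.0.0/32")


def split_tunnel_conflicts(tunneled_networks, local_subnet):
    """Return the tunneled networks that overlap the client's local subnet.

    Any overlap means local hosts become unreachable once the tunnel is up,
    because the VPN route covers them (the situation described in the question).
    """
    local = ip_network(local_subnet)
    return [n for n in tunneled_networks if ip_network(n).overlaps(local)]


def route_decision(dest, policy, acl, local_subnet):
    """Simplified model (my assumption, not ASA documentation) of where a packet goes.

    policy: 'tunnelall', 'tunnelspecified' or 'excludespecified'
    acl:    list of network strings; '0.0.0.0/32' stands in for 'host 0.0.0.0',
            which under excludespecified means 'the client's own local subnet'.
    Returns 'tunnel' or 'local'.
    """
    dst = ip_address(dest)
    local = ip_network(local_subnet)
    matched = False
    for entry in acl:
        net = ip_network(entry)
        if policy == "excludespecified" and net == LOCAL_SUBNET_WILDCARD:
            net = local  # the 'host 0.0.0.0' wildcard resolves to the local LAN
        if dst in net:
            matched = True
            break
    if policy == "tunnelall":
        return "tunnel"
    if policy == "tunnelspecified":
        return "tunnel" if matched else "local"
    if policy == "excludespecified":
        return "local" if matched else "tunnel"
    raise ValueError(f"unknown split-tunnel policy: {policy}")


if __name__ == "__main__":
    print("overlap with home LAN:", split_tunnel_conflicts([CORP_NET], HOME_LAN))
    for dest in ("192.168.1.20", "192.168.5.9", "8.8.8.8"):
        a = route_decision(dest, "tunnelspecified", [CORP_NET], HOME_LAN)
        b = route_decision(dest, "excludespecified", ["0.0.0.0/32"], HOME_LAN)
        print(f"{dest:>14}  tunnelspecified={a:<7} excludespecified={b}")
```

Running it prints the overlap ([ "192.168.0.0/16" ]) and then shows that under tunnelspecified a home host such as 192.168.1.20 is tunneled while 8.8.8.8 stays local, and under excludespecified the reverse holds; in this model there is no single policy that keeps both the home /24 and the internet local while still tunneling the whole corporate /16, because the corporate prefix contains the home prefix.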

Hi, I think I misled you with my former question.

What I meant was: can I exclude the user's home network + internet at the same time?

As in 192.168.1.0/24 + his own internet, and still give him the secure routes of 192.168.0.0/16 at the same time?

I understand the difference between excludespecified and tunnelspecified, but you can't combine them at the same time? A bit confusing :)

Thanks for the help!
