A Step Beyond Split-Tunneling between VPN Client and PIX
I am using the VPN Client 3.6.4A to connect to a PIX running 6.2(2). I have split-tunneling enabled in my 'vpngroup' settings on the PIX to restrict access on the VPN client to only a small subnet of my internal network instead of allowing access to the entire internal network. But then by doing this, I am allowing the client to connect to other sites on the Internet at the same time as they are connected to my internal network (split-tunneling).
Is there a way in this scenario to allow access to only a certain subnet of my internal network via the VPN client and not allow access to the Internet (split-tunneling) at the same time?
Re: A Step Beyond Split-Tunneling between VPN Client and PIX
Yeah, just define the traffic in your nat 0 ACL. The nat 0 ACL defines the traffic that won't be NAT'd on the return path, you'll probably just have "permit all IP from your internal network to your VPN pool of addresses". A good way to filter out what people can get to is to make this ACL more restrictive. If a user tries to go to something that isn't in the nat 0 ACL, they'll be able to send a packet to whatever host it is, but the return packet will be NAT'd and then not match the crypto ACL and the return packet will be dropped.
So, turn off split tunnelling and let's say you only want users to get to 10.1.1.1 and 10.1.1.2 on your internal network, you would do:
> access-list nonat permit ip host 10.1.1.1 192.168.1.0 255.255.255.0
> access-list nonat permit ip host 10.1.1.2 192.168.1.0 255.255.255.0
> nat (inside) 0 access-list nonat
where 192.168.1.0 is your VPN pool of IP addresses. Anything from say, 10.1.1.3 will be NAT'd on its way back to the VPN client, won't be encrypted and therefore dropped.
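As an added illustration (not part of the original reply), here is a small Python model of the return-path decision described above: the nat 0 ACL is consulted first, and only a packet that keeps its inside source address still matches the crypto ACL. The crypto ACL contents and the outside interface address are assumptions made for the example.

```python
# Added example, not from the original thread: models the PIX return path
# for a packet from an inside host back to a VPN client. Assumptions: the
# VPN pool is 192.168.1.0/24, the outside interface address is a placeholder
# (203.0.113.1), and the crypto ACL matches inside network -> VPN pool.
import ipaddress

OUTSIDE_ADDR = "203.0.113.1"  # placeholder PIX outside address used for PAT

# Mirrors the two lines:
#   access-list nonat permit ip host 10.1.1.1 192.168.1.0 255.255.255.0
#   access-list nonat permit ip host 10.1.1.2 192.168.1.0 255.255.255.0
NONAT_ACL = [
    ("10.1.1.1/32", "192.168.1.0/24"),
    ("10.1.1.2/32", "192.168.1.0/24"),
]

# Assumed crypto ACL: encrypt anything from the inside network to the pool.
CRYPTO_ACL = [("10.1.1.0/24", "192.168.1.0/24")]


def acl_permits(acl, src, dst):
    """True if any (source network, destination network) entry matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               for sn, dn in acl)


def return_path(src, dst):
    """Decide what happens to a reply packet src -> dst (dst is a VPN client).

    Returns (outcome, source address after the NAT step).
    """
    if acl_permits(NONAT_ACL, src, dst):
        nat_src = src            # nat (inside) 0: exempt, source unchanged
    else:
        nat_src = OUTSIDE_ADDR   # ordinary translation to the outside address
    if acl_permits(CRYPTO_ACL, nat_src, dst):
        return ("encrypted", nat_src)   # still matches crypto ACL -> tunnelled
    return ("dropped", nat_src)         # translated source no longer matches


if __name__ == "__main__":
    for host in ("10.1.1.1", "10.1.1.2", "10.1.1.3"):
        print(host, "->", return_path(host, "192.168.1.10"))
```

Hosts listed in the nonat ACL reach the client through the tunnel; 10.1.1.3 is translated on the way back, fails the crypto ACL match and is dropped, which is the filtering effect the reply relies on.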