Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
937
Views
15
Helpful
6
Replies

Adding 2 vendor IP's to an existing anyconnect "Split_Tunnel_ACL"...

Go to solution
MicJameson1
VIP Alumni
VIP Alumni

‎01-02-2023 11:07 AM - edited ‎01-02-2023 11:08 AM

GOAL: To add 2 public vendor IP addresses to an existing anyconnect "Split_Tunnel_ACL"

CONFIGURATON:

#object network MY_VPN_Pool
#subnet 172.16.1.0 255.255.255.0
#object-group network VENDOR_IP_GROUP1
#network-object host 1.2.3.4
#network-object host 1.2.3.5
#access-list Split_Tunnel_ACL extended line 50 permit ip object-group VENDOR_IP_GROUP1 object MY_VPN_Pool

Is the above correct?

Thank you!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to MicJameson1

‎01-02-2023 11:25 AM - edited ‎01-02-2023 11:26 AM

@MicJameson1 I think the destination object/network is just ignored if you use an extended ACL, it just looks at the source network. So yes I think it should be ok, though I've never used an extended ACL for split tunnels personally - not sure if any unforeseen gotchas.

View solution in original post

6 Replies 6

Go to solution
Rob Ingram
VIP
VIP

‎01-02-2023 11:13 AM - edited ‎01-02-2023 11:16 AM

@MicJameson1 use a standard ACL to define the network/hosts to include in the list of split tunnel networks. https://integratingit.wordpress.com/2019/03/16/asa-split-tunnelling/

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70917-asa-split-tunnel-vpn-client.html

I assume you want to tunnelspecified, tunneling those 2 public IP addresses through the VPN.

 

Go to solution
MicJameson1
VIP Alumni
VIP Alumni
In response to Rob Ingram

‎01-02-2023 11:22 AM

I'm adding to a huge existing config that is already using an extended ACL. I agree that the standard ACL is better. I don't want to change the style now.

"I assume you want to tunnelspecified, tunneling those 2 public IP addresses through the VPN"-- yes

Does the config, as listed, look fine?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to MicJameson1

‎01-02-2023 11:25 AM - edited ‎01-02-2023 11:26 AM

@MicJameson1 I think the destination object/network is just ignored if you use an extended ACL, it just looks at the source network. So yes I think it should be ok, though I've never used an extended ACL for split tunnels personally - not sure if any unforeseen gotchas.

Go to solution
MicJameson1
VIP Alumni
VIP Alumni
In response to Rob Ingram

‎01-02-2023 11:29 AM

Thank you for the data Commander Data. I will keep it in mind.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎01-02-2023 11:16 AM

as I know Split-ACL allow only standard ACL 
I think you talking about VPN filter not split-ACL ?

Go to solution
MicJameson1
VIP Alumni
VIP Alumni
In response to MHM Cisco World

‎01-02-2023 11:20 AM

Thanks for your reply.

I already researched that point. Extended works too, although it's less clean.

0 Helpful
Customers Also Viewed These Support Documents