ASA - Split-Tunnel ACL enough, or must I adjust Interface ACLs also?

Hello.

When routing split tunnel traffic inside the AnyConnect VPN, in addition to the split-tunnel ACL, must I also create a standard ACL "permit" statement for this newly authorized traffic on the existing ACLs on the inside and outside interfaces?

Thank you.

2 Accepted Solutions

@jmaxwellUSAF by default, VPN traffic is permitted because the pre-configured command "sysopt connection permit-vpn" is configured, and thus the interface ACL is ignored. So no, you don't need to explicitly permit this traffic, unless you've unconfigured the default command.

Friend,
I know the name confuses you, but the split-ACL is not an ACL and is not applied to any interface on the ASA;
it is called a split-ACL, but it is actually a route added to the client.

For the ACL you need for VPN, it depends on:
1- sysopt connection permit-vpn
2- you apply any ACL IN to the INside interface
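
A small audit of the two points made in the replies above, as an added example that is not part of the original thread or any Cisco tooling: it reads a constructed running-config excerpt, lists the networks a split-tunnel list hands to the client as routes, and reports whether `sysopt connection permit-vpn` is still in effect. It assumes the default `sysopt` line is not printed in the running-config (only the `no` form is) and handles standard ACL entries only; all names and addresses are made up.

```python
import ipaddress
import re

# Constructed sample of an ASA running-config excerpt (names and networks are made up).
SAMPLE_CONFIG = """\
access-list SPLIT-ACL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT-ACL standard permit host 192.168.50.10
access-list INSIDE-IN extended permit ip any any
group-policy GP-REMOTE attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
access-group INSIDE-IN in interface inside
"""

def audit(config: str) -> dict:
    """Summarise what the split-tunnel list does and whether interface ACLs see VPN traffic."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Assumption: the default "sysopt connection permit-vpn" is not printed in the
    # running-config; only the disabled form "no sysopt connection permit-vpn" is.
    bypass = "no sysopt connection permit-vpn" not in lines
    # Standard ACL entries, keyed by ACL name, converted to CIDR networks.
    acls = {}
    for ln in lines:
        m = re.match(r"access-list (\S+) standard permit (?:host (\S+)|(\S+) (\S+))$", ln)
        if m:
            name, host, net, mask = m.groups()
            cidr = ipaddress.ip_network(f"{host}/32" if host else f"{net}/{mask}")
            acls.setdefault(name, []).append(str(cidr))
    # ACL names referenced as split-tunnel lists: these become routes on the client.
    split_lists = re.findall(r"^\s*split-tunnel-network-list value (\S+)", config, re.M)
    # ACLs actually bound to an interface with access-group.
    bound = re.findall(r"^access-group (\S+) (?:in|out) interface \S+", config, re.M)
    return {
        "interface_acl_bypassed_for_vpn": bypass,
        "client_routes": {n: acls.get(n, []) for n in split_lists},
        "split_lists_bound_to_interface": [n for n in split_lists if n in bound],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

If `interface_acl_bypassed_for_vpn` comes back `False`, the interface ACLs are no longer ignored for VPN traffic and need their own permit entries.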