ASA

Hi Guys,

  Looking to configure split tunneling for AnyConnect VPN.

I need to configure the access-list as: access-list name standard deny host 0.0.0.0, on ASA 9.4(1).

When I enter this command it shows "invalid IP address", but if I enter a question mark after the command it shows <cr>.

Aditya Ganjoo
Cisco Employee

Hi,

May I know the exact requirement for configuring this deny statement?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

     This is regarding denying the LAN traffic. Let me explain from the beginning.

A remote user (extranet) is accessing the internal (organization) resources through Cisco AnyConnect VPN.

After connecting to the VPN, I want to encrypt only the user's Internet and intranet traffic, not his LAN traffic. By LAN traffic I mean the same user taking RDP to another user's machine. For example, the user is working from home, so the user can take RDP to another user and can also connect to the VPN.

Regards,

G.Pitchaimani

Hi,

You can use "exclude specified" split tunneling.

Check the following link for more info:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70847-local-lan-pix-asa.html

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi,

  We are using the ASA 5585 with version 9.4(1); here we are not able to deploy the access-list as: access-list access_name standard deny/permit host 0.0.0.0

Regards,

G.Pitchaimani

Hi,

I was able to do that at my end.

May I know what error you get while doing so?

Also, could you share the config snippet for the group-policy?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi,

  I am not able to deploy the access-list with deny host 0.0.0.0:

access-list access_list_name standard deny host 0.0.0.0

group-policy group_policy_name attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value access_list_name

Regards,

G.Pitchaimani
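For comparison, here is the tunnelspecified configuration posted above next to the "exclude specified" (local LAN access) form Aditya pointed to earlier, as an added example and not configuration from the thread or from the Cisco document itself. The ACL and group-policy names are placeholders, and it is assumed that the host 0.0.0.0 entry is accepted by the running release, which is exactly what the thread reports failing on 9.4(1).

```cisco
! --- As posted in the thread: tunnelspecified with a deny entry ---
! With tunnelspecified, the permit entries in the list define what is
! sent through the tunnel; this list has no permit entry at all.
access-list access_list_name standard deny host 0.0.0.0
group-policy group_policy_name attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value access_list_name

! --- Local LAN access form (the approach in the referenced Cisco doc) ---
! With excludespecified, everything is tunneled EXCEPT what the list
! permits. AnyConnect treats "host 0.0.0.0" in this list as the client's
! own directly connected subnet rather than as a literal host address.
! Result: Internet and intranet traffic go through the tunnel, RDP to a
! neighbour on the user's home LAN does not.
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access standard permit host 0.0.0.0
group-policy group_policy_name attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access

! Verify what the group-policy actually carries after the change:
! show running-config group-policy group_policy_name
```

On the client side the AnyConnect "Allow local LAN access" preference (LocalLanAccess in the client profile) must also be enabled, otherwise the exclusion is ignored. Keep in mind that excluding the local subnet means hosts on the user's home LAN can reach the connected client while it is on the VPN, so it trades some tunnel isolation for the RDP use case described above.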

Hi Aditya,

Kindly find attached the error message we are getting. We are using the ASA 5585 series with OS version 9.4.1.

Regards,

G.Pitchaimani

Hi,

You are hitting this bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuu48626/?reffering_site=dumpcr

You can use the workaround mentioned in the bug.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi,

  We have tried host 0.0.0.0 and host ::; it is not working. We also tried adding an object network, and that is not working either.

Regards,

G.Pitchaimani

Hi,

In that case please upgrade to the recommended version and check.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi,

 We are using OS version 9.4.1.

Regards,

G.Pitchaimani

Hi,

Recommended version is 9.4.2.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi,

Is there any alternative way other than upgrading the OS version?

Regards,

G.Pitchaimani