Cisco ASA: Exclude a specific IP from the split tunneling

Hi,

I need some help with a question about split tunneling configuration.

I need to exclude a specific IP address from the split-tunneling networks already configured.

This is my configuration:

access-list Split_Tunnel standard permit 192.168.0.0 255.255.0.0
access-list Split_Tunnel standard permit 10.0.0.0 255.0.0.0

group-policy GroupPolicy_Anyconnect_Access_Exception_1 attributes
wins-server none
dns-server value xxxxx xxxxxxx
vpn-simultaneous-logins 3
vpn-idle-timeout 480
vpn-session-timeout none
vpn-tunnel-protocol ssl-client
group-lock value Anyconnect_access
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel
default-domain value xxxxx
split-dns value t380.inet telefonica wh.telefonica cic.wh.telefonica telefonica.corp mailar.telefonica.corp mailar.telefonica.com tefgad.com telefonicaglobalsolutions.com telefonicabusinesssolutions.com


I need to exclude the IP 10.0.0.50 from the split tunnel. My question is: if I modify the access-list to deny this IP, will the split tunnel exclude the IP?

example:

access-list Split_Tunnel standard deny 10.0.0.50 255.255.255.255

access-list Split_Tunnel standard permit 192.168.0.0 255.255.0.0
access-list Split_Tunnel standard permit 10.0.0.0 255.0.0.0

Br,

Fidel Gonzalez

3 Replies

Diego Lopez
Level 1

Hello 

I've seen this working with the deny statement on top, but sometimes it doesn't work: some ASA versions will ignore the deny statement. What I can suggest, in case the deny doesn't work, is to configure a VPN filter and apply it to the group policy; that way you can block access to that particular IP in your internal network.

Here is how you configure the VPN filter for a site-to-site tunnel, but the same applies to AnyConnect: the source will be your AnyConnect pool and the destination will be the IP 10.0.0.50.

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

Regards, please rate!

Hi Diego, 

I understand what you said, but I don't want to block the access; I want to not allow the routing, i.e. I want to deny a specific route in the split tunneling.

The problem is that the address 10.0.0.50 is a DNS server of a customer that connects to the AnyConnect, and after the customer gets connected, he cannot reach his own DNS server and loses access to the internet.

Br,

Fidel Gonzalez

I just found the information:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html#pgfId-736630

under New Features in Version 9.1(4)

Split-tunneling supports exclude ACLs: Split-tunneling of VPN traffic has been enhanced to support both exclude and include ACLs. Exclude ACLs were previously ignored. Note: This feature requires AnyConnect Client Version 3.1.03103 or later. We did not modify any commands.

So you need to run 9.1(4) and AnyConnect 3.1.03103 or later.
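The two approaches discussed in this thread, put together as an added example (this is not configuration posted by anyone in the thread): the exclude entry that the 9.1(4) release note makes work, preceded by the version checks it depends on, and the vpn-filter alternative from the first reply. The AnyConnect pool 192.168.200.0/24 and the ACL name AC_FILTER are assumptions for illustration; every other name matches the original post. The exclude entry takes 10.0.0.50 out of the tunnel so the client reaches it over its local network (which is what the DNS case needs); the vpn-filter only drops traffic to that host on the ASA and leaves the route inside the tunnel, so it does not solve the DNS problem but is what the first reply proposed.

```cisco
! Added example, not from the thread. Assumed: AnyConnect pool is
! 192.168.200.0/24 and the filter ACL is named AC_FILTER (hypothetical).

! 1. Prerequisites from the 9.1(4) release note: ASA 9.1(4) or later and
!    AnyConnect 3.1.03103 or later. The client version is reported per
!    session (field name "Client Ver" assumed from typical output).
show version | include Software Version
show vpn-sessiondb detail anyconnect | include Client Ver

! 2. Exclude 10.0.0.50 from the tunnel. Insert the /32 deny as line 1 so
!    it sits above the wider 10.0.0.0/8 permit (the first reply reports
!    it working with the deny on top). The existing permits stay as-is.
access-list Split_Tunnel line 1 standard deny host 10.0.0.50
! Resulting list:
!   access-list Split_Tunnel standard deny host 10.0.0.50
!   access-list Split_Tunnel standard permit 192.168.0.0 255.255.0.0
!   access-list Split_Tunnel standard permit 10.0.0.0 255.0.0.0
group-policy GroupPolicy_Anyconnect_Access_Exception_1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel
show running-config access-list Split_Tunnel

! 3. Alternative from the first reply (blocks, does not reroute): a
!    vpn-filter. Source is the AnyConnect pool, destination is the host;
!    a vpn-filter ends in an implicit deny, so the permit is required.
access-list AC_FILTER extended deny ip 192.168.200.0 255.255.255.0 host 10.0.0.50
access-list AC_FILTER extended permit ip 192.168.200.0 255.255.255.0 any
group-policy GroupPolicy_Anyconnect_Access_Exception_1 attributes
 vpn-filter value AC_FILTER
```

Apply either section 2 or section 3, not both: with the exclude in place, traffic to 10.0.0.50 never enters the tunnel, so a vpn-filter entry for it has nothing to match. Existing AnyConnect sessions pick up a changed split-tunnel list only on reconnect.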