12-12-2006 03:04 PM
Hi Sir,
I'm configuring an ASA to terminate remote access VPNs. ASA version is 7.2(1)24. VPN Client version is 4.6.04.
I want to tunnel all user traffic to the ASA except for traffic to destination network 10.200.75.0/24.
My config as follows:
!
access-list ACL_SPLIT_TUN standard deny 10.200.75.0 255.255.255.0
access-list ACL_SPLIT_TUN standard permit any
!
group-policy GROUP1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL_SPLIT_TUN
!
The above config does not accomplish what I want when tested in production. Let me know if I have configured it incorrectly.
Please help.
Thank you.
B.Rgds,
Lim TS
12-13-2006 11:16 PM
Hi Lim,
It seems this is not a valid solution. Your question was to deny the traffic onto the split tunnels. The answer to this is no: none of the clients understand a deny, and therefore deny is not valid syntax for the split tunnel list.
Hope this helps. All the best. Rate replies if found useful.
Raj
12-12-2006 07:22 PM
hello Lim,
Your config seems OK and really logical, but this seems to be a strange scenario. There are normally only "permit" statements on the split-tunnel lists and the rest are implicit denies; your case is exactly the opposite. Just test one thing: instead of the deny at the top, put a permit for some networks (1 or 2 networks) and see if it comes on the split tunnel list on your client. If it comes, I guess this is the only way of doing it; not really sure if deny is possible there then.
What do you see in the statistics of your VPN client with your present config? Are you seeing any routes in the 'Secured Routes' section of your client? Any log messages?
Raj
12-13-2006 02:48 AM
Hi Raj,
Yeah, my scenario is a bit strange. It is what is required by my customer in their unique environment.
With my config, under "Secured Routes", I saw only one entry: 0.0.0.0 (Network) 0.0.0.0 (Subnet Mask).
When I disable split tunneling (by tunneling all traffic to ASA) using the following config, I also see 0.0.0.0 (Network) 0.0.0.0 (Subnet Mask).
!
group-policy GROUP1 attributes
split-tunnel-policy tunnelall
!
My guess is, the VPN Client has no way to include the "deny 10.200.75.0 255.255.255.0" into its list of Secured Routes.
With regards to your suggestion, I already had a similar setup (only permit statements) in my customer's network. True, the network permitted by the ACL appears in the Secured Routes list.
Any thoughts?
Thank you.
B.Rgds,
Lim TS
01-04-2007 01:28 PM
Hi Raj,
Back to my case, which is, I'm trying to tunnel all user traffic to the ASA except for traffic to destination network 10.200.75.0/24.
Instead of using "tunnelspecified", can using "excludespecified" accomplish my requirement, as follows:
!
access-list ACL_EXCLUDE standard permit 10.200.75.0 255.255.255.0
!
group-policy GROUP1 attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value ACL_EXCLUDE
!
I haven't tried it on an ASA, but do you think it will work theoretically?
Above is based on allowing Local LAN Access for VPN clients:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml
In the config example, I'm not sure why the ACL is permitting 0.0.0.0/32.
Thank you.
B.Rgds,
Lim TS
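The following is an added worked example, not code from this thread or from Cisco. It is a small Python model of how the VPN client turns an ASA group-policy split-tunnel setting plus a standard ACL into its "Secured Routes" list, using the behaviour established above: a deny line has no client-side representation and is silently dropped, so the original tunnelspecified config collapses to a single 0.0.0.0/0 route, while the proposed excludespecified config with a permit for 10.200.75.0/24 keeps exactly that network off the tunnel. The config names, the ACL lines and the test address 10.200.75.10 are taken from or constructed around this thread; the parser handles only the standard-ACL forms used here (network/mask, "host", and "any").

```python
"""Model of how a Cisco VPN client applies an ASA split-tunnel policy.

Constructed example for this thread. It models the three split-tunnel-policy
values discussed (tunnelall, tunnelspecified, excludespecified) and the
observation that a 'deny' line in the split-tunnel ACL is not understood by
the client and never becomes a secured route.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple

ANY = IPv4Network("0.0.0.0/0")


@dataclass
class SplitTunnelResult:
    policy: str
    secured: List[IPv4Network] = field(default_factory=list)   # routed through the tunnel
    excluded: List[IPv4Network] = field(default_factory=list)  # kept off the tunnel
    ignored_lines: List[str] = field(default_factory=list)     # ACL lines the client cannot express


def parse_standard_acl(lines: List[str]) -> Tuple[List[IPv4Network], List[str]]:
    """Parse 'access-list NAME standard permit|deny ...' lines.

    Returns (permitted networks, ignored lines). Deny lines are recorded as
    ignored rather than applied, mirroring the client behaviour in the thread.
    """
    permitted, ignored = [], []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] != "standard":
            raise ValueError(f"not a standard ACL line: {line!r}")
        action, rest = parts[3], parts[4:]
        if action == "deny":
            ignored.append(line)
            continue
        if action != "permit":
            raise ValueError(f"unknown action in: {line!r}")
        if rest == ["any"]:
            permitted.append(ANY)
        elif len(rest) == 2 and rest[0] == "host":
            permitted.append(IPv4Network(f"{rest[1]}/32"))
        elif len(rest) == 2:  # network followed by a dotted netmask (ASA standard ACL form)
            permitted.append(IPv4Network(f"{rest[0]}/{rest[1]}", strict=False))
        else:
            raise ValueError(f"cannot parse network in: {line!r}")
    return permitted, ignored


def apply_split_policy(policy: str, acl_lines: List[str]) -> SplitTunnelResult:
    """Build the client's route view for one split-tunnel-policy value."""
    result = SplitTunnelResult(policy=policy)
    if policy == "tunnelall":
        result.secured = [ANY]          # client shows 0.0.0.0 / 0.0.0.0 only
        return result
    permitted, ignored = parse_standard_acl(acl_lines)
    result.ignored_lines = ignored
    if policy == "tunnelspecified":
        result.secured = permitted      # only permitted networks are secured
    elif policy == "excludespecified":
        result.secured = [ANY]          # everything tunneled ...
        result.excluded = permitted     # ... except the permitted networks
    else:
        raise ValueError(f"unknown split-tunnel-policy: {policy!r}")
    return result


def is_tunneled(result: SplitTunnelResult, dst: str) -> bool:
    """Decide whether traffic to dst goes through the tunnel under result."""
    addr = IPv4Address(dst)
    if any(addr in net for net in result.excluded):
        return False
    return any(addr in net for net in result.secured)


# The three configurations that appear in the thread (constructed from its posts).
THREAD_CONFIGS = {
    "original": ("tunnelspecified", [
        "access-list ACL_SPLIT_TUN standard deny 10.200.75.0 255.255.255.0",
        "access-list ACL_SPLIT_TUN standard permit any",
    ]),
    "tunnelall": ("tunnelall", []),
    "proposed": ("excludespecified", [
        "access-list ACL_EXCLUDE standard permit 10.200.75.0 255.255.255.0",
    ]),
}


def evaluate_thread_configs(dst: str = "10.200.75.10") -> Dict[str, dict]:
    """Summarise secured/excluded routes and the tunnel decision for dst."""
    out = {}
    for name, (policy, acl) in THREAD_CONFIGS.items():
        r = apply_split_policy(policy, acl)
        out[name] = {
            "secured": [str(n) for n in r.secured],
            "excluded": [str(n) for n in r.excluded],
            "ignored": list(r.ignored_lines),
            "tunneled": is_tunneled(r, dst),
        }
    return out


if __name__ == "__main__":
    for name, info in evaluate_thread_configs().items():
        print(f"{name:10s} secured={info['secured']} excluded={info['excluded']} "
              f"ignored={len(info['ignored'])} tunneled(10.200.75.10)={info['tunneled']}")
```

Running it reproduces what Lim saw: the "original" config yields a single 0.0.0.0/0 secured route and the deny line is reported as ignored, so 10.200.75.10 is still tunneled; "tunnelall" is the same; the "proposed" excludespecified config excludes 10.200.75.0/24 and tunnels everything else. One caveat the model does not capture: in Cisco's local-LAN-access example the entry 0.0.0.0/32 is a special value the client interprets as "the client's own local subnet", whereas this parser treats it literally as the single address 0.0.0.0.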
04-16-2008 10:46 AM
Raj - I am trying to accomplish the same setup. Did you ever get this to work?