Configuring split tunnel on an ASA

limtohsoon
Level 1

Hi Sir,

I'm configuring an ASA to terminate remote access VPNs. ASA version is 7.2(1)24. VPN Client version is 4.6.04.

I want to tunnel all user traffic to the ASA except for traffic to destination network 10.200.75.0/24.

My config as follows:

!
access-list ACL_SPLIT_TUN standard deny 10.200.75.0 255.255.255.0
access-list ACL_SPLIT_TUN standard permit any
!
group-policy GROUP1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_SPLIT_TUN
!

The above config does not accomplish what I want when tested in production. Let me know if I have configured it incorrectly.

Please help.

Thank you.

B.Rgds,

Lim TS


5 Replies

sachinraja
Level 9

Hello Lim,

Your config seems OK and really logical, but this seems to be a strange scenario.. there are normally only "permit" statements on the split-tunnel lists and the rest are implicit denies.. your case is exactly the opposite.. just test one thing.. instead of the deny at the top, put a permit to some networks (1 or 2 networks) and see if it comes on the split tunnel list on your client.. if it comes, I guess this is the only way of doing it.. not really sure if deny is possible there then.

What do you see on the statistics of your VPN client with your present config? Are you seeing any routes on the 'Secured Routes' section of your client? Any log messages?

Raj

Hi Raj,

Yeah, my scenario is a bit strange. It is what is required by my customer in their unique environment.

With my config, under "Secured Routes", I saw only one entry: 0.0.0.0 (Network) 0.0.0.0 (Subnet Mask).

When I disable split tunneling (by tunneling all traffic to ASA) using the following config, I also see 0.0.0.0 (Network) 0.0.0.0 (Subnet Mask).

!
group-policy GROUP1 attributes
 split-tunnel-policy tunnelall
!

My guess is, the VPN Client has no way to include the "deny 10.200.75.0 255.255.255.0" into its list of Secured Routes.

With regards to your suggestion, I already had a similar setup (only permit statements) in my customer's network. True, the network permitted by the ACL appears in the Secured Routes list.

Any thoughts?

Thank you.

B.Rgds,

Lim TS

Hi Lim,

It seems this is not a valid solution.. Your question was to deny the traffic onto the split tunnels... The answer to this is no. None of the clients understand a deny, and therefore deny is not a valid syntax for the split tunnel list.

Hope this helps.. all the best.. rate replies if found useful..

Raj

Hi Raj,

Back to my case: I'm trying to tunnel all user traffic to the ASA except for traffic to destination network 10.200.75.0/24.

Instead of using "tunnelspecified", can using "excludespecified" accomplish my requirement, as follows:

!
access-list ACL_EXCLUDE standard permit 10.200.75.0 255.255.255.0
!
group-policy GROUP1 attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value ACL_EXCLUDE
!

I haven't tried it on an ASA, but do you think it will work theoretically?

The above is based on allowing Local LAN Access for VPN clients:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml

In the config example, I'm not sure why the ACL is permitting 0.0.0.0/32.

Thank you.

B.Rgds,

Lim TS
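The two configurations discussed in this thread (the original tunnelspecified list with a deny entry, and the proposed excludespecified list), modelled in Python as an added example that is not ASA or Cisco VPN Client code. It assumes what Raj states (the client drops deny entries) and the documented meaning of excludespecified (listed networks stay local, everything else is tunneled); parse_standard_acl, client_routes and is_tunneled are names invented here.

```python
# Added model (not ASA or VPN Client code) of how a client turns a
# split-tunnel policy into routes. Assumptions: the client ignores deny
# entries (Raj's answer) and, under excludespecified, the listed networks
# stay local while everything else is tunneled (documented behaviour).
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_standard_acl(lines):
    """'access-list NAME standard permit|deny NET MASK' -> (action, net)."""
    entries = []
    for line in lines:
        parts = line.split()
        action, target = parts[3], parts[4]
        net = ANY if target == "any" else ipaddress.ip_network(
            f"{target}/{parts[5]}", strict=False)
        entries.append((action, net))
    return entries

def client_routes(policy, acl):
    """Routes the client would show: 'secured' go through the tunnel,
    'local' stay in the clear. Deny entries are dropped entirely."""
    permits = [net for action, net in acl if action == "permit"]
    if policy == "tunnelall":
        return {"secured": [ANY], "local": []}
    if policy == "tunnelspecified":
        return {"secured": permits, "local": []}
    if policy == "excludespecified":
        return {"secured": [ANY], "local": permits}
    raise ValueError(f"unknown split-tunnel-policy: {policy}")

def is_tunneled(policy, acl, dst):
    """True if traffic to dst would be sent through the tunnel."""
    addr = ipaddress.ip_address(dst)
    routes = client_routes(policy, acl)
    if any(addr in net for net in routes["local"]):
        return False
    return any(addr in net for net in routes["secured"])

# Constructed from the two configurations posted in this thread.
ORIGINAL_ACL = parse_standard_acl([
    "access-list ACL_SPLIT_TUN standard deny 10.200.75.0 255.255.255.0",
    "access-list ACL_SPLIT_TUN standard permit any",
])
EXCLUDE_ACL = parse_standard_acl([
    "access-list ACL_EXCLUDE standard permit 10.200.75.0 255.255.255.0",
])
```

With the deny dropped, `client_routes("tunnelspecified", ORIGINAL_ACL)` leaves a single 0.0.0.0/0 secured route, which is exactly the one entry Lim saw, so 10.200.75.0/24 is still tunneled; `is_tunneled("excludespecified", EXCLUDE_ACL, "10.200.75.5")` is False while any other destination is tunneled.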

Raj - I am trying to accomplish the same setup. Did you ever get this to work?