you can use vpn-filter along

williamehmke1 · ‎10-06-2015

Can you run an extended ACL with a Split Tunnel?

pjain2 · ‎10-06-2015

yes you can

access-list split permit ip <pool subnet> <mask> <local subnet> <mask>

williamehmke1 · ‎10-06-2015

thanks PJain. Also can you define access through the extended ACL by explicit system IP and port or can you only define access by IP subnet?

pjain2 · ‎10-06-2015

you can use vpn-filter along with split-tunnel if in case you want to allow only certain port based traffic.

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

williamehmke1 · ‎10-06-2015

thanks i have the filter set yet i still can't route to the system i have defined in the filter and the ACL

pjain2 · ‎10-06-2015

please put in the config for the filter and the ip address you are trying to access and the pool subnet.

also share the split tunneling acl

williamehmke1 · ‎10-06-2015

this is the ACL I have defined. I am also using this as my filter. I am trying to access the 10.59.x.x network and all the others listed in the acl. MY VPN pool is 10.112.xxx.xxx but I defined the ACL with any for testing purposes

access-list XX_SPLIT_TUNNEL remark Connection to system
access-list XX_SPLIT_TUNNEL extended permit tcp any host 10.1xx.x.x eq 20105
access-list XX_SPLIT_TUNNEL remark Connection to system
access-list XX_SPLIT_TUNNEL extended permit tcp any host 10.1xx.x.x eq 20106
access-list XX_SPLIT_TUNNEL remark Connection to server
access-list XX_SPLIT_TUNNEL extended permit object-group Windows_File_Shares any host 10.5x.x.x
access-list XX_SPLIT_TUNNEL remark Connection to server
access-list XX_SPLIT_TUNNEL extended permit ip any host 10.5x.x.x
access-list XX_SPLIT_TUNNEL remark Connection to system
access-list XX_SPLIT_TUNNEL extended permit udp any host 10.12.x.x range 135 139
access-list XX_SPLIT_TUNNEL remark Connection to system
access-list XX_SPLIT_TUNNEL extended permit tcp any host 10.12.x.x range 135 netbios-ssn
access-list XX_SPLIT_TUNNEL remark Connection to system
access-list XX_SPLIT_TUNNEL extended permit tcp any host 10.12.x.x eq 445
access-list XX_SPLIT_TUNNEL remark Connection to system
access-list XX_SPLIT_TUNNEL extended permit tcp any host 10.1xx.x.x eq 20105
access-list XX_SPLIT_TUNNEL remark Connection to system
access-list XX_SPLIT_TUNNEL extended permit tcp any host 10.1xx.x.x eq 20106
access-list XX_SPLIT_TUNNEL remark Connection to system
access-list XX_SPLIT_TUNNEL extended permit tcp any host 10.1xx.x.x eq www
access-list XX_SPLIT_TUNNEL remark Connection to system
access-list XX_SPLIT_TUNNEL extended permit tcp any host 10.1xx.x.x eq 9080
access-list XX_SPLIT_TUNNEL remark Connection to system
access-list XX_SPLIT_TUNNEL extended permit tcp any host 10.1xx.x.x eq www
access-list XX_SPLIT_TUNNEL remark Connection to system
access-list XX_SPLIT_TUNNEL extended permit tcp any host 10.1xx.x.x eq 9080
access-list XX_SPLIT_TUNNEL remark Connection to system
access-list XX_SPLIT_TUNNEL extended permit tcp any host 10.12.x,x
access-list XX_SPLIT_TUNNEL remark ping to servername
access-list XX_SPLIT_TUNNEL extended permit icmp any host 10.5x.x.x

pjain2 · ‎10-06-2015

do not use same acl for both vpn-filter and split-tunneling acl.

define an extended acl for vpn-filter

williamehmke1 · ‎10-07-2015

Thank you for your help. Creating separate ACL's for split-tunneling and vpn-filter worked

Extended ACl with Split Tunnel