
How do I allow & deny subnets into Split-Tunneled sites?

lchance
Level 1

I need to configure the ASA by GROUP-POLICY to deny certain subnets into our Split-Tunnel sites. I’ve tried unsuccessfully using an IPv4 FILTER.

How do I only allow traffic into 10.100.0.0 sites from only two subnets 10.50.0.0 and 10.150.0.0 but yet deny traffic from all other 10 dot networks?

And yet, still allow 10.100.0.0 access to anything on our networks ( 10.0.0.0/8)…

[Attachment: Split Tunnel example.jpg]

1 Accepted Solution

Yup, correct... you can just change the Standard ACL PROTECTED_VPN from 10.0.0.0/8 to just 10.50.0.0 and 10.150.0.0.

Need to know whether the Easy VPN has been configured in Client mode or Network Extension mode (NEM).

With Client mode, the Easy VPN client will be PATed to 1 IP Address, hence connection can only go from client towards server subnet.

With NEM, both Easy VPN client and server can connect to each other as long as the VPN is initiated from the Easy VPN client side. Once the VPN is up, server can also access client's network.
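The change described in this answer, as an added ASA configuration example (not taken from the thread or the poster's device): the split-tunnel network list is moved from a catch-all 10.0.0.0/8 to a new standard ACL carrying only the two permitted /16 subnets, and the group policy is pointed at it. The group-policy name and the new ACL name are assumptions.

```cisco
! Added example, not the poster's configuration. Object names other than
! PROTECTED_VPN (SPLIT_TUNNEL_GP, PROTECTED_VPN_RESTRICTED) are assumed.
!
! Before: the whole 10.0.0.0/8 is sent into the split tunnel.
access-list PROTECTED_VPN standard permit 10.0.0.0 255.0.0.0
!
! After: a new standard ACL with only the two subnets that may use the tunnel
! (keeps the original PROTECTED_VPN intact, as the poster planned).
access-list PROTECTED_VPN_RESTRICTED standard permit 10.50.0.0 255.255.0.0
access-list PROTECTED_VPN_RESTRICTED standard permit 10.150.0.0 255.255.0.0
!
! Bind the new network list to the group policy used by the split-tunnel sites.
group-policy SPLIT_TUNNEL_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value PROTECTED_VPN_RESTRICTED
!
! Verify the result before the next client reconnects.
show running-config access-list PROTECTED_VPN_RESTRICTED
show running-config group-policy SPLIT_TUNNEL_GP
```

Clients pick up the new list on their next connection; an already-established Easy VPN session keeps the list it negotiated until it reconnects.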


3 Replies

Jennifer Halim
Cisco Employee

Not quite sure how each subnet is connected exactly. Can you please confirm if the following assumption is correct from the ASA point of view:

10.50.0.0/16 and 10.150.0.0/16: local subnet behind ASA firewall

10.200.0.0/16 and 10.250.0.0/16: remote subnet L2L VPN tunnel to ASA firewall

10.100.0.0/16: remote subnet via Easy VPN (NEM - Network Extension Mode) to ASA firewall

If the above is a correct assumption, I am not quite sure what has been configured to actually allow other remote LANs (10.250.0.0/16 and 10.200.0.0/16) to access 10.100.0.0/16. Because unless it is explicitly configured to start with, it will not have access.

Maybe a copy of the configuration might help.

Thanks for your reply...

I inherited administration of this ASA so I'm trying to figure things out. And yes, all your assumptions are correct.

These locations using Split-Tunnels want to deny traffic from all other 10 dot networks except for 10.50.0.0 & 10.150.0.0.

This particular GROUP POLICY uses the Standard ACL named 'PROTECTED_VPN' which covers (Network List) 10.0.0.0/8 and although this ASA does have other GROUP policies, I've since discovered only this Split-Tunnel group uses this ACL and no other group.

What I intend to do now is create a new Standard ACL (preserving the other named PROTECTED_VPN) but with a new name and then only apply those networks of 10.50.0.0 and 10.150.0.0 (aka Network List).

I'm also trying to understand how reflexive works in this Group Policy environment. So, this may not be 'Reflexive' - do you know?
