497 Views | 0 Helpful | 1 Reply

Internet on a stick (no split-tunnel) with limited internal access?

tom.brockman
Level 1

Is it possible to configure remote access (IPSEC client) to force all traffic through the tunnel (no split tunnel) yet still limit the internal hosts that can be accessed?

I have been asked to provide remote access (via ASA5510) with the following requirements:

    - the client should have unrestricted internet access via the ASA (the source address will appear to be the outside interface of the ASA)

    - the client should have access to only two internal hosts (192.168.10.10 and 192.168.44.10)

Configuring no split-tunnel using the ASDM wizard or using the example provided by Cisco (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml) results in remote access to all interior networks (0.0.0.0).

Is there a way to limit access to those two internal hosts, while still providing secured internet access? The only way I can see is to use an access list on another device (for example our core switch).

Any suggestions? Thanks in advance for any help.

1 Reply

Herbert Baerten
Cisco Employee

Hi Tom,

Yes, you can apply an access-list to the tunnel with the "vpn-filter" command in the group-policy.

E.g.

access-list foo remark vpn-filter: any client -> the two allowed hosts, then block the rest of 192.168/16, then permit internet
access-list foo extended permit ip any host 192.168.10.10
access-list foo extended permit ip any host 192.168.44.10
access-list foo extended deny ip any 192.168.0.0 255.255.0.0
access-list foo extended permit ip any any
group-policy mygp attributes
 vpn-filter value foo

Hth

Herbert

Sent from Cisco Technical Support iPad App
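The reply's filter only works because of entry order: the ASA evaluates a vpn-filter ACL top to bottom, the first matching entry wins, and anything that matches nothing hits the implicit deny. The Python below is an added example (not Cisco's code and not part of the thread) that models that first-match rule for the four entries above, using a constructed client address (10.10.10.5) and constructed destinations, so you can see which internal hosts stay reachable and that the 192.168.0.0/16 deny must sit before the final permit.

```python
"""First-match model of the vpn-filter ACL from the reply above.

Added example, not Cisco's code. An ASA evaluates an ACL top to bottom,
the first matching entry decides, and traffic matching no entry hits the
implicit deny at the end. For a vpn-filter the source is the VPN client's
assigned address and the destination is the network behind the ASA.
"""
from ipaddress import ip_address, ip_network

# The four entries from the reply as (action, source, destination).
VPN_FILTER = [
    ("permit", "0.0.0.0/0", "192.168.10.10/32"),
    ("permit", "0.0.0.0/0", "192.168.44.10/32"),
    ("deny",   "0.0.0.0/0", "192.168.0.0/16"),
    ("permit", "0.0.0.0/0", "0.0.0.0/0"),
]


def evaluate(acl, src, dst):
    """Return the action of the first entry matching src -> dst, else 'deny'."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action
    return "deny"  # implicit deny at the end of every ASA ACL


def verdicts(acl, client, destinations):
    """Map each destination to the filter's verdict for the given client."""
    return {dst: evaluate(acl, client, dst) for dst in destinations}


if __name__ == "__main__":
    # Constructed sample: a client assigned 10.10.10.5 from the VPN pool,
    # two allowed hosts, one other internal host, one internet address.
    flows = ["192.168.10.10", "192.168.44.10", "192.168.20.7", "203.0.113.7"]
    for dst, verdict in verdicts(VPN_FILTER, "10.10.10.5", flows).items():
        print(f"10.10.10.5 -> {dst}: {verdict}")
    # Same entries with the deny moved after "permit any any": the whole
    # 192.168/16 range becomes reachable, which is the ordering mistake to avoid.
    misordered = VPN_FILTER[:2] + [VPN_FILTER[3], VPN_FILTER[2]]
    print("misordered 192.168.20.7:", evaluate(misordered, "10.10.10.5", "192.168.20.7"))
```

Two practical points when applying this on the ASA: the filter is attached to the group-policy, so verify with `show running-config group-policy mygp` and `show access-list foo` that the hit counters move as clients connect; and because the internet-bound traffic comes in and goes back out the outside interface, the hairpinning configuration from the Cisco example linked in the question (`same-security-traffic permit intra-interface` plus the NAT for the VPN pool) is still needed alongside the vpn-filter.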