01-24-2011 07:23 PM
Hi, friends,
I'm implementing the IOS VPN split tunnel feature and I'm stuck on a question: can I only use "permit ip x y" on the split tunnel ACL? What if I'd like to restrict the client's access to, let's say, a single application and server on my network? Isn't it possible? I mean, can't I use some ACL like "permit tcp host x.y.z.k eq 99 a.b.c.d 0.0.0.255"?
Best regards,
Maurício Harley
01-24-2011 07:42 PM
Hi Mauricio,
Normally the split-tunneling ACL makes reference to the IP protocol, since by definition you defined the interesting traffic using IP for IPsec.
If you want to restrict to certain applications, you can create those restrictions on the ACL that is applied inbound to the outside interface of the IOS router.
However, I don't remember, if you actually set the split-tunneling ACL to permit TCP/UDP, whether it's going to take it as well.
Federico.
01-25-2011 02:52 AM
Federico,
Thank you for your reply. Actually, as far as I know, common ACLs applied to the outside interface don't interfere with the IPsec tunnel traffic (except the ACEs to permit ISAKMP and the ESP protocol). Since I'm talking about the remote access VPN type, I don't have to specify "interesting traffic". My duty is to avoid IPsec traffic getting NATed when it comes back from the local network to the client, and I'm already doing it.
So, the closest achievement I could get was to restrict the split tunnel to a single host. But even that only works with ALL IP traffic, and this is not good for me. I gotta restrict it to a range of ports, but the ACL simply doesn't work when I change "permit ip ..." to "permit udp ..." or "permit tcp ...".
Any suggestion?
Kind Regards,
Maurício Harley
01-25-2011 06:22 PM
Mauricio,
I haven't tested it yet, but I'm pretty sure you can only set "IP" in the split-tunneling ACL.
However, the feature you're looking for is called:
Crypto Access Check on Clear-Text Packets
Check it out in the Cisco IOS Security Configuration Guide, Release 12.4.
In short, define your post-encryption ACL, go into your crypto map and apply it with:
set ip access-group {access-list-number | access-list-name} {in | out}
Hope it helps.
Federico.
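The configuration below is an added example illustrating the two ACLs Federico distinguishes; it is not part of the original thread and not Cisco's documentation. The split-tunnel ACL only tells the client which destinations to route into the tunnel, so it stays "permit ip"; the per-application restriction lives in a second ACL applied to the decrypted (clear-text) packets with `set ip access-group`. Every name, address and port here is constructed (server 10.10.10.20, port 99, client pool 192.168.50.0/24), the pre-shared key is a placeholder, and it is assumed that the rest of the EzVPN server setup (ISAKMP policy, transform set ESP-AES-SHA, crypto map bound to the outside interface) already exists and that the router's IOS accepts `set ip access-group` under the dynamic crypto map entry.

```cisco
! Split-tunnel ACL: written from the router's side (protected network -> any).
! It only controls which routes the client installs for the tunnel, so it is
! kept as "permit ip"; a "permit tcp ... eq 99" here would not filter by port.
ip access-list extended SPLIT-TUNNEL
 permit ip 10.10.10.0 0.0.0.255 any

! Clear-text check ACL (constructed example): evaluated on packets after they
! are decrypted. Only TCP from the client pool to the one application server
! on port 99 is allowed; the explicit deny makes the intent visible in "show".
ip access-list extended VPN-CLEARTEXT-IN
 permit tcp 192.168.50.0 0.0.0.255 host 10.10.10.20 eq 99
 deny   ip any any

! Address pool handed to remote-access clients (constructed range).
ip local pool VPN-POOL 192.168.50.1 192.168.50.254

! Remote-access group: the "acl" keyword pushes SPLIT-TUNNEL to the clients.
crypto isakmp client configuration group REMOTE-USERS
 key <PRE-SHARED-KEY-PLACEHOLDER>
 pool VPN-POOL
 acl SPLIT-TUNNEL

! Dynamic crypto map for the remote-access clients. "set ip access-group ... in"
! applies VPN-CLEARTEXT-IN to the decrypted traffic arriving from the clients
! (assumed to be accepted in dynamic-map configuration mode on this release).
crypto dynamic-map DYNMAP 10
 set transform-set ESP-AES-SHA
 set ip access-group VPN-CLEARTEXT-IN in
 reverse-route

crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
```

With this in place, a client still routes the whole 10.10.10.0/24 network into the tunnel, but anything other than TCP port 99 on 10.10.10.20 is dropped after decryption. Hits on the `deny ip any any` line (visible with `show ip access-lists VPN-CLEARTEXT-IN`) are a convenient indicator of clients probing beyond the permitted application.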
02-07-2011 10:46 AM
Hi, Federico,
I appreciate your answer very much. I didn't have to implement this feature; I solved it with a simple outbound ACL. Anyway, thanks for your attention!
Mauricio Harley
02-08-2011 01:23 AM
Hi Mauricio,
The split-tunnel ACL defines what routes need to be pushed to the clients connecting to the router via remote access VPN or EzVPN. So, only IP is allowed in the split tunnel ACL (I think even if you mention tcp in there, it is considered as IP).
HTH
Regards,
Praveen