IOS Split Tunnel (only "permit ip ...")?

mauricioharley
Level 1
Level 1

Hi, friends,

I'm implementing the IOS VPN split tunnel feature and I'm stuck on a question: can I only use "permit ip x y" in the split tunnel ACL? What if I'd like to restrict the client's access to, let's say, a single application and server on my network? Isn't that possible? I mean, can't I use an ACL like "permit tcp host x.y.z.k eq 99 a.b.c.d 0.0.0.255"?

Best regards,

Maurício Harley

5 Replies

Hi Mauricio,

Normally the split-tunneling ACL makes reference to the IP protocol, since by definition you define the interesting traffic using IP for IPsec.

If you want to restrict to certain applications, you can create those restrictions on the ACL that is applied inbound to the outside interface of the IOS router.

However, I don't remember whether, if you actually set the split-tunneling ACL to permit TCP/UDP, it is going to take it as well.

Federico.

Federico,

Thank you for your reply. Actually, as far as I know, common ACLs applied to the outside interface don't interfere with the IPSec tunnel traffic (except for the ACEs that permit ISAKMP and the ESP protocol). Since I'm talking about the remote access VPN type, I don't have to specify "interesting traffic". My job is to avoid the IPSec traffic getting NATed when it comes back from the local network to the client, and I'm already doing that.

So, the closest I could get was to restrict the split tunnel to a single host. But even that only works with ALL IP traffic, and this is not good for me. I have to restrict it to a range of ports, but the ACL simply doesn't work when I change "permit ip ..." to "permit udp ..." or "permit tcp ...".

Any suggestion?

Kind Regards,

Maurício Harley

Mauricio,

I haven't tested it yet, but I'm pretty sure you can only set "IP" in the split-tunneling ACL.

However, the feature you're looking for is called:

Crypto Access Check on Clear-Text Packets

Check it out in the Cisco IOS Security Configuration Guide, Release 12.4

In short, define your post-encryption ACL, go into your crypto map and apply it with:

set ip access-group {access-list-number | access-list-name} {in | out}

Hope it helps.

Federico.
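
As an added illustration of the approach Federico describes (constructed for this thread, not configuration posted by anyone here), the fragment below keeps the split-tunnel ACL at "permit ip" for the route push and moves the port restriction into a separate ACL applied with set ip access-group on the crypto map. All names, addresses, the port and the group key are placeholders, the AAA, ISAKMP policy and interface lines are left out, and placing the command inside a dynamic crypto map is an assumption to verify against the Release 12.4 guide Federico cites.

```cisco
! Split-tunnel ACL: only "permit ip" is meaningful here. It tells the
! client which networks to route through the tunnel; it does not filter
! ports. Source = protected network, destination = any (clients).
ip access-list extended SPLIT-TUNNEL
 permit ip 10.1.1.0 0.0.0.255 any
!
! Post-decryption filter (Crypto Access Check on Clear-Text Packets):
! evaluated on the decrypted packet, so TCP/UDP ports can be matched.
! Source = VPN client pool, destination = the single application server.
! Placeholder addresses and port; replace with real values.
ip access-list extended VPN-CLEARTEXT-IN
 permit tcp 172.16.100.0 0.0.0.255 host 10.1.1.10 eq 99
 deny   ip  any any log
!
ip local pool VPNPOOL 172.16.100.1 172.16.100.254
!
! Client group: the split-tunnel ACL is pushed with the "acl" keyword.
crypto isakmp client configuration group VPNCLIENTS
 key REPLACE-WITH-GROUP-KEY
 pool VPNPOOL
 acl SPLIT-TUNNEL
!
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
!
! Dynamic crypto map for remote-access clients. The "in" direction
! applies to traffic arriving from the client after decryption.
! (Assumption: the command is accepted in a dynamic map; check the guide.)
crypto dynamic-map VPN-DYNMAP 10
 set transform-set VPN-TS
 set ip access-group VPN-CLEARTEXT-IN in
 reverse-route
!
crypto map VPN-MAP client configuration address respond
crypto map VPN-MAP 10 ipsec-isakmp dynamic VPN-DYNMAP
!
! Alternative (what Maurício later reports doing): apply an equivalent
! "permit tcp ... eq 99 / deny ip any any" filter as an outbound
! interface ACL with "ip access-group <name> out" instead of here.
```

The "deny ip any any log" entry at the end of the clear-text ACL gives a log record of any client traffic outside the allowed port, which is useful when checking that the restriction actually took effect.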

Hi, Federico,

I very much appreciate your answer. I didn't have to implement this feature; I solved it with a simple outbound ACL. Anyway, thanks for your attention!

Mauricio Harley

Hi Mauricio,

The split-tunnel ACL defines what routes need to be pushed to the clients connecting to the router via remote access VPN or EzVPN. So only IP is allowed in the split-tunnel ACL (I think even if you mention tcp in there, it is considered as IP).

HTH

Regards,

Praveen
