Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1333
Views
10
Helpful
5
Replies

ISE - DACL and ASA VPN Split tunnel

Go to solution
munaf shaikh
Level 1
Level 1

‎12-27-2022 04:34 AM

Hi Folks,

We have DACL applied to an Authorization profile which enables Cisco remote VPN users to login. 

Please help with below queries :

  1. Is DACL pushed to the end user machine or to the ASA itself?
  2. If its pushed to ASA, then will how can we see that in running config.
  3. In tunnel group, we have split tunnel which allows users to connect to on prem resources, Will DACL replace it ?  

 

1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to munaf shaikh

‎12-27-2022 06:17 AM - edited ‎12-27-2022 06:21 AM

@munaf shaikh use "show vpn-sessiondb detail anyconnect filter name <username>" to filter on the username, this will show which DACL is applied to the users session.

The split-tunnel defines the routes to be routed over the tunnel (if using split include). By default on the ASA, VPN traffic bypasses the interface ACL (with the command "sysopt connection permit-vpn" configured, which it is as default) - so traffic is permitted as default (assuming it is included in the split-tunnel ACL).

View solution in original post

5 Replies 5

Go to solution
Rob Ingram
VIP
VIP

‎12-27-2022 04:58 AM

@munaf shaikh

The DACL is sent to the ASA.

Use the command "show access-list" this will display all the access-lists and DACLs. Bear in mind the DACL will only appear if dynamically applied to a session, so if the user logs off the DACL is removed.

The split-tunnel ACL defines which networks are routable over the VPN, the DACL is used to further restrict which ports/protocols the user can access over the VPN. The DACL does not replace the split-tunnel ACL.

0 Helpful

Go to solution
munaf shaikh
Level 1
Level 1
In response to Rob Ingram

‎12-27-2022 06:13 AM

Thank you @Rob Ingram for the clarification.

I was able to view the DACL using "show access-lists' command, however it raises few more questions.

  1. DACL output in ASA shows - access-list #ACSACL#-IP-ACL_Home_Users-61560aa1............................... , so i am confuse, how ASA knows to which group of users this ACL needs to be applied. Rule does not mentions any group of users. 
  2. If split-tunnel ACL only defines which networks are routable over VPN, then why split tunnel ACL has action - Permit. We do not have any explicit ACL rules defined in ASA which allows communication from VPN users towards LAN resources, but still users are able to access LAN resources. I guess because we have added LAN subnets in Split tunnel, with Action Permit?
0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to munaf shaikh

‎12-27-2022 06:17 AM - edited ‎12-27-2022 06:21 AM

@munaf shaikh use "show vpn-sessiondb detail anyconnect filter name <username>" to filter on the username, this will show which DACL is applied to the users session.

The split-tunnel defines the routes to be routed over the tunnel (if using split include). By default on the ASA, VPN traffic bypasses the interface ACL (with the command "sysopt connection permit-vpn" configured, which it is as default) - so traffic is permitted as default (assuming it is included in the split-tunnel ACL).

Go to solution
munaf shaikh
Level 1
Level 1
In response to Rob Ingram

‎12-27-2022 06:27 AM

Thank you again buddy for the detailed explanation @Rob Ingram 

I have got my answer  

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎12-27-2022 05:46 AM - edited ‎12-27-2022 06:30 AM

depend on direction of DACL. 
good luck 

0 Helpful
Customers Also Viewed These Support Documents