cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1054
Views
10
Helpful
5
Replies

ISE - DACL and ASA VPN Split tunnel

munaf shaikh
Level 1
Level 1

Hi Folks,

We have DACL applied to an Authorization profile which enables Cisco remote VPN users to login. 

Please help with below queries :

  1. Is DACL pushed to the end user machine or to the ASA itself?
  2. If its pushed to ASA, then will how can we see that in running config.
  3. In tunnel group, we have split tunnel which allows users to connect to on prem resources, Will DACL replace it ?  

 

1 Accepted Solution

Accepted Solutions

@munaf shaikh use "show vpn-sessiondb detail anyconnect filter name <username>" to filter on the username, this will show which DACL is applied to the users session.

The split-tunnel defines the routes to be routed over the tunnel (if using split include). By default on the ASA, VPN traffic bypasses the interface ACL (with the command "sysopt connection permit-vpn" configured, which it is as default) - so traffic is permitted as default (assuming it is included in the split-tunnel ACL).

View solution in original post

5 Replies 5

@munaf shaikh

The DACL is sent to the ASA.

Use the command "show access-list" this will display all the access-lists and DACLs. Bear in mind the DACL will only appear if dynamically applied to a session, so if the user logs off the DACL is removed.

The split-tunnel ACL defines which networks are routable over the VPN, the DACL is used to further restrict which ports/protocols the user can access over the VPN. The DACL does not replace the split-tunnel ACL.

Thank you @Rob Ingram for the clarification.

I was able to view the DACL using "show access-lists' command, however it raises few more questions.

  1. DACL output in ASA shows - access-list #ACSACL#-IP-ACL_Home_Users-61560aa1............................... , so i am confuse, how ASA knows to which group of users this ACL needs to be applied. Rule does not mentions any group of users. 
  2. If split-tunnel ACL only defines which networks are routable over VPN, then why split tunnel ACL has action - Permit. We do not have any explicit ACL rules defined in ASA which allows communication from VPN users towards LAN resources, but still users are able to access LAN resources. I guess because we have added LAN subnets in Split tunnel, with Action Permit?

@munaf shaikh use "show vpn-sessiondb detail anyconnect filter name <username>" to filter on the username, this will show which DACL is applied to the users session.

The split-tunnel defines the routes to be routed over the tunnel (if using split include). By default on the ASA, VPN traffic bypasses the interface ACL (with the command "sysopt connection permit-vpn" configured, which it is as default) - so traffic is permitted as default (assuming it is included in the split-tunnel ACL).

Thank you again buddy for the detailed explanation @Rob Ingram 

I have got my answer  

depend on direction of DACL. 
good luck