03-14-2013 11:12 PM
Hello!
The question is about split-tunnel filtering capabilities without using the vpn-filter.
Let us assume that we have an ASA configured for remote VPN with split tunneling and without a VPN filter.
When the remote client connects, it receives the routes to the private network (10.1.0.0/24).
What happens if the remote client adds a route to a private network that is not defined by the split tunnel by himself (e.g. 10.2.0.0/24)?
From our test LAB we can see that the client doesn't get access to 10.2.0.0/24.
Where does the filtering take place in this case?
Is the split-tunnel ACL capable of filtering remote client traffic?
03-15-2013 12:00 PM
I understand that your question is in regard to the IPSec VPN Client, not the AnyConnect VPN Client; however, I believe the behaviour of split tunnel is the same.
Here is the answer to your question:
A. AnyConnect enforces the tunnel policy in 2 ways:
1) Route monitoring and repair (e.g. if you change the route table): AnyConnect will restore it to what was provisioned.
2) Filtering (on platforms that support filter engines): filtering ensures that even if you could perform some sort of route injection, the filters would block the packets.
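To make the two enforcement layers in the answer concrete, here is an added example (not Cisco's code and not from the original thread) that models them in Python. The only address from the thread is the provisioned network 10.1.0.0/24 and the user-added 10.2.0.0/24; the tunnel interface name `tun0`, the route-table representation as `(prefix, interface)` tuples, and the function names are assumptions made for the illustration. It also goes slightly beyond the question by treating a route that is more specific than a provisioned network as covered, since such a route still only reaches addresses the policy permits.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample policy: the split-tunnel networks the ASA pushes to the client.
# Only 10.1.0.0/24 comes from the thread; everything else here is made up for the demo.
PROVISIONED = ["10.1.0.0/24"]
TUNNEL_IF = "tun0"  # hypothetical client-side tunnel interface name

Route = Tuple[str, str]  # (destination prefix, egress interface)

# Constructed route table as it might look after a user added 10.2.0.0/24 by hand.
CURRENT_TABLE: List[Route] = [
    ("0.0.0.0/0", "eth0"),       # default route stays on the physical interface
    ("10.1.0.0/24", "tun0"),     # provisioned by the split-tunnel list
    ("10.2.0.0/24", "tun0"),     # constructed: injected by the user, not provisioned
    ("10.1.0.128/25", "tun0"),   # constructed: more specific than a provisioned net, so covered
]


def parse_nets(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse prefix strings into network objects (strict: host bits must be zero)."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def find_injected_routes(current: Iterable[Route], provisioned: Iterable[str],
                         tunnel_if: str) -> List[str]:
    """Layer 1, detection: list tunnel routes that the provisioned policy does not cover.

    A route is covered when it equals, or is a subnet of, a provisioned network.
    Routes on other interfaces are outside the tunnel policy and are ignored.
    """
    allowed = parse_nets(provisioned)
    injected = []
    for dest, ifname in current:
        if ifname != tunnel_if:
            continue
        net = ipaddress.ip_network(dest, strict=True)
        if not any(net.subnet_of(a) for a in allowed):
            injected.append(dest)
    return injected


def repair_routes(current: List[Route], provisioned: Iterable[str],
                  tunnel_if: str) -> List[Route]:
    """Layer 1, repair: remove injected tunnel routes and re-add any provisioned route
    that is missing, returning the table as the policy says it should look."""
    injected = set(find_injected_routes(current, provisioned, tunnel_if))
    kept = [(d, i) for d, i in current if not (i == tunnel_if and d in injected)]
    present = {d for d, i in kept if i == tunnel_if}
    for p in provisioned:
        if p not in present:
            kept.append((p, tunnel_if))
    return kept


def tunnel_filter_permits(dst_ip: str, provisioned: Iterable[str]) -> bool:
    """Layer 2, filtering: permit a packet into the tunnel only when its destination
    lies inside a provisioned network, whatever the route table currently says."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in n for n in parse_nets(provisioned))


if __name__ == "__main__":
    print("injected:", find_injected_routes(CURRENT_TABLE, PROVISIONED, TUNNEL_IF))
    print("repaired:", repair_routes(CURRENT_TABLE, PROVISIONED, TUNNEL_IF))
    for dst in ("10.1.0.7", "10.2.0.5"):
        print(dst, "permitted" if tunnel_filter_permits(dst, PROVISIONED) else "dropped")
```

Run as a script, the injected 10.2.0.0/24 route is reported and removed while the covered 10.1.0.128/25 route survives; the filter check then shows why a packet to 10.2.0.5 would still be dropped even if the repair step were absent, which is the behaviour observed in the lab.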