Remote VPN: split tunnel filtering

Jaaazman777
Level 1

Hello!

The question is about split-tunnel filtering capabilities without using the vpn-filter.

Let us assume, that we have ASA configured for remote VPN with split tunneling without VPN filter.

  • 10.0.0.0/8 is the private network.
  • 10.1.0.0/24 is the private network, defined in the split tunnel
  • 172.16.1.0/24 is the remote VPN network

When remote client connects, it receives the routes to private network (10.1.0.0/24).

What happens if the remote client adds the route to private network (which is not defined by split tunnel) by himself (ex. 10.2.0.0/24)?

From our test LAB we can see, that client doesn't get access to 10.2.0.0/24.

Where does the filtering take place in this case?

  • By default, all traffic, coming from the VPN, bypasses all the ACLs configured on ASA interfaces.
  • VPN filter is not configured.
  • Nat0 doesn't NAT traffic from 10.0.0.0/8 to 172.16.1.0/24
  • from the sh cry ip sa on VPN server we can see, that local ident is 0.0.0.0/0
    • local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    • remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)

Is the split-tunnel ACL capable of filtering remote client traffic?

1 Accepted Solution

Accepted Solutions

Jennifer Halim
Cisco Employee

I understand that your question is in regards to the IPSec VPN Client, not AnyConnect VPN Client, however, I believe the behaviour of split tunnel is the same.

Here is the answer to your question:

https://supportforums.cisco.com/docs/DOC-1361#Q_How_does_the_AnyConnect_client_enforcemonitor_the_tunnelsplittunnel_policy

A. AnyConnect enforces the tunnel policy in 2 ways:

1) Route monitoring and repair (e.g. if you change the route table), AnyConnect will restore it to what was provisioned.

2) Filtering (on platforms that support filter engines). Filtering ensures that even if you could perform some sort of route injection, the filters would block the packets.

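The two enforcement mechanisms described in the answer, modelled as an added example (this is not code from the thread or from Cisco's client): using the addresses from the question, a route-repair pass removes the user-injected 10.2.0.0/24 route from the tunnel adapter, and a filter drops tunnel traffic to any destination outside the split-tunnel ACL even if such a route survived. The adapter names (vpn0, eth0) and the shape of the route table are assumptions.

```python
from ipaddress import ip_address, ip_network

# Values taken from the thread: the split-tunnel ACL provisions only
# 10.1.0.0/24; the client itself sits in 172.16.1.0/24.
SPLIT_TUNNEL_NETWORKS = [ip_network("10.1.0.0/24")]
TUNNEL_INTERFACE = "vpn0"  # assumed name of the virtual adapter

# Constructed client route table after the user manually added 10.2.0.0/24.
ROUTES = [
    {"dest": "10.1.0.0/24", "iface": "vpn0"},  # pushed by the headend
    {"dest": "10.2.0.0/24", "iface": "vpn0"},  # injected by the user
    {"dest": "0.0.0.0/0", "iface": "eth0"},    # default route stays local
]


def route_repair(routes, provisioned, tunnel_iface):
    """Enforcement 1: route monitoring and repair.

    Returns (kept, removed). A route bound to the tunnel adapter whose
    destination is not inside a provisioned split-tunnel network is removed,
    restoring the table to what the headend provisioned."""
    kept, removed = [], []
    for r in routes:
        dest = ip_network(r["dest"])
        allowed = any(dest.subnet_of(net) for net in provisioned)
        if r["iface"] == tunnel_iface and not allowed:
            removed.append(r)
        else:
            kept.append(r)
    return kept, removed


def tunnel_filter(dst_ip, provisioned):
    """Enforcement 2: filtering on the tunnel adapter.

    Even if a route injection survived repair, only destinations inside a
    provisioned network pass through the tunnel; everything else is dropped."""
    addr = ip_address(dst_ip)
    return any(addr in net for net in provisioned)


if __name__ == "__main__":
    kept, removed = route_repair(ROUTES, SPLIT_TUNNEL_NETWORKS, TUNNEL_INTERFACE)
    print("repaired:", [r["dest"] for r in removed])
    for dst in ("10.1.0.7", "10.2.0.7"):
        verdict = "permit" if tunnel_filter(dst, SPLIT_TUNNEL_NETWORKS) else "drop"
        print(f"{dst}: {verdict}")
```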