
Replacing Split-Tunneling

ROBERT CROOKS
Level 1

My environment consists of two ASA 5510 devices in active/passive failover, both v8.2(5).

For years I have taken the easy way out to configure VPN access by using split-tunnel to give access to internal resources. Prior to the ASA I configured my PIXes an entirely different way and could limit individual users to specific VLANs, but it's been so long I have forgotten how I did it. To make it worse, it's been a while since I attended an ASA course so I'm very rusty. All authentication is done through Cisco ACS (Windows) and all my users are using AnyConnect.

I would appreciate it if anyone has any links or resources that I could follow to convert my split-tunnel configuration to a more user-centric model where I can limit RADIUS usernames to specific internal resources. Right now all VPN users are able to access the same VLANs, and even though some of these networks have ACLs on the OS side for access to resources, it still makes me uncomfortable to give a consultant access to some of our networks even though they lack the OS authentication.

I hope I am explaining myself sufficiently.


Thanks

Robert


1 Reply

Hello

First, to move from split tunnel to the default tunnel-all, you will need to change the settings in the group-policy for the AnyConnect tunnel group.


hostname(config-group-policy)# split-tunnel-policy {tunnelall | tunnelspecified | excludespecified}
hostname(config-group-policy)# no split-tunnel-policy

http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/vpngrp.html#wp1093578


After doing this, you will need to allow internet access to your clients by configuring the necessary dynamic PAT statements.


For versions 8.2 and before:

ciscoasa(config)# same-security-traffic permit intra-interface
ciscoasa(config)# nat (outside) 1 192.168.50.0 255.255.255.0 (VPN pool/DHCP IP address)
ciscoasa(config)# global (outside) 1 interface

For versions after 8.3:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html


Make sure that internet access is working properly with AnyConnect configured as tunnel-all, and finally you can start playing with the dynamic access policies (DAP). Basically, with this feature you can push to individual users or groups of users (based on their RADIUS or LDAP attributes) customized ACLs and allow/deny access depending on the configured policies.


http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html#t4


http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/ravpnpag.html


I hope this helps.
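The three steps in the reply (tunnel-all, hairpin PAT for internet access, and a DAP that pushes a per-user ACL), pulled together into one ASA 8.2-syntax fragment. This is an added example, not configuration from the original post or from Cisco; the group-policy name GP-ANYCONNECT, the ACL and DAP record names, the 192.168.50.0/24 client pool and the 10.10.20.x hosts are all assumed values, and the DAP selection criteria (which RADIUS attribute or username the record matches) are set in ASDM and stored in dap.xml rather than in the CLI shown here.

```text
! Added example (not from the original thread). Names and addresses are assumptions.

! 1. Stop split-tunneling: every client packet now crosses the tunnel,
!    so the ASA can enforce what each user reaches.
group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelall

! 2. Hairpin the clients' internet traffic back out the outside interface
!    (pre-8.3 NAT syntax, matching the 8.2(5) code in the thread).
same-security-traffic permit intra-interface
nat (outside) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface

! 3. A restrictive ACL for one class of user: only the hosts and ports the
!    consultant actually needs; everything else that enters the tunnel is dropped.
access-list ACL-CONSULTANT extended permit tcp any host 10.10.20.15 eq 3389
access-list ACL-CONSULTANT extended permit tcp any host 10.10.20.16 eq 443
access-list ACL-CONSULTANT extended deny ip any any

! 4. DAP record that applies that ACL. Its match criteria (for example a
!    RADIUS class attribute or the username) are defined in ASDM under
!    Dynamic Access Policies; the CLI only carries the record and its ACL.
dynamic-access-policy-record DAP-CONSULTANT
 network-acl ACL-CONSULTANT
 priority 10
 user-message "Consultant access: limited to the project hosts"

! 5. Check: make the fallback record terminate sessions that match no DAP,
!    so a user nobody classified does not silently keep full tunnel-all access.
!    Confirm every legitimate user group has a matching record before enabling this.
dynamic-access-policy-record DfltAccessPolicy
 action terminate
```

After a test login, `show vpn-sessiondb detail anyconnect` shows the filter name applied to the session, which is the quickest way to confirm that the DAP matched and the ACL (rather than the group-policy default) is in force.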