Split tunnel and extended ACL query

DarylBrooks
Level 1

Hello,

I am encountering an issue where, when using an extended ACL as the network list for a VPN policy, the destinations are not appearing in the 'Secured Routes (IPv4)' within the AnyConnect client. They are therefore being routed outside of the VPN, which does not work as they are internal routes.

The reason I need to use an extended ACL is that I would like to restrict connected clients to particular ports for networks local to the ASA hosting the VPN.

I do have this working for another VPN profile; however, the difference is that in the working profile I am tunneling all networks. In the non-working profile I need to tunnel only the networks in the ACL, as we need standard external traffic to be excluded from the VPN to prevent wasted bandwidth on our external interfaces.

So my question is: is it possible to use split tunneling with an extended ACL, or is this a limitation on the ASA?

Thanks,
Daryl

Accepted Solution

Ajay Saini
Level 7

Hello,

The purpose of the split tunnel list is to push a reverse route to the client. This won't work with an extended ACL, and actually, even if you define it, it won't solve the purpose. If you wish to define the port restriction, you can use a VPN filter:

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc6

HTH

AJ

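The split the accepted answer describes, written out as one complete configuration: a standard ACL that drives the client's secured routes, and a separate extended ACL applied as a vpn-filter that enforces the port restriction on the ASA. This is an added example, not Ajay's or Daryl's configuration; every name and address in it (SPLIT-TUNNEL-NETS, VPN-PORT-FILTER, GP-RESTRICTED, RESTRICTED-USERS, ANYCONNECT-POOL, the 192.168.101.0/24 pool and the internal hosts and networks) is assumed for illustration.

```cisco
! Added example, not from this thread. All names and addresses are assumed.
!
! Split tunnel list: a STANDARD ACL. Its only job is to tell the client which
! destination networks to route into the tunnel. It carries no port information;
! these entries are what show up under "Secured Routes (IPv4)" in AnyConnect.
access-list SPLIT-TUNNEL-NETS standard permit 192.168.185.0 255.255.255.0
access-list SPLIT-TUNNEL-NETS standard permit 10.10.0.0 255.255.0.0
!
! Port restriction: an EXTENDED ACL applied as a vpn-filter. It is enforced on
! the ASA against the client's decrypted traffic, written with the client address
! pool as source and the internal host as destination. The filter only sees
! traffic the client already sent into the tunnel, so it restricts ports but
! cannot add routes; that is why it does not replace the standard list above.
access-list VPN-PORT-FILTER extended permit tcp 192.168.101.0 255.255.255.0 host 192.168.185.253 eq ssh
access-list VPN-PORT-FILTER extended permit tcp 192.168.101.0 255.255.255.0 10.10.0.0 255.255.0.0 eq https
access-list VPN-PORT-FILTER extended permit udp 192.168.101.0 255.255.255.0 host 10.10.1.53 eq domain
! Explicit deny with logging so blocked attempts are visible in syslog
! (there is an implicit deny at the end of the ACL regardless).
access-list VPN-PORT-FILTER extended deny ip any any log
!
! Client address pool referenced by both the filter and the group policy.
ip local pool ANYCONNECT-POOL 192.168.101.1-192.168.101.10 mask 255.255.255.0
!
! Group policy: routes come from the standard list, port enforcement from the
! vpn-filter. Only the listed networks are tunnelled; everything else, including
! Internet traffic, stays on the client's local interface.
group-policy GP-RESTRICTED internal
group-policy GP-RESTRICTED attributes
 vpn-tunnel-protocol ssl-client
 address-pools value ANYCONNECT-POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-NETS
 vpn-filter value VPN-PORT-FILTER
!
! Tunnel group that hands connecting users this policy.
tunnel-group RESTRICTED-USERS type remote-access
tunnel-group RESTRICTED-USERS general-attributes
 default-group-policy GP-RESTRICTED
```

Two points worth checking after applying this. First, the vpn-filter is evaluated for sessions that connect after it is configured; a session that was already up keeps running under its previous filter, so log that user off (`vpn-sessiondb logoff name <username>`) and reconnect, then confirm the filter is attached with `show vpn-sessiondb detail anyconnect filter name <username>`, where the session's Filter Name field should read VPN-PORT-FILTER. Second, with `sysopt connection permit-vpn` at its default, decrypted VPN traffic bypasses the interface ACLs, so this vpn-filter is the only thing restricting what the client can reach; per the Cisco document linked in the answer, do not also bind the same ACL to an interface with `access-group`.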

7 Replies


Hi Ajay,

Excellent, VPN-Filter combined with a standard ACL for the split tunnel resolved this.

Many thanks,
Daryl

No. For VPN-Filter you must define an extended ACL, as a standard ACL does not support ports.

Please do not forget to rate.

Hi,
I had the same issue. I used the procedure mentioned here. Used both a VPN-filter and split-tunnel. Now all the IPs mentioned in split tunnel are accessible from VPN. Even if I block some IP in VPN-filter, it's still accessible while connected to VPN.
Any idea on that?

I tested this on version 9.9(2)47, and it worked for me. You don't have to define the standard access-list; it must be an extended ACL, with the vpn-filter value condition.

Below is the working configuration of my ASA, which I tested and which worked fine. Adjust it according to your needs. I have tried to provide you with as much information as possible for your reference.

! Group policy: both the vpn-filter and the split-tunnel list point at the
! same extended ACL, INTERNAL2
group-policy GroupPolicy_Preston_Profile internal
group-policy GroupPolicy_Preston_Profile attributes
 wins-server value 208.67.220.220
 dns-server value 208.67.220.220
 vpn-idle-timeout 1
 vpn-filter value INTERNAL2
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value INTERNAL2
 default-domain value king.kong.alive
 anyconnect-custom DeferredUpdateAllowed value def-allowed
 anyconnect-custom DeferredUpdateDismissTimeout value def-timeout
 webvpn
  anyconnect profiles value Preston_Profile_client_profile type user
!
! Extended ACL used for both roles: SSH only, between the client pool
! (192.168.101.0/24) and the single internal host 192.168.185.253, in both directions
access-list INTERNAL2 extended permit tcp 192.168.101.0 255.255.255.0 host 192.168.185.253 eq ssh
access-list INTERNAL2 extended permit tcp host 192.168.185.253 192.168.101.0 255.255.255.0 eq ssh
!
! Client address pool
ip local pool Anyconnect 192.168.101.1-192.168.101.10 mask 255.255.255.0
!
! NAT exemption for traffic to and from the client pool (ANYCONNECT-POOL is a
! network object covering the pool above; its definition was not included in the post)
nat (any,outside) source static any any destination static ANYCONNECT-POOL ANYCONNECT-POOL no-proxy-arp route-lookup
!
! Verified with "show run all sysopt": decrypted VPN traffic bypasses interface ACLs,
! so the vpn-filter is what restricts the client
sysopt connection permit-vpn


Please do not forget to rate.

Hi,

Thanks for your detailed reply. Actually, VPN filter with split tunnel worked.

I tried it just after changing the config, and the previous session was still there, so the VPN-filter ACL was being bypassed.

But an extended ACL as the split tunnel list does not seem to work. My version is 9.8(4).

Regards,

Zobaarul

I tested with 9.9(2)47 and shared my configuration. I have tested it too and it was a success. I shall test it with version 9.8(4) and will get back to you.

Please do not forget to rate.