09-26-2018 03:07 AM
Hello,
I am encountering an issue where, when using an extended ACL as the network list for a VPN policy, the destinations are not appearing in the 'Secured Routes (IPv4)' within the AnyConnect client, and therefore they are being routed outside of the VPN, which does not work as they are internal routes.
The reason I need to use an extended ACL is because I would like to restrict connected clients to particular ports for networks local to the ASA hosting the VPN.
I do have this working for another VPN profile, however the difference is that in the working profile, I am tunneling all networks. In the non-working profile, I need to tunnel only the networks in the ACL, as we need standard external traffic to be excluded from the VPN to prevent wasted bandwidth on our external interfaces.
So my question is, is it possible to use split-tunneling with extended ACL, or is this a limitation on the ASA?
Thanks,
Daryl
09-26-2018 05:54 AM
Hello,
The split tunnel's purpose is to push a reverse route to the client; this won't work with an extended ACL and actually, even if you define it, it won't solve the purpose. If you wish to define the port restriction, you can use vpn-filter:
HTH
AJ
03-15-2020 02:02 PM
No. For vpn-filter you must define an extended ACL, as a standard ACL does not support ports.
03-15-2020 03:23 PM - edited 03-15-2020 03:27 PM
I tested this on version 9.9(2)47, and it worked for me. You don't have to define a standard access-list; it must be an extended ACL with the vpn-filter value condition.
Below is the working configuration of my ASA which I tested, and it worked fine. Adjust it according to your needs. I tried to provide you with as much information as possible for your reference.
group-policy GroupPolicy_Preston_Profile internal
group-policy GroupPolicy_Preston_Profile attributes
 wins-server value 208.67.220.220
 dns-server value 208.67.220.220
 vpn-idle-timeout 1
 vpn-filter value INTERNAL2
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value INTERNAL2
 default-domain value king.kong.alive
 anyconnect-custom DeferredUpdateAllowed value def-allowed
 anyconnect-custom DeferredUpdateDismissTimeout value def-timeout
 webvpn
  anyconnect profiles value Preston_Profile_client_profile type user
!
access-list INTERNAL2 extended permit tcp 192.168.101.0 255.255.255.0 host 192.168.185.253 eq ssh
access-list INTERNAL2 extended permit tcp host 192.168.185.253 192.168.101.0 255.255.255.0 eq ssh
!
ip local pool Anyconnect 192.168.101.1-192.168.101.10 mask 255.255.255.0
!
nat (any,outside) source static any any destination static ANYCONNECT-POOL ANYCONNECT-POOL no-proxy-arp route-lookup
!
show run all sysopt
sysopt connection permit-vpn
03-15-2020 10:11 PM
Hi,
Thanks for your detailed reply. Actually, vpn-filter with split tunnel worked.
I tried it just after changing the config. The previous session was still there, so the vpn-filter ACL was being bypassed.
But an extended ACL as the split tunnel list does not seem to work. My version is 9.8(4).
Regards,
Zobaarul
03-17-2020 10:51 AM
I tested with 9.9(2)47 and shared my configuration. I have tested it too and it was a success. I shall test it with version 9.8(4) and will get back to you.
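The point of the thread is that the two ACL bindings need different ACL types: split-tunnel-network-list needs a standard (network-only) ACL for routes to be pushed to the client, and vpn-filter needs an extended ACL to restrict ports. The lint below is an added example, not code from the thread or from Cisco: it reads an ASA running-config excerpt and flags a group policy whose split-tunnel-network-list points at an extended ACL (the original question) or whose vpn-filter points at a standard ACL. The sample config is constructed from the configuration shared above, and the regexes assume ASA's usual one-space indentation of attribute lines.

```python
import re

# Constructed sample: the thread's config trimmed to the relevant lines (one extended ACL bound to both attributes).
SAMPLE_CONFIG = """\
group-policy GroupPolicy_Preston_Profile internal
group-policy GroupPolicy_Preston_Profile attributes
 vpn-filter value INTERNAL2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value INTERNAL2
access-list INTERNAL2 extended permit tcp 192.168.101.0 255.255.255.0 host 192.168.185.253 eq ssh
access-list INTERNAL2 extended permit tcp host 192.168.185.253 192.168.101.0 255.255.255.0 eq ssh
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(standard|extended)\b")
GP_RE = re.compile(r"^group-policy\s+(\S+)\s+attributes\s*$")
ATTR_RE = re.compile(r"^\s+(vpn-filter|split-tunnel-network-list)\s+value\s+(\S+)")


def acl_types(config):
    """Map each ACL name to the set of entry types (standard/extended) it uses."""
    types = {}
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            types.setdefault(m.group(1), set()).add(m.group(2))
    return types


def check_split_tunnel(config):
    """Return (policy, attribute, acl, reason) tuples for bindings that cannot work as intended."""
    types = acl_types(config)
    findings, policy = [], None
    for line in config.splitlines():
        gp = GP_RE.match(line)
        if gp:
            policy = gp.group(1)
            continue
        if not line.startswith(" "):
            policy = None  # any unindented line ends the attributes block
            continue
        m = ATTR_RE.match(line)
        if not (m and policy):
            continue
        attr, name = m.groups()
        kinds = types.get(name, set())
        if attr == "split-tunnel-network-list" and "extended" in kinds:
            findings.append((policy, attr, name, "extended ACL: no secured routes pushed; use a standard ACL"))
        elif attr == "vpn-filter" and kinds == {"standard"}:
            findings.append((policy, attr, name, "standard ACL cannot match ports; use an extended ACL"))
    return findings
```

Run it against `show running-config` output; a clean result means each binding references an ACL of the type the feature can actually use.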