10-11-2012 07:00 PM
Guys, we have an ASA and the following config is done on it for remote access VPN (client support CCTV):
access-list split_abc extended permit ip object-group sitecamera any
network-object 192.20.98.0 255.255.255.0
network-object 192.70.41.0 255.255.255.0
ip local pool ippool-xyz 10.128.14.129-10.128.14.134
group-policy vpngroup-abc internal
group-policy vpngroup-abc attributes
split-tunnel-network-list value split_abc
username abc password encrypted
tunnel-group vpngroup-abc type ipsec-ra
tunnel-group vpngroup-abc general-attributes
address-pool ippool-xyz
default-group-policy vpngroup-abc
tunnel-group vpngroup-abc ipsec-attributes
There are 20 other clients which support different things, but I can't get my head around the access-list with split-abc... why is it there? The other remote access VPNs don't have this... can someone explain to me what the difference is between split-tunnel-network
What will happen if I remove this ACL, and if this ACL was not there?
Thanks
10-11-2012 07:49 PM
To start with, the split tunnel ACL should be a standard ACL instead of an extended ACL. In your case, it should have been:
access-list split_abc standard permit object-group sitecamera
Plus within the group-policy, you should have the following configured as well:
split-tunnel-policy tunnelspecified
If you don't have split tunnel configured, then everything will be tunneled through the ASA, i.e. all traffic, whether it is destined towards the internet (internet browsing for example) or not, will be routed/tunneled back towards the ASA (encrypted).
However if you have split tunnel configured, only the traffic destined towards the ACL will be routed towards the ASA (encrypted), from your example: only traffic destined towards 192.20.98.0/24 and 192.70.41.0/24 will be encrypted and routed towards the ASA. All other traffic will split and use the local ISP to access the internet.
Hope that answers your question.
10-12-2012 12:34 AM
Thanks for your reply, you are always a great help... but the thing I don't understand is that company ABC is coming via remote access to our ASA and then accessing only 192... why are we having split-tunnel... it means that on their side there will be only interesting traffic, which would be 192... I didn't get the point... in the above scenario company ABC is tunneling into our ASA to connect to 192 addresses which are security cameras.
Thanks
10-12-2012 12:43 AM
Split tunnel means the traffic is being split, so only traffic defined in the ACL will be routed towards the ASA, all other traffic will split directly out to the local internet. By defining split tunnel policy and ACL, you restrict only the traffic in the ACL to get routed towards the ASA, as you don't want everything including the remote users browsing the internet while connected to VPN to get routed towards your ASA as that will use up a lot of your ASA bandwidth.
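To make the routing decision described in the two answers above concrete, here is a small added model (not Cisco code, and not part of the original thread) of how a remote-access client decides, per destination, whether a packet is encrypted towards the ASA or sent straight out the local ISP. It uses the two camera networks from the posted split_abc list and also covers the ASA's third policy value, excludespecified, which the thread does not mention; the destination addresses are constructed samples.

```python
"""Model of an ASA remote-access client's split-tunnel routing decision.
Constructed example built from the forum thread's config; not a Cisco tool."""
import ipaddress

# Networks behind object-group "sitecamera" in the posted split_abc ACL.
SPLIT_ABC = [ipaddress.ip_network(n) for n in ("192.20.98.0/24", "192.70.41.0/24")]


def route_for(dst, policy, acl=SPLIT_ABC):
    """Return 'tunnel' (encrypted to the ASA) or 'local' (straight to the ISP)
    for destination `dst` under the given split-tunnel-policy value."""
    ip = ipaddress.ip_address(dst)
    matched = any(ip in net for net in acl)
    if policy == "tunnelall":           # no split tunnel: everything goes to the ASA
        return "tunnel"
    if policy == "tunnelspecified":     # only ACL destinations go to the ASA
        return "tunnel" if matched else "local"
    if policy == "excludespecified":    # inverse: ACL destinations stay local
        return "local" if matched else "tunnel"
    raise ValueError(f"unknown split-tunnel-policy: {policy}")


def summarize(destinations, policy):
    """Per-destination decision table, handy for comparing policies side by side."""
    return {d: route_for(d, policy) for d in destinations}


if __name__ == "__main__":
    # Constructed sample destinations: two cameras and a public internet host.
    samples = ["192.20.98.10", "192.70.41.7", "8.8.8.8"]
    for pol in ("tunnelall", "tunnelspecified", "excludespecified"):
        print(pol, summarize(samples, pol))
```

With tunnelall the internet host is hairpinned through the ASA and consumes its bandwidth; with tunnelspecified only the two camera subnets are encrypted, which is exactly the effect the split_abc list is there to produce.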