10-30-2009 02:14 PM - edited 02-21-2020 04:22 PM
Hi,
I'm creating a remote access VPN with split tunnel, but I'm using an extended ACL to match a host and port http of the destination, and it is not working.
Scenario
Remote access(10.0.0.122/24) -- internet --- Cisco ASA(inside:192.168.10.1/24) --- ip=192.168.10.6 - C6509 - 10.0.0.254/24 --- host = 10.0.0.31/24
The intriguing thing is that when I enable the service IP, connection or ICMP flows worked. Does anyone have any idea what the problem is? Thanks
Regards
11-02-2009 01:56 PM
Split tunneling doesn't take into account port information you specify in the ACL, it only cares about the ip address/networks you defined.
If you are trying to restrict access to IP and ports you should define your split tunneling with ip addresses only and use a vpn-filter acl in the group-policy to restrict it further to the specific ports you want:
access-list split_acl permit ip
access-list filter_acl permit ip
group-pol
split-tunnel-pol tunnelspecified
split-tunnel-net value split_acl
vpn-filter value filter_acl
-heather
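To make the accepted answer concrete for the poster's scenario, here is an added example configuration (constructed for this thread, not the original poster's or heather's config): the split-tunnel ACL carries only the inside network, because ports in it are ignored, and the HTTP-only restriction to 10.0.0.31 is enforced by the vpn-filter ACL on the group policy. The VPN client pool 192.168.100.0/24 and the names RA_POOL, RA_GP and RA_TG are assumed.

```cisco
! Constructed example, not the original poster's running config.
! Assumed: client address pool 192.168.100.0/24, inside server 10.0.0.31.

! Split-tunnel ACL: only decides which destinations are sent into the
! tunnel. A port qualifier here (e.g. "eq www") has no effect, so use a
! plain network entry.
access-list split_acl standard permit 10.0.0.0 255.255.255.0

! vpn-filter ACL: enforces what the tunnelled traffic is allowed to do.
! ASA convention for remote-access filters: client-pool addresses in the
! source position, local network in the destination position; the ASA
! evaluates return traffic against the same ACL in reverse.
access-list filter_acl extended permit tcp 192.168.100.0 255.255.255.0 host 10.0.0.31 eq www
! Anything else from the pool (other ports, other hosts, ICMP) is
! dropped by the ACL's implicit deny.

ip local pool RA_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

group-policy RA_GP internal
group-policy RA_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_acl
 vpn-filter value filter_acl

tunnel-group RA_TG type remote-access
tunnel-group RA_TG general-attributes
 address-pool RA_POOL
 default-group-policy RA_GP

! Checks once a client is connected: confirm the filter is attached to
! the session and that filter_acl's hit count rises only for HTTP to
! 10.0.0.31 while a ping to the same host is dropped.
! show vpn-sessiondb detail remote
! show access-list filter_acl
```

If the filter should also be tested without the split tunnel interfering, verify from the client that the non-permitted ports to 10.0.0.31 fail while hosts outside 10.0.0.0/24 still go direct.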