Hi,

I have some troubles configuring split-tunneling on ASA 5520.

Here is the scenario:

Number of remote users establish ipsec connection with ASA 5520 (in central office) using ubuntu vpnc-client.

Split-tunneling is in use, to allow remote users to surf Internet using their ISP.

The goal is to remove the possibility to ssh/telnet servers inside corporate LAN for remote users.

Here is a part of config:

group-policy REMOTE_gp internal
group-policy REMOTE_gp attributes
  vpn-idle-timeout none
  vpn-tunnel-protocol IPSec
  group-lock none
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value REMOTE_split

tunnel-group REMOTE type remote-access

tunnel-group REMOTE general-attributes

  authentication-server-group RADIUSGR

  default-group-policy REMOTE_gp

tunnel-group REMOTE ipsec-attributes

  pre-shared-key *

  isakmp keepalive threshold 15 retry 10

aaa-server RADIUSGR protocol radius

aaa-server RADIUSGR (INSIDE_LAN) host 192.168.0.244

access-list REMOTE_split extended deny tcp 192.168.0.0 255.255.255.0 range ssh telnet any

access-list REMOTE_split extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

##192.168.100.0/24 - ip subnetwork where from Radius server allocate ip addresses to remote users##

access-list INSIDE_LAN_in extended deny tcp 192.168.0.0 255.255.255.0 eq ssh 192.168.100.0 255.255.255.0

access-list INSIDE_LAN_in extended deny tcp 192.168.0.0 255.255.255.0 eq telnet 192.168.100.0 255.255.255.0

access-list INSIDE_LAN_in extended permit ip 192.168.0.0 255.255.255.0 any

There is nat enabled on interface, but there is special statement in nat0 ACL for 192.168.100.0 subnetwork

access-list INSIDE_LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

The problem is that remote users can easely ssh and telnet servers in INSIDE_LAN network. Whatever i put in INSIDE_LAN_in ACL, remote users still have full access to this network. Restrictions in REMOTE_split ACL don't work either.