Split tunneling ACL in Easy VPN

dawsonpa
Level 1

Hello,

When looking at the following example:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087d1e.html#1015440

I noticed that the split tunneling ACLs defined under the "crypto isakmp client configuration group cisco" are:

access-list 199 permit ip 192.168.1.0 0.0.0.255 any

access-list 199 permit ip 192.168.3.0 0.0.0.255 any

And the local pool assigned to the client dialing in is fred:

192.168.2.1 192.168.2.10

Is the access-list mentioned above not the incorrect access-list as there is no mention of 192.168.2.1 to 192.168.2.10?

The permit statement should tell the VPN client that only traffic TO 192.168.1.0 and 192.168.3.0 *should* be encrypted and popped into the tunnel. Not all traffic from????

So the correct access list would read:

access-list 199 permit ip any 192.168.1.0 0.0.0.255

access-list 199 permit ip any 192.168.3.0 0.0.0.255

Or am I wrong?

Accepted Solution

afakhan
Level 4

Hi,

This list (mentioned in the doc) would work just fine, though it's better if you use 192.168.2.0 /24 in the destination network to be specific, or specific entries for all those 10 IPs (.1 --> .10).

Thanks,

Afaq


4 Replies

Hi Afaq,

Why would you use 192.168.2.0 /24 in the destination?

My understanding of split tunneling is that the access-list specifies which traffic at the VPN Client should be popped into the tunnel and which access-list should be directed to the intranet gateway (non-vpn)?

So shouldn't 192.168.2.0 /24 be the source as this is the range of addresses specified in the pool which the client will be assigned?

Or does it work like a reverse ACL?

Hi,

Split tunnel list is structured like this:

access-list permit ip

The client installs the source-net of the above access-list as the secure networks, i.e. the split tunnel list, so yes it's kinda a reverse ACL. Remember your crypto ACL is also reversed when it's checked for traffic coming into your IPsec end-point, i.e. the same access-list is used to decrypt traffic as well.

Thanks,

Afaq
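To make the reverse-ACL semantics in Afaq's reply concrete, here is a small Python model (an added example, not code from the thread or from Cisco): it derives the client's secure-network list from the source side of the hub's split-tunnel ACL, and evaluates the same ACL mirrored on the hub side for decrypted packets. The tighter variant with 192.168.2.0/24 as the destination is constructed to illustrate Afaq's suggestion; the parsing helpers are assumptions of this example, not IOS behaviour.

```python
import ipaddress

# Constructed sample input: the split-tunnel ACL from the thread, as typed on the
# Easy VPN server (hub). Source = the networks behind the hub, destination = any.
HUB_SPLIT_ACL = [
    "access-list 199 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 199 permit ip 192.168.3.0 0.0.0.255 any",
]

# Constructed variant of Afaq's suggestion: pin the destination to the client pool's /24.
TIGHT_SPLIT_ACL = [
    "access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 199 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255",
]

ANY = ipaddress.IPv4Network("0.0.0.0/0")

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network (0.0.0.255 -> /24)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # only contiguous wildcards map to a prefix length
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{32 - bin(w).count('1')}", strict=False)

def parse_entry(line):
    """Parse 'access-list N permit ip SRC WILD (any | DST WILD)' into (src_net, dst_net)."""
    p = line.split()
    if p[2] != "permit" or p[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    src = wildcard_to_network(p[4], p[5])
    dst = ANY if p[6] == "any" else wildcard_to_network(p[6], p[7])
    return src, dst

def secure_networks(acl_lines):
    """The client installs the SOURCE side of each entry as its secure-network list."""
    return [parse_entry(line)[0] for line in acl_lines]

def client_tunnels(acl_lines, dst_ip):
    """Client side: a packet goes into the tunnel only if its destination is in a secure network."""
    return any(ipaddress.IPv4Address(dst_ip) in net for net in secure_networks(acl_lines))

def hub_accepts_decrypted(acl_lines, pkt_src, pkt_dst):
    """Hub side: the same ACL is checked mirrored on decrypted packets (packet dst vs ACL src,
    packet src vs ACL dst), which is the 'reverse ACL' behaviour described in the thread."""
    s, d = ipaddress.IPv4Address(pkt_src), ipaddress.IPv4Address(pkt_dst)
    return any(d in src_net and s in dst_net for src_net, dst_net in map(parse_entry, acl_lines))
```

Note that the pool range (192.168.2.x) never needs to appear as a source: with the doc's ACL a client sends traffic for 192.168.1.0/24 and 192.168.3.0/24 into the tunnel and everything else in the clear, while the tightened ACL additionally rejects decrypted packets whose source is outside the pool.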

Thank you for the confirmation.