03-17-2003 12:02 AM - edited 02-21-2020 12:24 PM
Hello,
When looking at the following example:
I noticed that the split tunneling ACLs defined under the "crypto isakmp client configuration group cisco" are:
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip 192.168.3.0 0.0.0.255 any
And the local pool assigned to the client dialing in is fred:
192.168.2.1 192.168.2.10
Is the access-list mentioned above not the incorrect access-list, as there is no mention of 192.168.2.1 to 192.168.2.10?
The permit statement should tell the VPN client that only traffic TO 192.168.1.0 and 192.168.3.0 *should* be encrypted and popped into the tunnel. Not all traffic from????
So the correct access list would read:
access-list 199 permit ip any 192.168.1.0 0.0.0.255
access-list 199 permit ip any 192.168.3.0 0.0.0.255
Or am I wrong?
03-17-2003 12:05 PM
Hi,
This list (mentioned in the doc) would work just fine, though it's better if you use 192.168.2.0/24 in the destination network to be specific, or specific entries for all those 10 IPs (.1 --> .10).
Thanks,
Afaq
03-17-2003 09:43 PM
Hi Afaq,
Why would you use 192.168.2.0 /24 in the destination?
My understanding of split tunneling is that the access-list specifies which traffic at the VPN Client should be popped into the tunnel and which access-list should be directed to the intranet gateway (non-vpn)?
So shouldn't 192.168.2.0 /24 be the source as this is the range of addresses specified in the pool which the client will be assigned?
Or does it work like a reverse ACL?
03-17-2003 11:40 PM
Hi,
The split tunnel list is structured like this:
access-list permit ip
The client installs the source-net of the above access-list as the secure networks, i.e. the split tunnel list, so yes, it's kind of a reverse ACL. Remember your crypto ACL is also reversed when it's checked for traffic coming into your IPsec end-point, i.e. the same access-list is used to decrypt traffic as well.
Thanks,
Afaq
03-18-2003 03:15 AM
Thank you for the confirmation.
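To make the "reverse ACL" behaviour discussed in this thread concrete, here is an added Python simulator (it is not from the Cisco document or from any poster). It parses the three ACL variants that appear above (the document's list, the poster's proposed "any as source" list, and Afaq's suggestion of 192.168.2.0/24 as the destination) and shows, for each, which networks the client would install as secure, what the client would send into the tunnel, and how the head end evaluates the same list forwards for encryption and mirrored for decryption. The IP addresses used for the lookups are constructed for the example; the ACL lines are the ones from the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    number: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network.

    A wildcard mask marks 'don't care' bits with 1s (the inverse of a subnet
    mask). Only contiguous wildcards (0.0.0.255, 0.0.255.255, ...) map to a
    prefix length, so anything else is rejected rather than silently mangled.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard} not supported")
    prefix = 32 - wc.bit_length()
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _take_address(tokens, i):
    """Consume one ACL address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(config_lines):
    """Parse 'access-list N permit ip <src> <dst>' lines; other lines are ignored."""
    entries = []
    for line in config_lines:
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] != "permit" or tok[3] != "ip":
            continue
        src, i = _take_address(tok, 4)
        dst, _ = _take_address(tok, i)
        entries.append(AclEntry(int(tok[1]), src, dst))
    return entries


def secure_networks(entries):
    """What the VPN client installs as 'secure': the SOURCE side of each entry."""
    return {e.src for e in entries}


def client_tunnels(entries, dst_ip):
    """Client-side decision: does traffic to dst_ip go into the tunnel?"""
    addr = ipaddress.IPv4Address(dst_ip)
    return any(addr in net for net in secure_networks(entries))


def hub_permits(entries, src_ip, dst_ip):
    """Forward (encrypt) evaluation on the IPsec head end."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in e.src and d in e.dst for e in entries)


def hub_decrypt_permits(entries, src_ip, dst_ip):
    """Inbound (decrypt) evaluation: the same ACL with source and destination swapped."""
    return hub_permits(entries, dst_ip, src_ip)


# The three lists discussed in the thread.
DOC_ACL = [
    "access-list 199 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 199 permit ip 192.168.3.0 0.0.0.255 any",
]
PROPOSED_ACL = [
    "access-list 199 permit ip any 192.168.1.0 0.0.0.255",
    "access-list 199 permit ip any 192.168.3.0 0.0.0.255",
]
RECOMMENDED_ACL = [
    "access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 199 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255",
]

if __name__ == "__main__":
    # Constructed sample addresses: a client from pool 'fred' and an internal host.
    client, internal, internet = "192.168.2.5", "192.168.1.7", "8.8.8.8"
    for name, acl in (("doc", DOC_ACL), ("proposed", PROPOSED_ACL), ("recommended", RECOMMENDED_ACL)):
        e = parse_acl(acl)
        print(f"{name}: secure networks = {sorted(map(str, secure_networks(e)))}")
        print(f"  client -> {internal} tunneled: {client_tunnels(e, internal)}")
        print(f"  client -> {internet} tunneled: {client_tunnels(e, internet)}")
        print(f"  hub encrypt {internal}->{client}: {hub_permits(e, internal, client)}")
        print(f"  hub decrypt {client}->{internal}: {hub_decrypt_permits(e, client, internal)}")
```

Running it shows the point Afaq makes: with the document's list the client installs 192.168.1.0/24 and 192.168.3.0/24 as secure routes and leaves Internet traffic outside the tunnel, whereas the proposed "any"-as-source list would have the client install 0.0.0.0/0 and tunnel everything. The recommended variant keeps the same client behaviour but restricts the head end to the pool range on the destination side.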