07-30-2007 08:14 AM
Hi everyone, I'm in need of some clarification regarding a split-tunnel/acl situation that has arisen.
I want to give the user the secured route of 192.168.0.0/16 when he VPNs to the ASA5510.
The user, on the other hand, has 192.168.1.0/24 as his home network, and will lose his local LAN access when VPNing?
I can't exclude the 192.168.1.0/24 range in my ASA5510 ACL just for this user.
What do I do? (The user can't change his internal network.) Do I tell him 'tough luck', or what? :)
Thanks
07-30-2007 09:45 AM
You could allow local lan access.
access-list Local_LAN_Access standard permit host 0.0.0.0
group-policy vpn attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
Also check "Allow local LAN" on the client config. Using host 0.0.0.0 in the ACL will exclude whichever local subnet the VPN user is on. The user would of course lose any access to 192.168.1.x on the remote LAN.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml
Please rate helpful posts.
07-31-2007 03:26 AM
Hi and thanks for the answer
a small follow up question:
Can you exclude the user's internet also with a similar command?
And "Also check "Allow local LAN" on the client config" - does this really affect anything? I have been trying around with it but don't notice any changes?
Thanks a lot
07-31-2007 04:39 AM
"Can you exclude the user's internet also with a similar command?"
-By this do you mean you want them to have internet access locally? If so, yes you can create the following, if you only want to tunnel to 10.0.1.0...
access-list Split_Tunnel_List standard permit 10.0.1.0 255.255.255.0
group-policy vpn attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
"And "Also check "Allow local LAN" on the client config" - does this really affect anything? I have been trying around with it but don't notice any changes?"
-If you have created the "excludespecified" split-tunnel-policy to have local LAN access, you need to also check the box on the VPN client for it to work.
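The two replies above describe three ways the group-policy can route a given destination: tunnelspecified (only the listed networks enter the tunnel), excludespecified with host 0.0.0.0 (the client's own subnet stays local, everything else enters the tunnel), and the same ASA config with the client's "Allow Local LAN Access" box left unchecked. The script below is an added example, not code from this thread or from Cisco; it models that per-destination decision so the overlap between the corporate 192.168.0.0/16 and the user's home 192.168.1.0/24 can be seen side by side. It assumes one mode per group-policy (as the `split-tunnel-policy` command takes a single value), treats the host 0.0.0.0 entry as "the client's local subnet" only in excludespecified mode, and uses constructed addresses: 192.168.5.20 for a corporate host, 192.168.1.50 for a device on the home LAN, and 198.51.100.7 (a documentation-range address) standing in for an Internet host.

```python
# Added example (not from the thread): a small model of how an ASA-style
# split-tunnel policy decides, per destination, whether a packet enters the
# VPN tunnel ("tunnel") or stays on the client's local network ("clear").
import ipaddress
from typing import Dict, Iterable, Optional

POLICIES = ("tunnelall", "tunnelspecified", "excludespecified")


def route_decision(policy: str, acl: Iterable[str], dst: str,
                   local_subnet: Optional[str] = None,
                   allow_local_lan: bool = False) -> str:
    """Return 'tunnel' or 'clear' for destination `dst`.

    policy        one of tunnelall / tunnelspecified / excludespecified
    acl           the split-tunnel-network-list as CIDR strings
    local_subnet  the client's own LAN; it stands in for 'host 0.0.0.0' in an
                  excludespecified list when the client has 'Allow Local LAN
                  Access' checked (model simplification: in any other mode the
                  0.0.0.0 entry is ignored)
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown split-tunnel-policy {policy!r}")
    if policy == "tunnelall":
        return "tunnel"          # the list is irrelevant: everything is tunnelled
    dst_ip = ipaddress.ip_address(dst)
    nets = []
    for entry in acl:
        if entry == "0.0.0.0/32":     # 'access-list ... permit host 0.0.0.0'
            if policy == "excludespecified" and allow_local_lan and local_subnet:
                nets.append(ipaddress.ip_network(local_subnet, strict=False))
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    matched = any(dst_ip in net for net in nets)
    if policy == "tunnelspecified":
        return "tunnel" if matched else "clear"
    return "clear" if matched else "tunnel"   # excludespecified


# Constructed addresses for the thread's situation: the corporate
# 192.168.0.0/16 overlaps the user's home 192.168.1.0/24.
HOME_LAN = "192.168.1.0/24"
CORP_HOST = "192.168.5.20"      # corporate host outside the overlapping /24
HOME_HOST = "192.168.1.50"      # home device; a corporate 192.168.1.x host looks identical
INTERNET_HOST = "198.51.100.7"  # documentation-range address standing in for the Internet
DESTS = (CORP_HOST, HOME_HOST, INTERNET_HOST)


def thread_scenarios() -> Dict[str, Dict[str, str]]:
    """Evaluate the three configurations discussed in the thread."""
    out: Dict[str, Dict[str, str]] = {}
    # Original poster: tunnelspecified with the whole /16 secured.
    out["tunnelspecified /16"] = {
        d: route_decision("tunnelspecified", ["192.168.0.0/16"], d, HOME_LAN, True)
        for d in DESTS}
    # First reply: excludespecified + host 0.0.0.0, client box checked.
    out["excludespecified local LAN, box checked"] = {
        d: route_decision("excludespecified", ["0.0.0.0/32"], d, HOME_LAN, True)
        for d in DESTS}
    # Same ASA config, but 'Allow Local LAN Access' left unchecked on the client.
    out["excludespecified local LAN, box unchecked"] = {
        d: route_decision("excludespecified", ["0.0.0.0/32"], d, HOME_LAN, False)
        for d in DESTS}
    return out


if __name__ == "__main__":
    for name, table in thread_scenarios().items():
        print(name)
        for d, verdict in table.items():
            print(f"  {d:>14} -> {verdict}")
```

Reading the output row by row: under tunnelspecified the home device 192.168.1.50 is tunnelled (the home LAN is lost) while the Internet host stays local; under excludespecified with local LAN access the home device stays local, the Internet host now goes through the tunnel, and any corporate host in 192.168.1.x is unreachable because it is indistinguishable from the home subnet; with the client box unchecked the exclusion never takes effect and everything is tunnelled. The practitioner's caveat for the excludespecified case: while the tunnel is up, the client is simultaneously on its home LAN in the clear and on the corporate network, so the corporate side should treat that endpoint as bridging two networks.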
07-31-2007 07:08 AM
Hi, I think I misled you with my former question.
What I meant was: can I exclude the user's home network + internet at the same time?
As in 192.168.1.0/24 + his own internet? And still give him the secure routes of 192.168.0.0/16 at the same time?
I understand the difference between exclude and tunnelspecified, but you can't combine them at the same time? A bit confusing :)
thanks for the help!