Stop split tunnel for only one user

alkabeer80
Level 1

Hi, I have a Cisco ASA 5540; users access the VPN through AnyConnect. I have applied split tunnel so that all traffic to the internal network (10.0.0.0) goes through the tunnel and other traffic goes through the internet. Working fine.

I want to fully tunnel one user so that all his traffic goes through the tunnel. What is the best way to do it? Is there any guide (step by step)?

Thanks

3 Replies

Jouni Forss
VIP Alumni

Hi,

Well, there is at least one way, but this would require that the VPN client usernames are configured on the ASA and not on a separate AAA server.

So basically at the moment you have "tunnel-group", "group-policy" and "username" configurations for all the users, and those configurations are done so that all users use Split Tunnel, which is configured under the "group-policy" that all the users share.

So to change the settings for a single user you can do the following:

  • Create a new "group-policy" on the ASA that is mostly identical to the one you already have for all of the users
  • In this new "group-policy", instead of configuring Split Tunnel, configure it as Full Tunnel
  • Lock the "group-policy" to the "tunnel-group" used
  • Configure a new "username" for that user (or use an existing one)
  • Under the configurations of that "username", attach the new "group-policy"
  • Lock this "username" also to the "tunnel-group"

When you connect with the new "username" that is using the newly created "group-policy", he/she will use Full Tunnel and everyone else will still keep on using their original "group-policy" configurations.

I only quickly tested this with the old IPsec VPN Client, but it should be usable with AnyConnect also.

Here are some sample configurations. These naturally don't reflect a real-life situation, but are just an example configuration related to using Split Tunnel or Full Tunnel.

VPN Pool

ip local pool TEST 10.100.100.1-10.100.100.10 mask 255.255.255.0

Split Tunnel ACL

access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0

Original Group Policy

group-policy TEST internal
group-policy TEST attributes
 vpn-tunnel-protocol ikev1
 group-lock value TEST
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

Tunnel Group

tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
 address-pool TEST
 default-group-policy TEST
tunnel-group TEST ipsec-attributes
 ikev1 pre-shared-key *****

Typical Username Configuration

username test password TaXO5ggjuKP7lCEW encrypted privilege 0
username test attributes
 vpn-group-policy TEST
 group-lock value TEST
 service-type remote-access

User Specific Group Policy

group-policy FULL-TUNNEL internal
group-policy FULL-TUNNEL attributes
 group-lock value TEST
 split-tunnel-policy tunnelall
 address-pools value TEST

New Username using Full Tunnel

username test2 password Gd7DkJmlJsKzP4fc encrypted privilege 0
username test2 attributes
 vpn-group-policy FULL-TUNNEL
 group-lock value TEST
 service-type remote-access

As I said, the above configurations lack many basic settings like DNS servers, NAT configurations, etc.

Hopefully this helps

Please remember to rate and/or mark the question as answered if it did.

Naturally ask more if needed

- Jouni

Hi JouniForss,

Thanks for your reply. Users are authenticated through AD and ACS; I have no problem creating a local user for full tunnel.

But how will I attach the local user to the group policy? (I mean, how will the traffic flow if I have a group authenticated through AD and a local user? How does authentication happen?)

Thanks

If you are authenticating your users against your AD via LDAP, you can create an LDAP attribute map that will direct users to specific group policies.  So for example, if a user is a member of the VPN-SPLIT-TUNNEL security group in AD, then they would get directed to use the group policy that allows for split tunneling.  On the other hand, if another user is a member of the VPN-TUNNEL-EVERYTHING security group in AD, that user would be directed to the group policy that tunnels all networks.

Matt
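The LDAP attribute map Matt describes, written out as an added example (this is not configuration from Matt's reply or from Cisco documentation). It assumes an AD domain example.com, an LDAP server at 10.0.0.5, a bind account asa-ldap, the two AD security groups named in Matt's reply, and the group-policy names TEST and FULL-TUNNEL from the sample configuration earlier in this thread.

```cisco
! Added example: map AD group membership onto an ASA group-policy.
! Assumed values: domain example.com, LDAP server 10.0.0.5, bind account asa-ldap,
! AD groups VPN-SPLIT-TUNNEL and VPN-TUNNEL-EVERYTHING; TEST and FULL-TUNNEL are
! the group-policies from the sample configuration above.

! 1. Catch-all policy for AD users that match neither group. Zero simultaneous
!    logins means such a user authenticates but cannot bring up a session.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! 2. Translate the AD memberOf attribute into the ASA Group-Policy attribute.
!    map-value compares the full distinguished name, so it must match AD exactly.
!    Only one Group-Policy value is applied per user, so keep the two AD groups
!    mutually exclusive rather than relying on which membership is matched first.
ldap attribute-map AD-GROUP-TO-POLICY
 map-name memberOf Group-Policy
 map-value memberOf CN=VPN-SPLIT-TUNNEL,OU=Groups,DC=example,DC=com TEST
 map-value memberOf CN=VPN-TUNNEL-EVERYTHING,OU=Groups,DC=example,DC=com FULL-TUNNEL

! 3. LDAP server group; the attribute map is attached to each host entry.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-ldap,OU=ServiceAccounts,DC=example,DC=com
 ldap-login-password *****
 server-type microsoft
 ldap-attribute-map AD-GROUP-TO-POLICY

! 4. The existing tunnel group authenticates against AD; default-group-policy is
!    what a user receives when the map returns no Group-Policy value at all.
tunnel-group TEST general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
```

To confirm the mapping during a test login, "debug ldap 255" prints the attribute-map evaluation including the Group-Policy value that was selected, and "show vpn-sessiondb anyconnect" lists the group policy each active session actually received.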