Hi Joe,
First, to split-tunnel, you require an extended ACL.
Secondly, can you be a bit more informative with the topology please? Are you
terminating the SSL on the outside? But the split tunnelled networks sit on
the "inside" of the ASA? I haven't worked this one out from your post.
Below is an example:
access-list SPLIT_TUNNEL extended permit ip 132.1.0.0 255.255.0.0 any
access-list SPLIT_TUNNEL extended permit ip 150.1.0.0 255.255.0.0 any
This would basically funnel these networks through the tunnel. Everything
else does NOT go through the tunnel. If you do not specify an ACL, then
everything goes through the tunnel. You do not put deny statements in the
ACL (to exclude networks via the tunnel).
Thanks,
Sadiq
On Tue, Sep 6, 2011 at 1:47 PM, Joe Astorino <joeastorino1982_at_gmail.com> wrote:
> Hey guys! I think the answer to this question is "no" based on the research
> I've done, but being that I am not an ASA expert (yet), I thought I would
> ask if anybody knows a solution to this problem.
>
> The problem: I have an SSL VPN connection set up at home. When I am VPN'd in
> I actually want internet tunneled through the ASA. I want to tunnel traffic
> to the LAN 10.1.0.0/16 as well as all internet access through the ASA while
> at the same time NOT tunneling traffic to other internal IP addresses. So
> logically, it would be something like
>
> access-list 1 standard permit 10.1.0.0 255.255.0.0
> access-list 1 standard deny 10.0.0.0 255.0.0.0
> access-list 1 standard deny 172.16.0.0 255.240.0.0
> access-list 1 standard deny 192.168.0.0 255.255.0.0
> access-list 1 standard permit any
>
> I don't think deny is a valid option in the ACL though. Any way to
> accomplish that?
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> Blog: http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
--
CCIEx2 (R&S|Sec) #19963

Received on Tue Sep 06 2011 - 14:01:43 ART
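Added example, not part of the original thread or written by either poster: a Python sketch that rewrites the permit/deny logic from the question as a permit-only list, which is the only form the reply says a split-tunnel ACL can take. The function names are hypothetical, the ACL line format is copied from the reply above, and whether the ASA or the VPN client accepts a list of this size is an assumption that is not verified here.

```python
import ipaddress

def permit_only_networks(tunnel_inside, bypass_blocks):
    """Permit-only equivalent of: permit tunnel_inside, deny bypass_blocks, permit any."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for block in bypass_blocks:
        kept = []
        for net in remaining:
            if block.subnet_of(net):
                # Carve the bypassed block out, keeping the surrounding pieces.
                kept.extend(net.address_exclude(block))
            elif not net.subnet_of(block):
                kept.append(net)  # disjoint from the block, keep untouched
        remaining = kept
    # The inside LAN was listed first in the question, so it overrides the denies.
    remaining.extend(tunnel_inside)
    return sorted(ipaddress.collapse_addresses(remaining))

def is_tunneled(dest, networks):
    """True if the destination matches a permit line, i.e. goes through the tunnel."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in networks)

def acl_lines(networks, name="SPLIT_TUNNEL"):
    """Render the networks in the extended-ACL format used in the reply."""
    return [f"access-list {name} extended permit ip "
            f"{net.network_address} {net.netmask} any" for net in networks]

# Networks taken from the question's ACL.
LAN = [ipaddress.ip_network("10.1.0.0/16")]
BYPASS = [ipaddress.ip_network(n)
          for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NETWORKS = permit_only_networks(LAN, BYPASS)

if __name__ == "__main__":
    print("\n".join(acl_lines(NETWORKS)))
    # Constructed sample destinations, for illustration only.
    for dest in ("10.1.5.9", "10.2.0.1", "172.16.4.4", "198.51.100.7"):
        print(dest, "tunneled" if is_tunneled(dest, NETWORKS) else "bypasses tunnel")
```

The three denied blocks expand into 31 permit entries plus the 10.1.0.0/16 LAN, which shows the cost of expressing an exclusion with permit statements alone.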
This archive was generated by hypermail 2.2.0 : Sat Oct 01 2011 - 07:26:25 ART