Re: OT: ASA Split-Tunnels

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Tue, 6 Sep 2011 14:13:35 +0100

Right, you are right - my memory must be getting foggy on it. Thanks!

On Tue, Sep 6, 2011 at 2:06 PM, Timothy Chin <tim_at_1csol.com> wrote:

> I don't think an extended ACL is required for split tunnels. I've
> configured them using standard ACLs with no problems.
>
> Timothy Chin
> CCIE #23866
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Sadiq Yakasai
> Sent: Tuesday, September 06, 2011 9:02 AM
> To: Joe Astorino
> Cc: Cisco certification
> Subject: Re: OT: ASA Split-Tunnels
>
> Hi Joe,
>
> First, to split-tunnel, you require an extended ACL.
>
> Secondly, can you be a bit more informative with the topology please? Are you
> terminating the SSL on the outside? But the split-tunnelled networks sit on
> the "inside" of the ASA? I haven't worked this one out from your post.
>
> Below is an example:
>
> access-list SPLIT_TUNNEL extended permit ip 132.1.0.0 255.255.0.0 any
> access-list SPLIT_TUNNEL extended permit ip 150.1.0.0 255.255.0.0 any
>
> This would basically funnel these networks through the tunnel. Everything
> else does NOT go through the tunnel. If you do not specify an ACL, then
> everything goes through the tunnel. You do not put deny statements in the
> ACL (to exclude networks via the tunnel).
>
> Thanks,
> Sadiq
>
>
>
> On Tue, Sep 6, 2011 at 1:47 PM, Joe Astorino <joeastorino1982_at_gmail.com> wrote:
>
> > Hey guys! I think the answer to this question is "no" based on the research
> > I've done, but being that I am not an ASA expert (yet), I thought I would
> > ask if anybody knows a solution to this problem.
> >
> > The problem: I have an SSL VPN connection set up at home. When I am VPN'd in
> > I actually want internet tunneled through the ASA. I want to tunnel traffic
> > to the LAN 10.1.0.0/16 as well as all internet access through the ASA while
> > at the same time NOT tunneling traffic to other internal IP addresses. So
> > logically, it would be something like
> >
> > access-list 1 standard permit 10.1.0.0 255.255.0.0
> > access-list 1 standard deny 10.0.0.0 255.0.0.0
> > access-list 1 standard deny 172.16.0.0 255.240.0.0
> > access-list 1 standard deny 192.168.0.0 255.255.0.0
> > access-list 1 standard permit any
> >
> > I don't think deny is a valid option in the ACL though. Any way to
> > accomplish that?
> >
> > --
> > Regards,
> >
> > Joe Astorino
> > CCIE #24347
> > Blog: http://astorinonetworks.com
> >
> > "He not busy being born is busy dying" - Dylan
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> CCIEx2 (R&S|Sec) #19963
>

-- 
CCIEx2 (R&S|Sec) #19963
Received on Tue Sep 06 2011 - 14:13:35 ART

This archive was generated by hypermail 2.2.0 : Sat Oct 01 2011 - 07:26:25 ART
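An added example, not from anyone in the thread: a small Python helper that takes Joe's ordered permit/deny wish list (first match wins, as he wrote it) and rewrites it as the permit-only entries Sadiq describes, by carving the denied ranges out of the broader permits with the standard library's `ipaddress` module. The `INTENT` list, the function names and the `SPLIT_TUNNEL` ACL name are my own constructions for illustration.

```python
import ipaddress

# Constructed from Joe's ordered wish list in the thread: first match wins.
INTENT = [
    ("permit", "10.1.0.0/16"),
    ("deny", "10.0.0.0/8"),
    ("deny", "172.16.0.0/12"),
    ("deny", "192.168.0.0/16"),
    ("permit", "0.0.0.0/0"),
]

def _subtract(pieces, hole):
    """Remove `hole` from every prefix in `pieces`, splitting where needed."""
    out = []
    for p in pieces:
        if p.subnet_of(hole):       # entirely inside the hole: drop it
            continue
        if hole.subnet_of(p):       # hole inside p: carve it out
            out.extend(p.address_exclude(hole))
        else:                       # disjoint: keep unchanged
            out.append(p)
    return out

def permit_only(intent):
    """Rewrite an ordered first-match permit/deny list as disjoint permit
    prefixes with identical reachability: the permit-only form the thread
    says a split-tunnel ACL must have (no deny lines)."""
    permits, earlier = [], []
    for action, prefix in intent:
        pieces = [ipaddress.ip_network(prefix)]
        for seen in earlier:        # earlier entries already claimed these
            pieces = _subtract(pieces, seen)
        if action == "permit":
            permits.extend(pieces)
        earlier.append(ipaddress.ip_network(prefix))
    return sorted(permits)

def is_tunneled(dst, permits):
    """True if dst matches a permit entry and so goes through the tunnel."""
    addr = ipaddress.ip_address(dst)
    return any(addr in p for p in permits)

def render_acl(name, permits):
    """ASA standard-ACL lines (network + mask), permit entries only."""
    return [f"access-list {name} standard permit {p.network_address} {p.netmask}"
            for p in permits]
```

Running `render_acl("SPLIT_TUNNEL", permit_only(INTENT))` prints the permit-only list: 10.1.0.0/16 stays tunneled while the rest of 10.0.0.0/8 and the other two private ranges are left off the tunnel, with no deny statement anywhere.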