Re: OT: ASA Split-Tunnels

From: Joe Astorino <joeastorino1982_at_gmail.com>
Date: Tue, 6 Sep 2011 09:14:57 -0400

Yes, you can configure with extended ACL but only the first part (source) is
taken into account : )

Anyways, anybody know if it is possible to accomplish this goal of denying
some networks but allowing others?

On Tue, Sep 6, 2011 at 9:13 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:

> Right, you are right - my memory must be getting foggy on it. Thanks!
>
> On Tue, Sep 6, 2011 at 2:06 PM, Timothy Chin <tim_at_1csol.com> wrote:
>
>> I don't think an extended ACL is required for split tunnels. I've
>> configured them using standard ACLs with no problems.
>>
>> Timothy Chin
>> CCIE #23866
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Sadiq Yakasai
>> Sent: Tuesday, September 06, 2011 9:02 AM
>> To: Joe Astorino
>> Cc: Cisco certification
>> Subject: Re: OT: ASA Split-Tunnels
>>
>> Hi Joe,
>>
>> First, to split-tunnel, you require an extended ACL.
>>
>> Secondly, can you be a bit more informative with the topology please? Are
>> you terminating the SSL on the outside, but the split-tunnelled networks sit
>> on the "inside" of the ASA? I haven't worked this one out from your post.
>>
>> Below is an example:
>>
>> access-list SPLIT_TUNNEL extended permit ip 132.1.0.0 255.255.0.0 any
>> access-list SPLIT_TUNNEL extended permit ip 150.1.0.0 255.255.0.0 any
>>
>> This would basically funnel these networks through the tunnel. Everything
>> else does NOT go through the tunnel. If you do not specify an ACL, then
>> everything goes through the tunnel. You do not put deny statements in the
>> ACL (to exclude networks via the tunnel).
>>
>> Thanks,
>> Sadiq
>>
>> On Tue, Sep 6, 2011 at 1:47 PM, Joe Astorino
>> <joeastorino1982_at_gmail.com> wrote:
>>
>> > Hey guys! I think the answer to this question is "no" based on the
>> > research I've done, but being that I am not an ASA expert (yet), I
>> > thought I would ask if anybody knows a solution to this problem.
>> >
>> > The problem: I have an SSL VPN connection set up at home. When I am
>> > VPN in I actually want internet tunneled through the ASA. I want to
>> > tunnel traffic to the LAN 10.1.0.0/16 as well as all internet access
>> > through the ASA while at the same time NOT tunneling traffic to other
>> > internal IP addresses. So logically, it would be something like
>> >
>> > access-list 1 standard permit 10.1.0.0 255.255.0.0
>> > access-list 1 standard deny 10.0.0.0 255.0.0.0
>> > access-list 1 standard deny 172.16.0.0 255.240.0.0
>> > access-list 1 standard deny 192.168.0.0 255.255.0.0
>> > access-list 1 standard permit any
>> >
>> > I don't think deny is a valid option in the ACL though. Any way to
>> > accomplish that?
>> >
>> > --
>> > Regards,
>> >
>> > Joe Astorino
>> > CCIE #24347
>> > Blog: http://astorinonetworks.com
>> >
>> > "He not busy being born is busy dying" - Dylan
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>>
>> --
>> CCIEx2 (R&S|Sec) #19963
>>
>
> --
> CCIEx2 (R&S|Sec) #19963
>

-- 
Regards,
Joe Astorino
CCIE #24347
Blog: http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
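The permit-only equivalent of the ACL Joe sketched (tunnel 10.1.0.0/16 and all internet, keep the rest of the private ranges local), as an added example that is not part of any message in this thread: because the split-tunnel ACL honours permit entries only, each intended "deny" is rewritten as permits for everything that remains after subtracting that network from 0.0.0.0/0. It assumes Python's ipaddress module and uses SPLIT_TUNNEL as a placeholder ACL name.

```python
import ipaddress

# Joe's intent from the thread: tunnel 10.1.0.0/16 and all internet access,
# but keep the rest of RFC 1918 space out of the tunnel.
EXCLUDE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
INCLUDE = ["10.1.0.0/16"]


def permit_only_split_tunnel(include, exclude):
    """Compute the permit-only prefix list that tunnels everything except
    `exclude`, then re-adds `include`.  The split-tunnel ACL honours permit
    entries only, so 'deny X' becomes 'permit (everything minus X)'."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in map(ipaddress.ip_network, exclude):
        carved = []
        for net in remaining:
            if ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))  # split net around ex
            elif not net.subnet_of(ex):
                carved.append(net)                      # untouched by ex
            # else: net lies entirely inside ex and is dropped
        remaining = carved
    return sorted(set(remaining) | set(map(ipaddress.ip_network, include)))


def asa_acl_lines(name, nets):
    """Render the prefixes as ASA standard ACL permit entries."""
    return [f"access-list {name} standard permit {n.network_address} {n.netmask}"
            for n in nets]


def is_tunneled(addr, nets):
    """True if the permit-only split-tunnel ACL matches addr."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    nets = permit_only_split_tunnel(INCLUDE, EXCLUDE)
    for line in asa_acl_lines("SPLIT_TUNNEL", nets):  # placeholder ACL name
        print(line)
    for probe in ("10.1.2.3", "10.2.3.4", "172.16.5.5", "192.168.1.1", "8.8.8.8"):
        print(probe, "tunneled" if is_tunneled(probe, nets) else "local")
```

The five-line ACL from the thread becomes 32 permit entries: 10.1.0.0/16 on its own, plus 31 prefixes that together cover every address outside 10/8, 172.16/12 and 192.168/16.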
Received on Tue Sep 06 2011 - 09:14:57 ART

This archive was generated by hypermail 2.2.0 : Sat Oct 01 2011 - 07:26:25 ART