Re: OT: ASA Split-Tunnels

From: Joe Astorino <joeastorino1982_at_gmail.com>
Date: Tue, 6 Sep 2011 09:04:26 -0400

Every example I have seen actually says the ACL should be a standard ACL.
See
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2

The topology is simple. The ASA has a connection to the internet on the
outside where SSL VPN is terminated. On the inside, is 10.1.0.0/16. When I
access the VPN remotely, I would like to tunnel traffic destined to
10.1.0.0/16 and the internet but NOT any other RFC1918 address space.

On Tue, Sep 6, 2011 at 9:01 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:

> Hi Joe,
>
> First, to split-tunnel, you require an extended ACL.
>
> Secondly, can you be a bit more informative with the topology please? Are
> you terminating the SSL on the outside, but the split-tunnelled networks sit
> on the "inside" of the ASA? I haven't worked this one out from your post.
>
> Below is an example:
>
> access-list SPLIT_TUNNEL extended permit ip 132.1.0.0 255.255.0.0 any
> access-list SPLIT_TUNNEL extended permit ip 150.1.0.0 255.255.0.0 any
>
> This would basically funnel these networks through the tunnel. Everything
> else does NOT go through the tunnel. If you do not specify an ACL, then
> everything goes through the tunnel. You do not put deny statements in the
> ACL (to exclude networks via the tunnel).
>
> Thanks,
> Sadiq
>
> On Tue, Sep 6, 2011 at 1:47 PM, Joe Astorino <joeastorino1982_at_gmail.com> wrote:
>
>> Hey guys! I think the answer to this question is "no" based on the
>> research I've done, but being that I am not an ASA expert (yet), I thought
>> I would ask if anybody knows a solution to this problem.
>>
>> The problem: I have an SSL VPN connection set up at home. When I am VPN in
>> I actually want internet tunneled through the ASA. I want to tunnel traffic
>> to the LAN 10.1.0.0/16 as well as all internet access through the ASA while
>> at the same time NOT tunneling traffic to other internal IP addresses. So
>> logically, it would be something like
>>
>> access-list 1 standard permit 10.1.0.0 255.255.0.0
>> access-list 1 standard deny 10.0.0.0 255.0.0.0
>> access-list 1 standard deny 172.16.0.0 255.240.0.0
>> access-list 1 standard deny 192.168.0.0 255.255.0.0
>> access-list 1 standard permit any
>>
>> I don't think deny is a valid option in the ACL though. Any way to
>> accomplish that?
>>
>> --
>> Regards,
>>
>> Joe Astorino
>> CCIE #24347
>> Blog: http://astorinonetworks.com
>>
>> "He not busy being born is busy dying" - Dylan
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> CCIEx2 (R&S|Sec) #19963
>

-- 
Regards,
Joe Astorino
CCIE #24347
Blog: http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
Blogs and organic groups at http://www.ccie.net
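The permit-only behaviour Sadiq describes, and a way to express Joe's intended policy without deny lines, as an added Python example that is not part of the thread (the function names and the sample destinations are constructed; the ACL rendering follows the `extended permit ip ... any` form from Sadiq's reply):

```python
import ipaddress
from typing import Iterable, List

# Constructed example (not from the thread): a Cisco ASA split-tunnel ACL is an
# inclusion list. Only destinations matching a permit entry go through the tunnel;
# deny entries carry no meaning there, so "everything except X" has to be written
# as the set of permitted prefixes that make up the complement of X.

IPV4_ALL = ipaddress.ip_network("0.0.0.0/0")


def permit_only_equivalent(include: Iterable[str], exclude: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Permit-only prefix list equivalent to 'permit <include>, deny <exclude>, permit any'.

    Starts from 0.0.0.0/0, carves out every excluded block, then adds back the
    included networks (which may sit inside an excluded block, as 10.1.0.0/16 sits
    inside 10.0.0.0/8).
    """
    remaining = [IPV4_ALL]
    for ex in (ipaddress.ip_network(e) for e in exclude):
        carved = []
        for net in remaining:
            if ex.subnet_of(net):            # ex inside net: keep the parts of net around ex
                carved.extend(net.address_exclude(ex))
            elif not net.subnet_of(ex):      # disjoint: keep; net inside ex: drop
                carved.append(net)
        remaining = carved
    remaining.extend(ipaddress.ip_network(i) for i in include)
    return sorted(ipaddress.collapse_addresses(remaining))


def is_tunneled(dst: str, permits: Iterable[ipaddress.IPv4Network]) -> bool:
    """Split-tunnel decision: tunneled iff some permit entry covers the destination."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in permits)


def as_asa_acl(name: str, permits: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Render the prefixes as extended ACL lines in the form used in Sadiq's reply."""
    return [f"access-list {name} extended permit ip {n.network_address} {n.netmask} any"
            for n in permits]


if __name__ == "__main__":
    # Joe's intended policy: tunnel 10.1.0.0/16 and the internet, not the rest of RFC1918.
    permits = permit_only_equivalent(
        include=["10.1.0.0/16"],
        exclude=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
    for line in as_asa_acl("SPLIT_TUNNEL", permits):
        print(line)
    for dst in ("10.1.5.5", "10.2.0.1", "172.16.3.4", "8.8.8.8"):
        print(dst, "tunneled" if is_tunneled(dst, permits) else "direct")
```

The resulting list is long because the complement of three RFC1918 blocks does not collapse into a few prefixes, which is the practical cost of a permit-only ACL.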
Received on Tue Sep 06 2011 - 09:04:26 ART