Re: OT: ASA Split-Tunnels

From: Brad Edgeworth <edgie512_at_gmail.com>
Date: Tue, 6 Sep 2011 08:49:27 -0500

Joe, that is correct... I used to do the same thing to allow me to keep a
VPN connection up to my home network (while at work) and still access work
resources (& bypass corporate Internet proxies...) :-)

Here is a snippet of relevant config on my Home ASA.

group-policy GP_SVC_SPLIT_EXCEPT attributes
 banner value This is SPLIT-TUNNELLED-EXCEPT.
 split-tunnel-policy excludespecified
 split-tunnel-network-list value ANYCONNECT_SPLITTUNNEL_EXCEPT

access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.0.0.0 255.0.0.0

My corporate space was 10.0.0.0/8 & my home space was 192.168.0.0/16

-Brad
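A small Python model of the split-tunnel decision discussed in this thread, added here as an example (it is not part of Brad's message and is not Cisco code). It parses the standard and extended access-list lines quoted above into networks, rejects deny entries the way the thread says the ASA does, and evaluates a destination address under the split-tunnel-policy keywords tunnelall, tunnelspecified and excludespecified (only excludespecified appears on this page; the other two are assumed from the ASA CLI). The destination addresses fed to it are constructed samples.

```python
import ipaddress
import re
from typing import List

# Two line shapes seen in the thread: a standard ACL entry
#   access-list NAME standard permit 10.0.0.0 255.0.0.0
# and an extended entry whose destination is "any"
#   access-list NAME extended permit ip 132.1.0.0 255.255.0.0 any
_NET = r"(?P<net>any|\d+\.\d+\.\d+\.\d+)(?:\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?"
STANDARD_LINE = re.compile(
    r"^\s*access-list\s+(?P<name>\S+)\s+standard\s+(?P<action>permit|deny)\s+"
    + _NET + r"\s*$")
EXTENDED_LINE = re.compile(
    r"^\s*access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+ip\s+"
    + _NET + r"\s+any\s*$")


def parse_split_tunnel_list(config: str, acl_name: str) -> List[ipaddress.IPv4Network]:
    """Collect the permit entries of one ACL used as a split-tunnel network list.

    A deny entry raises ValueError: as the thread notes, a split-tunnel list
    only honours permit statements, so a deny cannot carve a subnet out.
    """
    nets: List[ipaddress.IPv4Network] = []
    for line in config.splitlines():
        m = STANDARD_LINE.match(line) or EXTENDED_LINE.match(line)
        if not m or m.group("name") != acl_name:
            continue
        if m.group("action") == "deny":
            raise ValueError(f"deny is not valid in a split-tunnel list: {line.strip()}")
        if m.group("net") == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            mask = m.group("mask") or "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{m.group('net')}/{mask}", strict=False))
    return nets


def goes_through_tunnel(policy: str, nets: List[ipaddress.IPv4Network], dst: str) -> bool:
    """Decide whether traffic to dst enters the VPN tunnel under split-tunnel-policy."""
    ip = ipaddress.ip_address(dst)
    listed = any(ip in n for n in nets)   # plain membership: no longest match, no deny
    if policy == "tunnelall":
        return True
    if policy == "tunnelspecified":
        return listed                     # only listed networks ride the tunnel
    if policy == "excludespecified":
        return not listed                 # listed networks bypass it, all else is tunnelled
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


def classify(policy: str, nets: List[ipaddress.IPv4Network], dsts: List[str]) -> dict:
    """Map each destination to True (tunnelled) or False (sent out locally)."""
    return {d: goes_through_tunnel(policy, nets, d) for d in dsts}


# The relevant lines of Brad's home ASA snippet, as quoted in the thread.
HOME_ASA_SNIPPET = """
group-policy GP_SVC_SPLIT_EXCEPT attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value ANYCONNECT_SPLITTUNNEL_EXCEPT
access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.0.0.0 255.0.0.0
"""

# The list Joe wished for in his first message, deny entries included.
JOE_WISHED_ACL = """
access-list 1 standard permit 10.1.0.0 255.255.0.0
access-list 1 standard deny 10.0.0.0 255.0.0.0
access-list 1 standard deny 172.16.0.0 255.240.0.0
access-list 1 standard deny 192.168.0.0 255.255.0.0
access-list 1 standard permit any
"""

if __name__ == "__main__":
    nets = parse_split_tunnel_list(HOME_ASA_SNIPPET, "ANYCONNECT_SPLITTUNNEL_EXCEPT")
    # Constructed destinations: corporate 10/8, home 192.168/16, the Internet, Joe's LAN.
    samples = ["10.5.5.5", "192.168.1.10", "8.8.8.8", "10.1.2.3"]
    for dst, tunnelled in classify("excludespecified", nets, samples).items():
        print(f"{dst:>14}  {'tunnel' if tunnelled else 'local'}")
    try:
        parse_split_tunnel_list(JOE_WISHED_ACL, "1")
    except ValueError as err:
        print("rejected:", err)
```

Running it against Brad's snippet shows why the approach fits his network but not Joe's: with excludespecified and 10.0.0.0/8 in the list, a destination in Joe's LAN 10.1.0.0/16 matches the list as well and bypasses the tunnel, and because the list accepts no deny entries there is no way to carve that /16 back in.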

On Tue, Sep 6, 2011 at 8:32 AM, Joe Astorino <joeastorino1982_at_gmail.com> wrote:

> Thanks for the feedback. I'm not sure I'm following you though. Let's
> make sure we are on the same page.
>
> The network I want to access behind the ASA is 10.1.0.0/16. I also want
> to tunnel through the ASA for internet access. The corporate network I am
> accessing the VPN from is the rest of the RFC1918 space. I want to be able
> to remain connected to corporate resources while at the same time tunnel
> traffic to 10.1.0.0/16 and the internet.
>
> When you say "interesting traffic ACL" do you mean the ACL used for the
> split tunnel? This is remote access VPN so I'm not sure I follow.
> Secondly, if I used a VPN filter, wouldn't that just block the traffic
> after it was already tunneled to the ASA?
>
> On Tue, Sep 6, 2011 at 9:24 AM, Ryan West <rwest_at_zyedge.com> wrote:
>
> > I've done interesting traffic acls like this. You could use a vpn-filter
> > to block the traffic.
> >
> > Sent from handheld
> >
> > On Sep 6, 2011, at 8:17 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> >
> > > Right, you are right - my memory must be getting foggy on it. Thanks!
> > >
> > > On Tue, Sep 6, 2011 at 2:06 PM, Timothy Chin <tim_at_1csol.com> wrote:
> > >
> > >> I don't think an extended ACL is required for split tunnels. I've
> > >> configured them using standard ACLs with no problems.
> > >>
> > >> Timothy Chin
> > >> CCIE #23866
> > >>
> > >> -----Original Message-----
> > >> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
> > >> Of Sadiq Yakasai
> > >> Sent: Tuesday, September 06, 2011 9:02 AM
> > >> To: Joe Astorino
> > >> Cc: Cisco certification
> > >> Subject: Re: OT: ASA Split-Tunnels
> > >>
> > >> Hi Joe,
> > >>
> > >> First, to split-tunnel, you require an extended ACL.
> > >>
> > >> Secondly, can you be a bit more informative with the topology please? Are
> > >> you terminating the SSL on the outside? But the split tunnelled networks
> > >> sit on the "inside" of the ASA. I haven't worked this one out from your post.
> > >>
> > >> Below is an example:
> > >>
> > >> access-list SPLIT_TUNNEL extended permit ip 132.1.0.0 255.255.0.0 any
> > >> access-list SPLIT_TUNNEL extended permit ip 150.1.0.0 255.255.0.0 any
> > >>
> > >> This would basically funnel these networks through the tunnel.
> > >> Everything else does NOT go through the tunnel. If you do not specify an ACL,
> > >> then everything goes through the tunnel. You do not put deny statements in
> > >> the ACL (to exclude networks via the tunnel).
> > >>
> > >> Thanks,
> > >> Sadiq
> > >>
> > >>
> > >>
> > >> On Tue, Sep 6, 2011 at 1:47 PM, Joe Astorino
> > >> <joeastorino1982_at_gmail.com> wrote:
> > >>
> > >>> Hey guys! I think the answer to this question is "no" based on the
> > >>> research I've done, but being that I am not an ASA expert (yet), I thought I
> > >>> would ask if anybody knows a solution to this problem.
> > >>>
> > >>> The problem: I have an SSL VPN connection set up at home. When I VPN in
> > >>> I actually want internet tunneled through the ASA. I want to tunnel
> > >>> traffic to the LAN 10.1.0.0/16 as well as all internet access through the
> > >>> ASA while at the same time NOT tunneling traffic to other internal IP
> > >>> addresses. So logically, it would be something like
> > >>>
> > >>> access-list 1 standard permit 10.1.0.0 255.255.0.0
> > >>> access-list 1 standard deny 10.0.0.0 255.0.0.0
> > >>> access-list 1 standard deny 172.16.0.0 255.240.0.0
> > >>> access-list 1 standard deny 192.168.0.0 255.255.0.0
> > >>> access-list 1 standard permit any
> > >>>
> > >>> I don't think deny is a valid option in the ACL though. Any way to
> > >>> accomplish that?
> > >>>
> > >>> --
> > >>> Regards,
> > >>>
> > >>> Joe Astorino
> > >>> CCIE #24347
> > >>> Blog: http://astorinonetworks.com
> > >>>
> > >>> "He not busy being born is busy dying" - Dylan
> > >>>
> > >>>
> > >>> Blogs and organic groups at http://www.ccie.net
> > >>>
> > >>>
> > >>> _______________________________________________________________________
> > >>> Subscription information may be found at:
> > >>> http://www.groupstudy.com/list/CCIELab.html
> > >>>
> > >>
> > >> --
> > >> CCIEx2 (R&S|Sec) #19963
> > >>
> > >
> > > --
> > > CCIEx2 (R&S|Sec) #19963
> > >
> >
>
> --
>
> Regards,
>
> Joe Astorino
> CCIE #24347
> Blog: http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
>

Received on Tue Sep 06 2011 - 08:49:27 ART

This archive was generated by hypermail 2.2.0 : Sat Oct 01 2011 - 07:26:25 ART