Re: OT: ASA Split-Tunnels

Thanks Brad. I fear I still have a problem though, because my home network
is 10.1.0.0/16 but the corporate network uses address space in all three of
the RFC1918 allocations. So, if I used an exclusion like you have done I
would have to find a way to exclude 10.0.0.0/8, 172.16.0.0/12, and
192.168.0.0/16 but not exclude 10.1.0.0/16 at the same time and THAT is my
problem here.

Too bad ASA ACLs don't use wildcard masks or I could get creative there....

On Tue, Sep 6, 2011 at 9:49 AM, Brad Edgeworth <edgie512_at_gmail.com> wrote:

> Joe, that is correct... I used to do the same thing to allow me to keep
> a VPN connection up to my home network (while at work) and still access work
> resources (& bypass corporate Internet proxies...) :-)
>
> Here is a snippet of relevant config on my Home ASA.
>
>
> group-policy GP_SVC_SPLIT_EXCEPT attributes
> banner value This is SPLIT-TUNNELLED-EXCEPT.
> split-tunnel-policy excludespecified
> split-tunnel-network-list value ANYCONNECT_SPLITTUNNEL_EXCEPT
>
> access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.0.0.0
> 255.0.0.0
>
>
>
> My corporate space was 10.0.0.0/8 & my home space was 192.168.0.0/16
>
> -Brad
>
>
> On Tue, Sep 6, 2011 at 8:32 AM, Joe Astorino <joeastorino1982_at_gmail.com>wrote:
>
>
>> Thanks for the feedback. I'm not sure I'm following you though. Let's
>> make
>> sure we are on the same page
>>
>> The network I want to access behind the ASA is 10.1.0.0/16. I also want
>> to
>> tunnel through the ASA for internet access. The corporate network I am
>> accessing the VPN from is the rest of the RFC1918 space. I want to be
>> able
>> to remain connected to corporate resources while at the same time tunnel
>> traffic to 10.1.0.0/16 and the internet.
>>
>> When you say "interesting traffic ACL" do you mean the ACL used for the
>> split tunnel? This is remote access VPN so I'm not sure I follow.
>> Secondly, if I used a VPN filter, wouldn't that just block the traffic
>> after
>> it was already tunneled to the ASA?
>>
>> On Tue, Sep 6, 2011 at 9:24 AM, Ryan West <rwest_at_zyedge.com> wrote:
>>
>> > I've done interesting traffic acls like this. You could us a vpn-filter
>> to
>> > block the traffic.
>> >
>> > Sent from handheld
>> >
>> > On Sep 6, 2011, at 8:17 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>> >
>> > > Right, you are right - my memory must be getting foggy on it. Thanks!
>> > >
>> > > On Tue, Sep 6, 2011 at 2:06 PM, Timothy Chin <tim_at_1csol.com> wrote:
>> > >
>> > >> I don't think an extended ACL is required for split tunnels. I've
>> > >> configured them using standard ACLs with no problems.
>> > >>
>> > >> Timothy Chin
>> > >> CCIE #23866
>> > >>
>> > >> -----Original Message-----
>> > >> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
>> Of
>> > >> Sadiq Yakasai
>> > >> Sent: Tuesday, September 06, 2011 9:02 AM
>> > >> To: Joe Astorino
>> > >> Cc: Cisco certification
>> > >> Subject: Re: OT: ASA Split-Tunnels
>> > >>
>> > >> Hi Joe,
>> > >>
>> > >> First, to split-tunnel, you require an extended ACL.
>> > >>
>> > >> Secondly, can you be abit more informative with the topology please?
>> Are
>> > >> you
>> > >> terminating the SSL on the outside? But the split tunnelled networks
>> sit
>> > >> on
>> > >> the "inside" of the ASA" I havent worked this one out from your post.
>> > >>
>> > >> Below is an example:
>> > >>
>> > >> access-list SPLIT_TUNNEL extended permit ip 132.1.0.0 255.255.0.0 any
>> > >> access-list SPLIT_TUNNEL extended permit ip 150.1.0.0 255.255.0.0 any
>> > >>
>> > >> This would basically funnels these networks through the tunnel.
>> > >> Everything
>> > >> else does NOT go through the tunnel. If you do not specify an ACL,
>> then
>> > >> everything goes through the tunnel. You do not put deny statements in
>> > >> the
>> > >> ACL (to exclude networks via the tunnel).
>> > >>
>> > >> Thanks,
>> > >> Sadiq
>> > >>
>> > >>
>> > >>
>> > >> On Tue, Sep 6, 2011 at 1:47 PM, Joe Astorino
>> > >> <joeastorino1982_at_gmail.com>wrote:
>> > >>
>> > >>> Hey guys! I think the answer to this question is "no" based on the
>> > >>> research
>> > >>> I've done, but being that I am not an ASA expert (yet), I thought I
>> > >> would
>> > >>> ask if anybody knows a solution to this problem.
>> > >>>
>> > >>> The problem: I have an SSL VPN connection set up at home. When I am
>> > >> VPN in
>> > >>> I actually want internet tunneled through the ASA. I want to tunnel
>> > >>> traffic
>> > >>> to the LAN 10.1.0.0/16 as well as all internet access through the
>> ASA
>> > >>> while
>> > >>> at the same time NOT tunneling traffic to other internal IP
>> addresses.
>> > >> So
>> > >>> logically, it would be something like
>> > >>>
>> > >>> access-list 1 standard permit 10.1.0.0 255.255.0.0
>> > >>> access-list 1 standard deny 10.0.0.0 255.0.0.0
>> > >>> access-list 1 standard deny 172.16.0.0 255.240.0.0
>> > >>> access-list 1 standard deny 192.168.0.0 255.255.0.0
>> > >>> access-list 1 standard permit any
>> > >>>
>> > >>> I don't think deny is a valid option in the ACL though. Any way to
>> > >>> accomplish that?
>> > >>>
>> > >>> --
>> > >>> Regards,
>> > >>>
>> > >>> Joe Astorino
>> > >>> CCIE #24347
>> > >>> Blog: http://astorinonetworks.com
>> > >>>
>> > >>> "He not busy being born is busy dying" - Dylan
>> > >>>
>> > >>>
>> > >>> Blogs and organic groups at http://www.ccie.net
>> > >>>
>> > >>>
>> > >>
>> _______________________________________________________________________
>> > >>> Subscription information may be found at:
>> > >>> http://www.groupstudy.com/list/CCIELab.html
>> > >>>
>> > >>>
>> > >>>
>> > >>>
>> > >>>
>> > >>>
>> > >>>
>> > >>>
>> > >>
>> > >>
>> > >> --
>> > >> CCIEx2 (R&S|Sec) #19963
>> > >>
>> > >>
>> > >> Blogs and organic groups at http://www.ccie.net
>> > >>
>> > >>
>> _______________________________________________________________________
>> > >> Subscription information may be found at:
>> > >> http://www.groupstudy.com/list/CCIELab.html
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>
>> > >
>> > >
>> > > --
>> > > CCIEx2 (R&S|Sec) #19963
>> > >
>> > >
>> > > Blogs and organic groups at http://www.ccie.net
>> > >
>> > >
>> _______________________________________________________________________
>> > > Subscription information may be found at:
>> > > http://www.groupstudy.com/list/CCIELab.html
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> >
>>
>>
>>
>>
>> --
>>
>> Regards,
>>
>> Joe Astorino
>> CCIE #24347
>> Blog: http://astorinonetworks.com
>>
>> "He not busy being born is busy dying" - Dylan
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>

-- 
Regards,
Joe Astorino
CCIE #24347
Blog: http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
Blogs and organic groups at http://www.ccie.net