> Anyways, anybody know if it is possible to accomplish this goal of denying some networks but allowing others?
Once you split tunnel, anything not explicitly tunneled is bypassed at the client.
You can apply an ACL to either SSL VPN AnyConnect (full tunnel) or IPsec tunnel clients to LIMIT what they can talk to, even within networks they have been sent via the split ACL.
-Joe
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Joe Astorino
Sent: Tuesday, September 06, 2011 9:15 AM
To: Sadiq Yakasai
Cc: Timothy Chin; Cisco certification
Subject: Re: OT: ASA Split-Tunnels
Yes, you can configure with extended ACL but only the first part (source) is taken into account : )
Anyways, anybody know if it is possible to accomplish this goal of denying some networks but allowing others?
On Tue, Sep 6, 2011 at 9:13 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> Right, you are right - my memory must be getting foggy on it. Thanks!
>
>
> On Tue, Sep 6, 2011 at 2:06 PM, Timothy Chin <tim_at_1csol.com> wrote:
>
>> I don't think an extended ACL is required for split tunnels. I've
>> configured them using standard ACLs with no problems.
>>
>> Timothy Chin
>> CCIE #23866
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Sadiq Yakasai
>> Sent: Tuesday, September 06, 2011 9:02 AM
>> To: Joe Astorino
>> Cc: Cisco certification
>> Subject: Re: OT: ASA Split-Tunnels
>>
>> Hi Joe,
>>
>> First, to split-tunnel, you require an extended ACL.
>>
>> Secondly, can you be a bit more informative with the topology please? Are you terminating the SSL on the outside? But the split-tunnelled networks sit on the "inside" of the ASA? I haven't worked this one out from your post.
>>
>> Below is an example:
>>
>> access-list SPLIT_TUNNEL extended permit ip 132.1.0.0 255.255.0.0 any
>> access-list SPLIT_TUNNEL extended permit ip 150.1.0.0 255.255.0.0 any
>>
>> This would basically funnel these networks through the tunnel. Everything else does NOT go through the tunnel. If you do not specify an ACL, then everything goes through the tunnel.
>> You do not put deny statements in the ACL (to exclude networks via the tunnel).
>>
>> Thanks,
>> Sadiq
>>
>>
>>
>> On Tue, Sep 6, 2011 at 1:47 PM, Joe Astorino
>> <joeastorino1982_at_gmail.com>wrote:
>>
>> > Hey guys! I think the answer to this question is "no" based on the research I've done, but being that I am not an ASA expert (yet), I thought I would ask if anybody knows a solution to this problem.
>> >
>> > The problem: I have an SSL VPN connection set up at home. When I VPN in, I actually want internet tunneled through the ASA. I want to tunnel traffic to the LAN 10.1.0.0/16 as well as all internet access through the ASA, while at the same time NOT tunneling traffic to other internal IP addresses. So logically, it would be something like
>> >
>> > access-list 1 standard permit 10.1.0.0 255.255.0.0
>> > access-list 1 standard deny 10.0.0.0 255.0.0.0
>> > access-list 1 standard deny 172.16.0.0 255.240.0.0
>> > access-list 1 standard deny 192.168.0.0 255.255.0.0
>> > access-list 1 standard permit any
>> >
>> > I don't think deny is a valid option in the ACL though. Any way to accomplish that?
>> >
>> > --
>> > Regards,
>> >
>> > Joe Astorino
>> > CCIE #24347
>> > Blog: http://astorinonetworks.com
>> >
>> > "He not busy being born is busy dying" - Dylan
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>> >
>>
>>
>> --
>> CCIEx2 (R&S|Sec) #19963
>>
>
> --
> CCIEx2 (R&S|Sec) #19963
>
--
Regards,

Joe Astorino
CCIE #24347
Blog: http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan

Received on Tue Sep 06 2011 - 14:05:49 ART
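Added example, not from the thread or from any Cisco code: a small Python model of how a split-tunnel network list becomes client routes, used to show why Joe's "permit 10.1.0.0/16, deny 10.0.0.0/8, ..., permit any" list cannot express his policy. It assumes (as Sadiq's reply states and as the model labels) that the ASA pushes one route per permit entry and ignores deny entries, so anything not covered by a permitted network simply bypasses the tunnel. The network values are the ones quoted in the thread; the destination addresses are constructed for the demonstration.

```python
# Added example (not from the thread): model an ASA split-tunnel network list
# as the client routes it produces, and contrast that with the first-match
# firewall-ACL semantics Joe's list is written to express.
#
# Assumption (labelled): the ASA installs one client route per *permit*
# entry in the split-tunnel list and ignores deny entries; a destination that
# matches no installed route leaves the client untunneled.
import ipaddress

def tunneled_routes(acl):
    """Keep only the permit entries, as the ASA does when it builds the
    split-tunnel route list. `acl` is a list of (action, network) tuples,
    e.g. ("permit", "10.1.0.0/16")."""
    return [ipaddress.ip_network(net) for action, net in acl if action == "permit"]

def asa_tunnels(acl, dst):
    """True if `dst` goes through the VPN under the assumed ASA semantics:
    it falls inside any permitted network; deny entries have no effect."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in tunneled_routes(acl))

def intended_tunnels(acl, dst):
    """What Joe's list is *meant* to say: first matching entry wins, like a
    filtering ACL. Present only to contrast with the ASA behaviour."""
    ip = ipaddress.ip_address(dst)
    for action, net in acl:
        if ip in ipaddress.ip_network(net):
            return action == "permit"
    return False

# Joe's proposed list from the thread, deny lines included.
JOES_ACL = [
    ("permit", "10.1.0.0/16"),
    ("deny", "10.0.0.0/8"),
    ("deny", "172.16.0.0/12"),
    ("deny", "192.168.0.0/16"),
    ("permit", "0.0.0.0/0"),
]

# Constructed destinations: the home LAN, another RFC 1918 host he wants to
# keep off the tunnel, a host in a second private range, and the Internet.
SAMPLE_DESTINATIONS = ["10.1.5.5", "10.2.0.9", "192.168.1.1", "8.8.8.8"]

def compare(acl=JOES_ACL, dsts=SAMPLE_DESTINATIONS):
    """Return {dst: (asa_result, intended_result)} so mismatches are visible."""
    return {d: (asa_tunnels(acl, d), intended_tunnels(acl, d)) for d in dsts}

if __name__ == "__main__":
    for dst, (asa, want) in compare().items():
        flag = "" if asa == want else "   <-- deny entry is ignored"
        print(f"{dst:>14}: ASA tunnels={asa!s:5} intended={want!s:5}{flag}")
```

Running it shows 10.1.5.5 and 8.8.8.8 tunneled under both readings, while 10.2.0.9 and 192.168.1.1 are tunneled by the ASA (the trailing permit any covers them) even though the intended policy excludes them: the only routes the list yields are 10.1.0.0/16 and 0.0.0.0/0. That is the gap the thread is circling, and why the reply above points to a per-session filter ACL, rather than the split list, as the place to restrict what a connected client can reach.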