RE: OT: ASA Split-Tunnels

From: Steve Means <smeans_at_ccbootcamp.com>
Date: Tue, 6 Sep 2011 07:50:25 -0700

Are you set on doing it this way because the work FW/proxy/whatever only
allows an exclusion for SSL to your home address? If not (SSL is open),
then just tunnel the home network traffic and use a different method to
bypass proxy/web filtering; I use an ironkey, for instance, that has its
own TOR network.

Or if this is just an exercise, carry on. ;)

Steve Means
CCSP/CCNP
CCSI# 32951
Instructor / Consultant
Email: smeans_at_ccbootcamp.com
Toll Free: 877-654-2243
International: +1-702-968-5100
Skype: skype:ccbootcamp?call
FAX: +1-702-446-0357
Training And Remote Racks: http://www.ccbootcamp.com

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Joe Astorino
Sent: Tuesday, September 06, 2011 7:02 AM
To: Brad Edgeworth
Cc: Ryan West; Sadiq Yakasai; Timothy Chin; Cisco certification
Subject: Re: OT: ASA Split-Tunnels

I suppose if I really wanted to I could get nasty with the ACL like
this...basically excluding everything except the entire 10.0.0.0/8 minus
my 10.1.0.0/16. I wanted to avoid that though if possible.

access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard remark 10.0.0.0 - 10.31.255.255 ...
access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.0.0.0 255.255.0.0
access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.2.0.0 255.255.0.0
access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.3.0.0 255.255.0.0
access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.4.0.0 255.255.0.0
...
...
access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.31.0.0 255.255.0.0

access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard remark 10.32.0.0 - 10.127.255.255
access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.32.0.0 255.224.0.0
access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.64.0.0 255.224.0.0
access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.96.0.0 255.224.0.0

access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard remark 10.128.0.0 - 10.255.255.255
access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.128.0.0 255.128.0.0

access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard remark other RFC1918
access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 172.16.0.0 255.240.0.0
access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 192.168.0.0 255.255.0.0

On Tue, Sep 6, 2011 at 9:54 AM, Joe Astorino
<joeastorino1982_at_gmail.com>wrote:

> Thanks Brad. I fear I still have a problem though, because my home network
> is 10.1.0.0/16 but the corporate network uses address space in all three
> of the RFC1918 allocations. So, if I used an exclusion like you have done I
> would have to find a way to exclude 10.0.0.0/8, 172.16.0.0/12, and
> 192.168.0.0/16 but not exclude 10.1.0.0/16 at the same time and THAT is
> my problem here.
>
> Too bad ASA ACLs don't use wildcard masks or I could get creative there....
>
>
>
>
>
> On Tue, Sep 6, 2011 at 9:49 AM, Brad Edgeworth <edgie512_at_gmail.com> wrote:
>
>> Joe, that is correct... I used to do the same thing to allow me to keep
>> a VPN connection up to my home network (while at work) and still access work
>> resources (& bypass corporate Internet proxies...) :-)
>>
>> Here is a snippet of relevant config on my Home ASA.
>>
>>
>> group-policy GP_SVC_SPLIT_EXCEPT attributes
>> banner value This is SPLIT-TUNNELLED-EXCEPT.
>> split-tunnel-policy excludespecified
>> split-tunnel-network-list value ANYCONNECT_SPLITTUNNEL_EXCEPT
>>
>> access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.0.0.0 255.0.0.0
>>
>>
>>
>> My corporate space was 10.0.0.0/8 & my home space was 192.168.0.0/16
>>
>> -Brad
>>
>>
>> On Tue, Sep 6, 2011 at 8:32 AM, Joe Astorino <joeastorino1982_at_gmail.com> wrote:
>>
>>
>>> Thanks for the feedback. I'm not sure I'm following you though. Let's
>>> make sure we are on the same page.
>>>
>>> The network I want to access behind the ASA is 10.1.0.0/16. I also want
>>> to tunnel through the ASA for internet access. The corporate network I am
>>> accessing the VPN from is the rest of the RFC1918 space. I want to be able
>>> to remain connected to corporate resources while at the same time tunnel
>>> traffic to 10.1.0.0/16 and the internet.
>>>
>>> When you say "interesting traffic ACL" do you mean the ACL used for the
>>> split tunnel? This is remote access VPN so I'm not sure I follow.
>>> Secondly, if I used a VPN filter, wouldn't that just block the traffic
>>> after it was already tunneled to the ASA?
>>>
>>> On Tue, Sep 6, 2011 at 9:24 AM, Ryan West <rwest_at_zyedge.com> wrote:
>>>
>>> > I've done interesting traffic acls like this. You could use a vpn-filter
>>> > to block the traffic.
>>> >
>>> > Sent from handheld
>>> >
>>> > On Sep 6, 2011, at 8:17 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>>> >
>>> > > Right, you are right - my memory must be getting foggy on it. Thanks!
>>> > >
>>> > > On Tue, Sep 6, 2011 at 2:06 PM, Timothy Chin <tim_at_1csol.com> wrote:
>>> > >
>>> > >> I don't think an extended ACL is required for split tunnels. I've
>>> > >> configured them using standard ACLs with no problems.
>>> > >>
>>> > >> Timothy Chin
>>> > >> CCIE #23866
>>> > >>
>>> > >> -----Original Message-----
>>> > >> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>> > >> Sadiq Yakasai
>>> > >> Sent: Tuesday, September 06, 2011 9:02 AM
>>> > >> To: Joe Astorino
>>> > >> Cc: Cisco certification
>>> > >> Subject: Re: OT: ASA Split-Tunnels
>>> > >>
>>> > >> Hi Joe,
>>> > >>
>>> > >> First, to split-tunnel, you require an extended ACL.
>>> > >>
>>> > >> Secondly, can you be a bit more informative with the topology please?
>>> > >> Are you terminating the SSL on the outside, but the split tunnelled
>>> > >> networks sit on the "inside" of the ASA? I haven't worked this one out
>>> > >> from your post.
>>> > >>
>>> > >> Below is an example:
>>> > >>
>>> > >> access-list SPLIT_TUNNEL extended permit ip 132.1.0.0 255.255.0.0 any
>>> > >> access-list SPLIT_TUNNEL extended permit ip 150.1.0.0 255.255.0.0 any
>>> > >>
>>> > >> This would basically funnel these networks through the tunnel.
>>> > >> Everything else does NOT go through the tunnel. If you do not specify
>>> > >> an ACL, then everything goes through the tunnel. You do not put deny
>>> > >> statements in the ACL (to exclude networks via the tunnel).
>>> > >>
>>> > >> Thanks,
>>> > >> Sadiq
>>> > >>
>>> > >>
>>> > >>
>>> > >> On Tue, Sep 6, 2011 at 1:47 PM, Joe Astorino <joeastorino1982_at_gmail.com> wrote:
>>> > >>
>>> > >>> Hey guys! I think the answer to this question is "no" based on the
>>> > >>> research I've done, but being that I am not an ASA expert (yet), I
>>> > >>> thought I would ask if anybody knows a solution to this problem.
>>> > >>>
>>> > >>> The problem: I have an SSL VPN connection set up at home. When I am
>>> > >>> VPN'd in I actually want internet tunneled through the ASA. I want to
>>> > >>> tunnel traffic to the LAN 10.1.0.0/16 as well as all internet access
>>> > >>> through the ASA while at the same time NOT tunneling traffic to other
>>> > >>> internal IP addresses. So logically, it would be something like
>>> > >>>
>>> > >>> access-list 1 standard permit 10.1.0.0 255.255.0.0
>>> > >>> access-list 1 standard deny 10.0.0.0 255.0.0.0
>>> > >>> access-list 1 standard deny 172.16.0.0 255.240.0.0
>>> > >>> access-list 1 standard deny 192.168.0.0 255.255.0.0
>>> > >>> access-list 1 standard permit any
>>> > >>>
>>> > >>> I don't think deny is a valid option in the ACL though. Any way to
>>> > >>> accomplish that?
>>> > >>>
>>> > >>> --
>>> > >>> Regards,
>>> > >>>
>>> > >>> Joe Astorino
>>> > >>> CCIE #24347
>>> > >>> Blog: http://astorinonetworks.com
>>> > >>>
>>> > >>> "He not busy being born is busy dying" - Dylan
>>> > >>>
>>> > >>>
>>> > >>> Blogs and organic groups at http://www.ccie.net
>>> > >>>
>>> > >>>
>>> > >>
>>>
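The hand-enumerated "everything in 10/8 except 10.1.0.0/16" list from Joe's reply can be generated mechanically, and in its minimal form it is 8 CIDR blocks rather than thirty-odd /16s. The following is an added example (not code from any poster in the thread): it carves the tunnelled home network(s) out of the RFC1918 supernets with Python's `ipaddress` module, verifies the result is an exact complement (nothing from the home LAN is excluded, nothing else is missed), and renders it as the ASA standard ACL plus the `excludespecified` group-policy lines Brad showed. The `keep` list may hold several networks, so it also covers the case of more than one home subnet; the policy and ACL names are the thread's, the inputs are constructed.

```python
import ipaddress

# Constructed inputs matching the thread: corporate space is all of RFC1918,
# the home LAN that must stay tunnelled is 10.1.0.0/16.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOME = [ipaddress.ip_network("10.1.0.0/16")]
ACL_NAME = "ANYCONNECT_SPLITTUNNEL_EXCEPT"  # ACL name used in the thread


def exclude_networks(supernets, keep):
    """Minimal CIDR list covering every address in supernets that is NOT in keep."""
    result = []
    for net in supernets:
        pieces = [net]
        for k in keep:
            remaining = []
            for p in pieces:
                if k.subnet_of(p):            # carve k out of p (yields nothing if k == p)
                    remaining.extend(p.address_exclude(k))
                elif not p.subnet_of(k):      # disjoint: keep the piece unchanged
                    remaining.append(p)       # (a piece inside k is dropped entirely)
            pieces = remaining
        result.extend(pieces)
    return sorted(ipaddress.collapse_addresses(result))


def asa_standard_acl(name, networks):
    """ASA standard ACL entries use a netmask (not a wildcard), one permit per block."""
    return [f"access-list {name} standard permit {n.network_address} {n.netmask}"
            for n in networks]


def split_exclude_config(policy, name, networks):
    """ACL plus the group-policy fragment in the form Brad posted, using the computed list."""
    return asa_standard_acl(name, networks) + [
        f"group-policy {policy} attributes",
        " split-tunnel-policy excludespecified",
        f" split-tunnel-network-list value {name}",
    ]


def is_exact_complement(networks, supernets, keep):
    """Sanity check: no 'keep' address is excluded, and networks + keep == supernets."""
    if any(n.overlaps(k) for n in networks for k in keep):
        return False
    union = sorted(ipaddress.collapse_addresses(list(networks) + list(keep)))
    return union == sorted(ipaddress.collapse_addresses(supernets))


if __name__ == "__main__":
    excl = exclude_networks(RFC1918, HOME)
    assert is_exact_complement(excl, RFC1918, HOME)
    print("\n".join(split_exclude_config("GP_SVC_SPLIT_EXCEPT", ACL_NAME, excl)))
```

Running it prints 10 permit lines (8 for 10/8 minus 10.1/16, plus 172.16/12 and 192.168/16); the check also flags Brad's single `10.0.0.0 255.0.0.0` entry as wrong for Joe's case, since it would exclude the home LAN from the tunnel too.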
Received on Tue Sep 06 2011 - 07:50:25 ART

This archive was generated by hypermail 2.2.0 : Sat Oct 01 2011 - 07:26:25 ART