RE: OT: ASA Split-Tunnels

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Tue, 6 Sep 2011 15:00:13 +0000

That can't be done (or at least I have never seen anyone do one route + deny
some + then default).

The split tunnel acl works off the "permit" option.

But let's see what the group can think of. We simply use the deny acl on the
connecting user's tunnel to prevent individual network or host access, while
"advertising" the subnet to their vpn client via split tunnel acl.

From: Joe Astorino [mailto:joeastorino1982_at_gmail.com]
Sent: Tuesday, September 06, 2011 10:12 AM
To: Joseph L. Brunner
Cc: Sadiq Yakasai; Timothy Chin; Cisco certification
Subject: Re: OT: ASA Split-Tunnels

Thanks Joseph, but I don't want to filter the traffic after it is tunneled to
the ASA, I want to prevent traffic destined to anything except
10.1.0.0/16 or the internet from being tunneled in the
first place. If I filter after the traffic is already tunneled that won't
help me.

For example, if I want access to 10.1.0.0/16 and the internet over the vpn I
would need to explicitly tunnel 10.1.0.0/16 and 0.0.0.0. The 0.0.0.0 for
internet will also catch everything else internal to the corporate network that
I want to access without going over the VPN.

Sure, I could configure a VPN filter to block everything else, but at that
point it is too late it already routed over the tunnel.

On Tue, Sep 6, 2011 at 10:05 AM, Joseph L. Brunner
<joe_at_affirmedsystems.com> wrote:

> Anyways, anybody know if it is possible to accomplish this goal of denying
> some networks but allowing others?

Once you split tunnel, anything not explicitly tunneled is bypassed at the
client.

You can apply an ACL to either SSLVPN Anyconnect (full tunnel) or ipsec tunnel
clients to LIMIT what they can talk to even within networks they have been
sent via the split acl.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

-Joe

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Joe
Astorino
Sent: Tuesday, September 06, 2011 9:15 AM
To: Sadiq Yakasai
Cc: Timothy Chin; Cisco certification
Subject: Re: OT: ASA Split-Tunnels

Yes, you can configure with extended ACL but only the first part (source) is
taken into account : )

Anyways, anybody know if it is possible to accomplish this goal of denying
some networks but allowing others?

On Tue, Sep 6, 2011 at 9:13 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:

> Right, you are right - my memory must be getting foggy on it. Thanks!
>
>
> On Tue, Sep 6, 2011 at 2:06 PM, Timothy Chin <tim_at_1csol.com> wrote:
>
>> I don't think an extended ACL is required for split tunnels. I've
>> configured them using standard ACLs with no problems.
>>
>> Timothy Chin
>> CCIE #23866
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Sadiq Yakasai
>> Sent: Tuesday, September 06, 2011 9:02 AM
>> To: Joe Astorino
>> Cc: Cisco certification
>> Subject: Re: OT: ASA Split-Tunnels
>>
>> Hi Joe,
>>
>> First, to split-tunnel, you require an extended ACL.
>>
>> Secondly, can you be a bit more informative with the topology please? Are
>> you terminating the SSL on the outside, but the split-tunnelled networks sit
>> on the "inside" of the ASA? I haven't worked this one out from your post.
>>
>> Below is an example:
>>
>> access-list SPLIT_TUNNEL extended permit ip 132.1.0.0 255.255.0.0 any
>> access-list SPLIT_TUNNEL extended permit ip 150.1.0.0 255.255.0.0 any
>>
>> This would basically funnel these networks through the tunnel. Everything
>> else does NOT go through the tunnel. If you do not specify an ACL, then
>> everything goes through the tunnel. You do not put deny statements in the
>> ACL (to exclude networks via the tunnel).
>>
>> Thanks,
>> Sadiq
>>
>>
>>
>> On Tue, Sep 6, 2011 at 1:47 PM, Joe Astorino
>> <joeastorino1982_at_gmail.com> wrote:
>>
>> > Hey guys! I think the answer to this question is "no" based on the
>> > research I've done, but being that I am not an ASA expert (yet), I thought
>> > I would ask if anybody knows a solution to this problem.
>> >
>> > The problem: I have an SSL VPN connection set up at home. When I am VPN in
>> > I actually want internet tunneled through the ASA. I want to tunnel traffic
>> > to the LAN 10.1.0.0/16 as well as all internet access through the ASA while
>> > at the same time NOT tunneling traffic to other internal IP addresses. So
>> > logically, it would be something like
>> >
>> > access-list 1 standard permit 10.1.0.0 255.255.0.0
>> > access-list 1 standard deny 10.0.0.0 255.0.0.0
>> > access-list 1 standard deny 172.16.0.0 255.240.0.0
>> > access-list 1 standard deny 192.168.0.0 255.255.0.0
>> > access-list 1 standard permit any
>> >
>> > I don't think deny is a valid option in the ACL though. Any way to
>> > accomplish that?
>> >
>> > --
>> > Regards,
>> >
>> > Joe Astorino
>> > CCIE #24347
>> > Blog: http://astorinonetworks.com
>> >
>> > "He not busy being born is busy dying" - Dylan
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>>
>>
>> --
>> CCIEx2 (R&S|Sec) #19963
>>
>
>
> --
> CCIEx2 (R&S|Sec) #19963
>

--
Regards,
Joe Astorino
CCIE #24347
Blog: http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
Received on Tue Sep 06 2011 - 15:00:13 ART
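Since the split-tunnel ACL acts only on permit entries (the point Joseph and Sadiq make above), the intent of Joe's "permit 10.1.0.0/16, deny the RFC 1918 ranges, permit any" list can only be expressed as an explicit list of permitted prefixes: everything except the excluded ranges, plus the one network he does want. The added Python example below (not code from any poster in the thread) computes that permit-only list with the standard ipaddress module and prints it in the standard-ACL syntax Joe used; it assumes the ACL name SPLIT_TUNNEL and that the client tunnels exactly the permitted prefixes, as the thread describes.

```python
import ipaddress
from typing import Iterable, List

# Constructed to mirror the intent in the thread: tunnel 10.1.0.0/16 and the
# Internet, but keep the other RFC 1918 ranges off the VPN.
TUNNEL = ["10.1.0.0/16"]
EXCLUDE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def permit_only_split_list(tunnel: Iterable[str],
                           exclude: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Prefix list equivalent to 'permit <tunnel>; deny <exclude>; permit any',
    expressed with permit entries only (the only kind a split ACL acts on)."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in map(ipaddress.ip_network, exclude):
        carved = []
        for net in remaining:
            if ex.subnet_of(net):
                # address_exclude yields the complement of ex inside net
                carved.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                pass  # net lies wholly inside an excluded range: drop it
            else:
                carved.append(net)
        remaining = carved
    # Re-add the networks we do want, even where they sit inside an excluded
    # range (10.1.0.0/16 sits inside 10.0.0.0/8)
    wanted = [ipaddress.ip_network(t) for t in tunnel]
    return sorted(ipaddress.collapse_addresses(remaining + wanted))


def covered(nets: List[ipaddress.IPv4Network], host: str) -> bool:
    """True if traffic to host would be sent over the tunnel."""
    addr = ipaddress.ip_address(host)
    return any(addr in n for n in nets)


def asa_lines(name: str, nets: List[ipaddress.IPv4Network]) -> List[str]:
    # Standard ACL syntax, as in Joe's example in the thread
    return [f"access-list {name} standard permit {n.network_address} {n.netmask}"
            for n in nets]


if __name__ == "__main__":
    nets = permit_only_split_list(TUNNEL, EXCLUDE)
    print("\n".join(asa_lines("SPLIT_TUNNEL", nets)))
```

Excluding three ranges this way produces 32 permit entries; whether a list of that size is practical on a given ASA and client is something to confirm in the lab, as the thread does not address it.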

This archive was generated by hypermail 2.2.0 : Sat Oct 01 2011 - 07:26:25 ART