Think of the ACL as being what routes will be put into PCs routing table.
Which is why the other tricks won't work.
I've never seen a deny/negative on my Windows XP box when I do a 'route print'.
Build a 3 line ACL, and play around with the group-policy for the
split-tunnel, split-except, & full tunnel & look at the output of your route
print, and you'll realize you cannot do a Deny.
-Brad
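As an added illustration of the point Brad and Joseph are making (not code from the thread or from any Cisco product), the following constructed simulation parses the ACL Joe proposed, honours only its permit entries the way the client does, and checks it against each split-tunnel-policy mode (tunnelall, tunnelspecified, excludespecified); the EXCLUDE_ACL and the goal_met test addresses are assumptions built for the example.

```python
import ipaddress

# Constructed inputs (not config from any real device). JOE_WANTED_ACL is the ACL
# proposed in the thread; EXCLUDE_ACL is a hypothetical one for excludespecified.
JOE_WANTED_ACL = """\
access-list 1 standard permit 10.1.0.0 255.255.0.0
access-list 1 standard deny 10.0.0.0 255.0.0.0
access-list 1 standard deny 172.16.0.0 255.240.0.0
access-list 1 standard deny 192.168.0.0 255.255.0.0
access-list 1 standard permit any
"""
EXCLUDE_ACL = """\
access-list EXC standard permit 10.0.0.0 255.0.0.0
access-list EXC standard permit 172.16.0.0 255.240.0.0
access-list EXC standard permit 192.168.0.0 255.255.0.0
"""

def parse_acl(text):
    """Return [(action, network)] from ASA standard/extended ACL lines.
    For extended entries only the source field counts (thread's observation)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        kind, action = tok[2], tok[3]
        args = tok[4:] if kind == "standard" else tok[5:]  # skip 'ip' when extended
        if args[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        entries.append((action, net))
    return entries

def is_tunneled(acl_text, policy, dst):
    """Does traffic to dst enter the VPN tunnel under the given split-tunnel-policy?
    Only permit entries are installed on the client; deny entries never become
    negative routes, so they are ignored here just as 'route print' never shows them."""
    dst = ipaddress.ip_address(dst)
    listed = any(dst in n for a, n in parse_acl(acl_text) if a == "permit")
    if policy == "tunnelall":          # full tunnel
        return True
    if policy == "tunnelspecified":    # listed networks go through the tunnel
        return listed
    if policy == "excludespecified":   # listed networks bypass the tunnel
        return not listed
    raise ValueError(policy)

def goal_met(acl_text, policy):
    """Joe's goal: tunnel 10.1.0.0/16 and the internet, bypass other internal ranges."""
    return (is_tunneled(acl_text, policy, "10.1.2.3")
            and is_tunneled(acl_text, policy, "8.8.8.8")
            and not is_tunneled(acl_text, policy, "10.2.3.4")
            and not is_tunneled(acl_text, policy, "192.168.1.1"))
```

Running goal_met over both ACLs in every mode returns False each time: with tunnelspecified the ignored denies leave "permit any" covering the other internal ranges, and with excludespecified the 10.0.0.0/8 exclusion swallows 10.1.0.0/16.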
On Tue, Sep 6, 2011 at 10:00 AM, Joseph L. Brunner
<joe_at_affirmedsystems.com> wrote:
> That can't be done (or at least I have never seen anyone do one route + deny
> some + then default).
>
> The split tunnel acl works off the "permit" option.
>
> But let's see what the group can think of. We simply use the deny ACL on the
> connecting user's tunnel to prevent individual network or host access, while
> "advertising" the subnet to their VPN client via split tunnel ACL.
>
> From: Joe Astorino [mailto:joeastorino1982_at_gmail.com]
> Sent: Tuesday, September 06, 2011 10:12 AM
> To: Joseph L. Brunner
> Cc: Sadiq Yakasai; Timothy Chin; Cisco certification
> Subject: Re: OT: ASA Split-Tunnels
>
> Thanks Joseph, but I don't want to filter the traffic after it is tunneled to
> the ASA, I want to prevent traffic destined to anything except 10.1.0.0/16 or
> the internet from being tunneled in the first place. If I filter after the
> traffic is already tunneled that won't help me.
>
> For example, if I want access to 10.1.0.0/16 and the internet over the VPN I
> would need to explicitly tunnel 10.1.0.0/16 and 0.0.0.0. The 0.0.0.0 for
> internet will also catch everything else internal to the corporate network
> that I want to access without going over the VPN.
>
> Sure, I could configure a VPN filter to block everything else, but at that
> point it is too late it already routed over the tunnel.
>
> On Tue, Sep 6, 2011 at 10:05 AM, Joseph L. Brunner
> <joe_at_affirmedsystems.com> wrote:
> > Anyways, anybody know if it is possible to accomplish this goal of denying
> > some networks but allowing others?
> Once you split tunnel, anything not explicitly tunneled is bypassed at the
> client.
>
> You can apply an ACL to either SSLVPN AnyConnect (full tunnel) or IPsec tunnel
> clients to LIMIT what they can talk to even within networks they have been
> sent via the split ACL.
>
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
>
>
>
> -Joe
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Joe Astorino
> Sent: Tuesday, September 06, 2011 9:15 AM
> To: Sadiq Yakasai
> Cc: Timothy Chin; Cisco certification
> Subject: Re: OT: ASA Split-Tunnels
>
> Yes, you can configure with extended ACL but only the first part (source) is
> taken into account : )
>
> Anyways, anybody know if it is possible to accomplish this goal of denying
> some networks but allowing others?
>
> On Tue, Sep 6, 2011 at 9:13 AM, Sadiq Yakasai
> <sadiqtanko_at_gmail.com> wrote:
>
> > Right, you are right - my memory must be getting foggy on it. Thanks!
> >
> >
> > On Tue, Sep 6, 2011 at 2:06 PM, Timothy Chin
> > <tim_at_1csol.com> wrote:
> >
> >> I don't think an extended ACL is required for split tunnels. I've
> >> configured them using standard ACLs with no problems.
> >>
> >> Timothy Chin
> >> CCIE #23866
> >>
> >> -----Original Message-----
> >> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> >> Sadiq Yakasai
> >> Sent: Tuesday, September 06, 2011 9:02 AM
> >> To: Joe Astorino
> >> Cc: Cisco certification
> >> Subject: Re: OT: ASA Split-Tunnels
> >>
> >> Hi Joe,
> >>
> >> First, to split-tunnel, you require an extended ACL.
> >>
> >> Secondly, can you be a bit more informative with the topology please? Are
> >> you terminating the SSL on the outside? But the split tunnelled networks sit
> >> on the "inside" of the ASA? I haven't worked this one out from your post.
> >>
> >> Below is an example:
> >>
> >> access-list SPLIT_TUNNEL extended permit ip 132.1.0.0 255.255.0.0 any
> >> access-list SPLIT_TUNNEL extended permit ip 150.1.0.0 255.255.0.0 any
> >>
> >> This would basically funnel these networks through the tunnel. Everything
> >> else does NOT go through the tunnel. If you do not specify an ACL, then
> >> everything goes through the tunnel. You do not put deny statements in the
> >> ACL (to exclude networks via the tunnel).
> >>
> >> Thanks,
> >> Sadiq
> >>
> >>
> >>
> >> On Tue, Sep 6, 2011 at 1:47 PM, Joe Astorino
> >> <joeastorino1982_at_gmail.com> wrote:
> >>
> >> > Hey guys! I think the answer to this question is "no" based on the
> >> > research I've done, but being that I am not an ASA expert (yet), I thought
> >> > I would ask if anybody knows a solution to this problem.
> >> >
> >> > The problem: I have an SSL VPN connection set up at home. When I am VPN in
> >> > I actually want internet tunneled through the ASA. I want to tunnel traffic
> >> > to the LAN 10.1.0.0/16 as well as all internet access through the ASA while
> >> > at the same time NOT tunneling traffic to other internal IP addresses. So
> >> > logically, it would be something like
> >> >
> >> > access-list 1 standard permit 10.1.0.0 255.255.0.0
> >> > access-list 1 standard deny 10.0.0.0 255.0.0.0
> >> > access-list 1 standard deny 172.16.0.0 255.240.0.0
> >> > access-list 1 standard deny 192.168.0.0 255.255.0.0
> >> > access-list 1 standard permit any
> >> >
> >> > I don't think deny is a valid option in the ACL though. Any way to
> >> > accomplish that?
> >> >
> >> > --
> >> > Regards,
> >> >
> >> > Joe Astorino
> >> > CCIE #24347
> >> > Blog: http://astorinonetworks.com
> >> >
> >> > "He not busy being born is busy dying" - Dylan
> >> >
> >> >
> >> > Blogs and organic groups at http://www.ccie.net
> >> >
> >> >
> >> > _______________________________________________________________________
> >> > Subscription information may be found at:
> >> > http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
> >> --
> >> CCIEx2 (R&S|Sec) #19963
> >>
> >>
> >
> >
> > --
> > CCIEx2 (R&S|Sec) #19963
> >
>
>
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> Blog: http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
>
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> Blog: http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
>
>
Received on Tue Sep 06 2011 - 10:47:07 ART
This archive was generated by hypermail 2.2.0 : Sat Oct 01 2011 - 07:26:25 ART