Re: OT: ASA Split-Tunnels from Joe Astorino on 2011-09-06 (Ccielab archives 09/2011)

From: Joe Astorino <joeastorino1982_at_gmail.com>
Date: Tue, 6 Sep 2011 12:36:07 -0400

Just a matter of convenience. Sure, I could tunnel traffic ONLY to
10.1.0.0/16 and then do something neat like SSH tunneling for internet
access but that is just kind of a pain because I have to open an SSH
session, reconfigure my browser for a SOCKS5 proxy, etc every time.

Sounds like it would be more trouble than it is worth if it is even
possible. Thanks for the feedback everybody!

On Tue, Sep 6, 2011 at 10:50 AM, Steve Means <smeans_at_ccbootcamp.com> wrote:

> Are you set on doing it this way because the work FW/proxy/whatever only
> allows an exclusion for SSL to your home address? If not (SSL is open)
> then just tunnel the home network traffic and use a different method to
> bypass proxy/web filtering, I use an ironkey for instance that has its
> own TOR network.
>
> Or if this is just an exercise, carry on. ;)
>
> Steve Means
> CCSP/CCNP
> CCSI# 32951
> Instructor / Consultant
> Email: smeans_at_ccbootcamp.com
> Toll Free: 877-654-2243
> International: +1-702-968-5100
> Skype: skype:ccbootcamp?call
> FAX: +1-702-446-0357
> Training And Remote Racks: http://www.ccbootcamp.com
>
>
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Joe Astorino
> Sent: Tuesday, September 06, 2011 7:02 AM
> To: Brad Edgeworth
> Cc: Ryan West; Sadiq Yakasai; Timothy Chin; Cisco certification
> Subject: Re: OT: ASA Split-Tunnels
>
> I suppose if I really wanted to I could get nasty with the ACL like
> this...basically excluding everything except the entire 10.0.0.0/8 minus
> my
> 10.1.0.0/16. I wanted to avoid that though is possible.
>
> access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard remark 10.0.0.0 -
> 10.31.255.255 ...
> access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.0.0.0
> 255.255.0.0
> access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.2.0.0
> 255.255.0.0
> access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.3.0.0
> 255.255.0.0
> access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.4.0.0
> 255.255.0.0
> ...
> ...
> access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.31.0.0
> 255.255.0.0
>
> access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard remark 10.32.0.0 -
> 10.127.255.255
> access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.32.0.0
> 255.224.0.0
> access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.64.0.0
> 255.224.0.0
> access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.96.0.0
> 255.224.0.0
>
> access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard remark 10.128.0.0 -
> 10.255.255.255
> access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.128.0.0
> 255.128.0.0
>
> access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard remark other RFC1918
> access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 172.16.0.0
> 255.240.0.0
> access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 192.168.0.0
> 255.255.0.0
>
>
> On Tue, Sep 6, 2011 at 9:54 AM, Joe Astorino
> <joeastorino1982_at_gmail.com>wrote:
>
> > Thanks Brad. I fear I still have a problem though, because my home
> network
> > is 10.1.0.0/16 but the corporate network uses address space in all
> three
> > of the RFC1918 allocations. So, if I used an exclusion like you have
> done I
> > would have to find a way to exclude 10.0.0.0/8, 172.16.0.0/12, and
> > 192.168.0.0/16 but not exclude 10.1.0.0/16 at the same time and THAT
> is
> > my problem here.
> >
> > Too bad ASA ACLs don't use wildcard masks or I could get creative
> there....
> >
> >
> >
> >
> >
> > On Tue, Sep 6, 2011 at 9:49 AM, Brad Edgeworth <edgie512_at_gmail.com>
> wrote:
> >
> >> Joe, that is correct... I used to do the same thing to allow me to
> keep
> >> a VPN connection up to my home network (while at work) and still
> access work
> >> resources (& bypass corporate Internet proxies...) :-)
> >>
> >> Here is a snippet of relevant config on my Home ASA.
> >>
> >>
> >> group-policy GP_SVC_SPLIT_EXCEPT attributes
> >> banner value This is SPLIT-TUNNELLED-EXCEPT.
> >> split-tunnel-policy excludespecified
> >> split-tunnel-network-list value ANYCONNECT_SPLITTUNNEL_EXCEPT
> >>
> >> access-list ANYCONNECT_SPLITTUNNEL_EXCEPT standard permit 10.0.0.0
> >> 255.0.0.0
> >>
> >>
> >>
> >> My corporate space was 10.0.0.0/8 & my home space was 192.168.0.0/16
> >>
> >> -Brad
> >>
> >>
> >> On Tue, Sep 6, 2011 at 8:32 AM, Joe Astorino
> <joeastorino1982_at_gmail.com>wrote:
> >>
> >>
> >>> Thanks for the feedback. I'm not sure I'm following you though.
> Let's
> >>> make
> >>> sure we are on the same page
> >>>
> >>> The network I want to access behind the ASA is 10.1.0.0/16. I also
> want
> >>> to
> >>> tunnel through the ASA for internet access. The corporate network I
> am
> >>> accessing the VPN from is the rest of the RFC1918 space. I want to
> be
> >>> able
> >>> to remain connected to corporate resources while at the same time
> tunnel
> >>> traffic to 10.1.0.0/16 and the internet.
> >>>
> >>> When you say "interesting traffic ACL" do you mean the ACL used for
> the
> >>> split tunnel? This is remote access VPN so I'm not sure I follow.
> >>> Secondly, if I used a VPN filter, wouldn't that just block the
> traffic
> >>> after
> >>> it was already tunneled to the ASA?
> >>>
> >>> On Tue, Sep 6, 2011 at 9:24 AM, Ryan West <rwest_at_zyedge.com>
> wrote:
> >>>
> >>> > I've done interesting traffic acls like this. You could us a
> vpn-filter
> >>> to
> >>> > block the traffic.
> >>> >
> >>> > Sent from handheld
> >>> >
> >>> > On Sep 6, 2011, at 8:17 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com>
> >>> wrote:
> >>> >
> >>> > > Right, you are right - my memory must be getting foggy on it.
> Thanks!
> >>> > >
> >>> > > On Tue, Sep 6, 2011 at 2:06 PM, Timothy Chin <tim_at_1csol.com>
> wrote:
> >>> > >
> >>> > >> I don't think an extended ACL is required for split tunnels.
> I've
> >>> > >> configured them using standard ACLs with no problems.
> >>> > >>
> >>> > >> Timothy Chin
> >>> > >> CCIE #23866
> >>> > >>
> >>> > >> -----Original Message-----
> >>> > >> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On
> >>> Behalf Of
> >>> > >> Sadiq Yakasai
> >>> > >> Sent: Tuesday, September 06, 2011 9:02 AM
> >>> > >> To: Joe Astorino
> >>> > >> Cc: Cisco certification
> >>> > >> Subject: Re: OT: ASA Split-Tunnels
> >>> > >>
> >>> > >> Hi Joe,
> >>> > >>
> >>> > >> First, to split-tunnel, you require an extended ACL.
> >>> > >>
> >>> > >> Secondly, can you be abit more informative with the topology
> please?
> >>> Are
> >>> > >> you
> >>> > >> terminating the SSL on the outside? But the split tunnelled
> networks
> >>> sit
> >>> > >> on
> >>> > >> the "inside" of the ASA" I havent worked this one out from your
> >>> post.
> >>> > >>
> >>> > >> Below is an example:
> >>> > >>
> >>> > >> access-list SPLIT_TUNNEL extended permit ip 132.1.0.0
> 255.255.0.0
> >>> any
> >>> > >> access-list SPLIT_TUNNEL extended permit ip 150.1.0.0
> 255.255.0.0
> >>> any
> >>> > >>
> >>> > >> This would basically funnels these networks through the tunnel.
> >>> > >> Everything
> >>> > >> else does NOT go through the tunnel. If you do not specify an
> ACL,
> >>> then
> >>> > >> everything goes through the tunnel. You do not put deny
> statements
> >>> in
> >>> > >> the
> >>> > >> ACL (to exclude networks via the tunnel).
> >>> > >>
> >>> > >> Thanks,
> >>> > >> Sadiq
> >>> > >>
> >>> > >>
> >>> > >>
> >>> > >> On Tue, Sep 6, 2011 at 1:47 PM, Joe Astorino
> >>> > >> <joeastorino1982_at_gmail.com>wrote:
> >>> > >>
> >>> > >>> Hey guys! I think the answer to this question is "no" based
> on the
> >>> > >>> research
> >>> > >>> I've done, but being that I am not an ASA expert (yet), I
> thought I
> >>> > >> would
> >>> > >>> ask if anybody knows a solution to this problem.
> >>> > >>>
> >>> > >>> The problem: I have an SSL VPN connection set up at home.
> When I
> >>> am
> >>> > >> VPN in
> >>> > >>> I actually want internet tunneled through the ASA. I want to
> >>> tunnel
> >>> > >>> traffic
> >>> > >>> to the LAN 10.1.0.0/16 as well as all internet access through
> the
> >>> ASA
> >>> > >>> while
> >>> > >>> at the same time NOT tunneling traffic to other internal IP
> >>> addresses.
> >>> > >> So
> >>> > >>> logically, it would be something like
> >>> > >>>
> >>> > >>> access-list 1 standard permit 10.1.0.0 255.255.0.0
> >>> > >>> access-list 1 standard deny 10.0.0.0 255.0.0.0
> >>> > >>> access-list 1 standard deny 172.16.0.0 255.240.0.0
> >>> > >>> access-list 1 standard deny 192.168.0.0 255.255.0.0
> >>> > >>> access-list 1 standard permit any
> >>> > >>>
> >>> > >>> I don't think deny is a valid option in the ACL though. Any
> way to
> >>> > >>> accomplish that?
> >>> > >>>
> >>> > >>> --
> >>> > >>> Regards,
> >>> > >>>
> >>> > >>> Joe Astorino
> >>> > >>> CCIE #24347
> >>> > >>> Blog: http://astorinonetworks.com
> >>> > >>>
> >>> > >>> "He not busy being born is busy dying" - Dylan
> >>> > >>>
> >>> > >>>
> >>> > >>> Blogs and organic groups at http://www.ccie.net
> >>> > >>>
> >>> > >>>
> >>> > >>
> >>>
> _______________________________________________________________________
> >>> > >>> Subscription information may be found at:
> >>> > >>> http://www.groupstudy.com/list/CCIELab.html
> >>> > >>>
> >>> > >>>
> >>> > >>>
> >>> > >>>
> >>> > >>>
> >>> > >>>
> >>> > >>>
> >>> > >>>
> >>> > >>
> >>> > >>
> >>> > >> --
> >>> > >> CCIEx2 (R&S|Sec) #19963
> >>> > >>
> >>> > >>
> >>> > >> Blogs and organic groups at http://www.ccie.net
> >>> > >>
> >>> > >>
> >>>
> _______________________________________________________________________
> >>> > >> Subscription information may be found at:
> >>> > >> http://www.groupstudy.com/list/CCIELab.html
> >>> > >>
> >>> > >>
> >>> > >>
> >>> > >>
> >>> > >>
> >>> > >>
> >>> > >>
> >>> > >>
> >>> > >
> >>> > >
> >>> > > --
> >>> > > CCIEx2 (R&S|Sec) #19963
> >>> > >
> >>> > >
> >>> > > Blogs and organic groups at http://www.ccie.net
> >>> > >
> >>> > >
> >>>
> _______________________________________________________________________
> >>> > > Subscription information may be found at:
> >>> > > http://www.groupstudy.com/list/CCIELab.html
> >>> > >
> >>> > >
> >>> > >
> >>> > >
> >>> > >
> >>> > >
> >>> > >
> >>> >
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>>
> >>> Regards,
> >>>
> >>> Joe Astorino
> >>> CCIE #24347
> >>> Blog: http://astorinonetworks.com
> >>>
> >>> "He not busy being born is busy dying" - Dylan
> >>>
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>>
> >>>
> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >
> >
> >
> > --
> > Regards,
> >
> > Joe Astorino
> > CCIE #24347
> > Blog: http://astorinonetworks.com
> >
> > "He not busy being born is busy dying" - Dylan
> >
> >
>
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> Blog: http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>

-- 
Regards,
Joe Astorino
CCIE #24347
Blog: http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
Blogs and organic groups at http://www.ccie.net

Received on Tue Sep 06 2011 - 12:36:07 ART

This archive was generated by hypermail 2.2.0 : Sat Oct 01 2011 - 07:26:25 ART