[c-nsp] VPN - restricted split tunnel? (newbie alert)

Ricardo Stella stella at rider.edu
Thu Feb 28 09:55:26 EST 2013


I would have thought this was a common request, however I cannot seem to
find any particular examples.

Currently we have an older ASA 5520, with code level 8.0.3.  What we
would like to have is AnyConnect VPN users to have access to certain
'external' networks, such as their local LAN or certain IP addresses,
while connected to our network.

So far, the only thing we are able to do is:

* Tunnel all traffic - no split tunnel.  When the client connects, they can
only access our internal network.
* Tunnel traffic by a list of networks - split tunnel.  When the client
connects, they can only access the listed IPs of our internal network,
but any other external traffic.
* Deny tunnel traffic by a list of networks - split tunnel.  When the client
connects, they can access all of the internal network except the listed IPs,
but any other external traffic.

I guess the definition of what we want to do is:

* Tunnel all traffic except the list of external IPs - restricted split
tunnel.  When the client connects they can access all of our internal
network (or listed IPs) but also certain external networks/IPs (their
local area network, or a list of IPs/networks defined).

Any ideas?  Thanks in advance...

- See more at:
https://supportforums.cisco.com/thread/2202131?tstart=0#sthash.1iTuuXBw.dpuf
-- 
°((( = (( ===°°° ((( ================================================
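The "tunnel everything except a short list of external networks" behaviour asked for above maps to the ASA's excludespecified split-tunnel policy. The following is an added example, not configuration from the post or from Cisco's documentation; the ACL and group-policy names and the two external subnets are constructed placeholders.

```cisco
! Added example (not from the original post). Names and subnets are assumed.
!
! The three split-tunnel policies the ASA offers, for comparison with the
! list in the post:
!   tunnelall        - everything through the tunnel, no split tunnel
!   tunnelspecified  - only the listed networks through the tunnel
!   excludespecified - everything through the tunnel EXCEPT the listed networks
!
! Standard ACL naming what must stay OUT of the tunnel: two constructed
! external subnets plus the client's own local LAN.
access-list SPLIT_EXCLUDE standard permit 203.0.113.0 255.255.255.0
access-list SPLIT_EXCLUDE standard permit 198.51.100.0 255.255.255.0
! "host 0.0.0.0" is the ASA convention for "the client's local LAN"
! (what the ASDM "Allow Local LAN access" checkbox generates).
access-list SPLIT_EXCLUDE standard permit host 0.0.0.0
!
group-policy ANYCONNECT_RESTRICTED internal
group-policy ANYCONNECT_RESTRICTED attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT_EXCLUDE
```

Traffic to the excluded networks bypasses the tunnel and therefore any inspection done at the head end, so the exclude list should stay as short as the requirement allows. The local-LAN entry only takes effect when the AnyConnect client profile also permits local LAN access (the LocalLanAccess setting), which is an assumption about the client side that the post does not cover.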