[c-nsp] VPN - restricted split tunnel? (newbie alert)

Garrett Skjelstad garrett at skjelstad.org
Thu Feb 28 10:57:56 EST 2013


Don't forget ACLs have permits and denies, and work in an ordered list...

Permit (tunnel) the ones you want, deny (split) the ones you don't.

External or internal IPs don't matter; an ACE is an ACE.

-Garrett

Sent from my iPhone 5

On Feb 28, 2013, at 6:55, Ricardo Stella <stella at rider.edu> wrote:

> 
> I would have thought this was a common request, however I cannot seem to
> find any particular examples.
> 
> Currently we have an older ASA 5520, with code level 8.0.3.  What we
> would like to have is AnyConnect VPN users to have access to certain
> 'external' networks, such as their local LAN or certain IP addresses,
> while connected to our network.
> 
> So far, the only things we are able to do are:
> 
> * Tunnel all traffic - no split tunnel.  When the client connects, they can
> only access our internal network.
> * Tunnel traffic by a list of networks - split tunnel.  When the client
> connects, they can only access the listed IPs of our internal network,
> but any other external traffic.
> * Deny tunnel traffic by a list of networks - split tunnel.  When the client
> connects, they can access all of the internal network except the listed IPs,
> but any other external traffic.
> 
> I guess the definition of what we want to do is:
> 
> * Tunnel all traffic except the list of external IPs - restricted split
> tunnel.  When the client connects they can access all of our internal
> network (or listed IPs) but also certain external networks/IPs (their
> local area network, or a list of IPs/networks defined).
> 
> Any ideas?  Thanks in advance...
> 
> -- 
> °((( = (( ===°°° ((( ================================================
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
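For the "tunnel everything except a few external networks" case Ricardo describes, here is an ASA 8.x group-policy built around an exclusion list. This is an added example, not configuration from either post; the ACL and group-policy names and the addresses are placeholders.

```text
! Added example (not from either post): restricted split tunnel on an ASA.
! All client traffic goes through the tunnel EXCEPT the networks listed in
! SPLIT-EXCLUDE, which the client reaches directly. Names/addresses are
! placeholders chosen for illustration.
!
! 'permit host 0.0.0.0' is the entry Cisco documents for excluding the
! client's directly connected local LAN, whatever subnet that happens to be.
! The AnyConnect client profile must also have LocalLanAccess enabled.
access-list SPLIT-EXCLUDE standard permit host 0.0.0.0
! Specific external networks/hosts the client should reach outside the tunnel
! (placeholder documentation-range addresses):
access-list SPLIT-EXCLUDE standard permit 198.51.100.0 255.255.255.0
access-list SPLIT-EXCLUDE standard permit host 203.0.113.10
!
! excludespecified = tunnel everything, except what the list names.
! (tunnelspecified would invert this: tunnel ONLY what the list names.)
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT-EXCLUDE
```

Keep the exclusion list as short as possible and review it periodically: every excluded network is traffic that bypasses the headend's inspection and logging while the user is connected.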