Split Tunnel Policy Tunnelspecified



Split tunneling is used when you want remote VPN users to reach Internet resources directly while connected to the corporate VPN, instead of routing that traffic through the tunnel. Traffic to the internal corporate LAN still goes through the encrypted VPN tunnel, but everything else leaves the client directly over the public Internet. The trade-off is that the client's Internet traffic bypasses whatever inspection sits behind the corporate egress, and the client is attached to both networks at once; the alternative, split-tunnel-policy tunnelall, sends all traffic through the tunnel. A group policy with split tunneling looks like this (tunnelspecified means only the networks listed in the split-tunnel-network-list ACL are tunneled):

    group-policy vpnpolicy attributes
     wins-server value ipaddress1 ipaddress2
     dns-server value ipaddress1 ipaddress2
     vpn-tunnel-protocol IPSec svc webvpn
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value AdminSplit
     default-domain value yourdomain.local
     split-dns value yourdomain.local yourdomain.com
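A split-tunnel group policy beside a full-tunnel one, as an added example that is not configuration from the original page. The ACL name AdminSplit comes from the page; the LAN 192.168.10.0/24, the DNS server address, the policy name fullpolicy and the interface layout are assumptions for illustration.

```cisco
! Added example, not the original page's configuration.
! Assumptions: the corporate LAN is 192.168.10.0/24 and the internal DNS
! server is 192.168.10.5.

! Standard ACL naming the destinations that must go through the tunnel.
! Only these are encrypted; all other client traffic exits locally.
access-list AdminSplit standard permit 192.168.10.0 255.255.255.0

! Split-tunnel policy: the ACL above is consulted for every destination.
group-policy vpnpolicy internal
group-policy vpnpolicy attributes
 dns-server value 192.168.10.5
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AdminSplit
 default-domain value yourdomain.local
 split-dns value yourdomain.local

! Full-tunnel alternative for comparison: no network list is used, and the
! client's Internet traffic also traverses the tunnel, so it is subject to
! the corporate egress controls.
group-policy fullpolicy internal
group-policy fullpolicy attributes
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelall

! Bind the split-tunnel policy to the remote-access tunnel group.
tunnel-group remoteusers general-attributes
 default-group-policy vpnpolicy
```

On ASA 8.4 and later the protocol keywords are `vpn-tunnel-protocol ikev1 ssl-client` rather than the older `IPSec svc webvpn` shown above; the split-tunnel lines are the same on both.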

There are some issues you really can’t foresee until you happen to be in that situation. Management access to a Cisco ASA through a VPN tunnel is one of them. In this article, I will explain the problem and then discuss various solutions.


We will use the network diagram below for our lab scenario:

In the diagram above, when a remote VPN client connects (via VPN) to the ASA, it should have access to the LAN behind the ASA. This is standard remote access VPN and can be achieved with the following configuration on the ASA:

Having set up the Cisco VPN client on my system, I can connect to the VPN tunnel as shown below:

I have a router on the LAN with an IP address of 192.168.10.10 and I can check that the remote user can ping that router successfully.

Cool! But what happens if I try to ping the inside interface of the ASA?

The ping is not successful. In fact, you cannot reach the ASA on that interface with Telnet, SSH, ASDM or ping when connected through a VPN tunnel. The reason is that, by default, the ASA only accepts management traffic on the interface the traffic enters; a VPN client terminates on the outside interface, so the inside interface address is not reachable for management. To show that normal LAN users behind the ASA can ping that interface, I will test from the router that I have on the LAN.

The question then becomes, “How do you manage an ASA that you have terminated a VPN tunnel to?” There are three ways this can be done.

Solution 1: Allow SSH on the outside interface

This solution allows remote access to the ASA whether or not a VPN tunnel is terminated. SSH is the only sensible choice here, since Telnet sends credentials and session contents in cleartext. If you have a static public IP address (one that does not change), you can restrict SSH so that only that address is accepted on the outside interface.

Some administrators are not comfortable with this method, since it exposes the ASA's management plane on the public interface and so enlarges the attack surface of the network.

Solution 2: Connect to a LAN device and hop from that device to the ASA

Another way to solve this (which can be quite tedious) is to hop from another device to the ASA. For example, I will configure SSH on my local router, log in to the router from the remote user’s machine, and then SSH from there to the ASA. For this to work, we need to allow LAN users (or just the LAN router, whichever works for you) to SSH to the ASA:
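The ASA side of Solution 1 and Solution 2 together, as an added example that is not the article's own configuration (the article's screenshots are not reproduced). The LAN router 192.168.10.10 is the one from the article; the administrator's static public address 203.0.113.10, the local account and the interface names outside and inside are assumptions.

```cisco
! Added example, not the original article's configuration.
! Assumptions: interfaces are named outside/inside, the administrator's
! static public address is 203.0.113.10, and a local account is used.

! Local administrator account and SSH authentication against it.
username admin password ChangeMe123 privilege 15
aaa authentication ssh console LOCAL

! RSA host key for SSH (exec-mode command, generated once).
crypto key generate rsa modulus 2048

! Solution 1: SSH on the public interface, but only from one static address.
! There is deliberately no "telnet ... outside" line: Telnet is cleartext,
! and the ASA refuses Telnet on its lowest-security interface anyway.
ssh 203.0.113.10 255.255.255.255 outside
ssh version 2
ssh timeout 10

! Solution 2: SSH on the inside interface from the LAN router only. A VPN
! user SSHes to 192.168.10.10 first and hops from there to the ASA.
ssh 192.168.10.10 255.255.255.255 inside
```

Check the result with `show running-config ssh`; any attempt from an address not listed is simply dropped rather than prompted for credentials.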

Solution 3: Configure the inside interface for management access

I actually saved the best for last. According to the Cisco command reference, “To allow management access to an interface other than the one from which you entered the ASA when using VPN, use the management-access command in global configuration mode.”

In our case, we can configure management-access inside so that VPN users that connect from the outside can manage the ASA on the inside interface. This means they will be able to use Telnet, SSH, ping or ASDM to reach the ASA. Only one interface can be designated with this command. You also still need to explicitly permit the remote-access VPN address pool in the telnet, ssh, http and icmp commands for the inside interface; management-access by itself does not open any protocol. If NAT rules cover traffic between the inside network and the VPN pool, an identity (NAT exemption) rule is also required; see the NAT and VPN Management Access reference under Further reading.


Note: I was very restrictive with my ACL to make sure I only allowed the IP addresses in the VPN pool, i.e. 192.168.20.10 – 20.
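Solution 3 in full, as an added example that is not the article's own configuration. The pool 192.168.20.10–20 and the inside interface name come from the article; the ICMP and ASDM lines are assumptions about which management protocols you want to expose. Because the pool does not fall on a single mask boundary, the example shows the four smallest covering blocks instead of a loose /24 or /27 that would admit addresses outside the pool.

```cisco
! Added example, not the original article's configuration.
! Assumptions: the VPN pool is 192.168.20.10-192.168.20.20 (from the
! article), the inside interface is named "inside", and you want SSH,
! ping and ASDM but not Telnet.

! Let VPN clients that enter on "outside" address the inside interface IP.
! Only one interface may be designated with this command.
management-access inside

! SSH from the pool only. .10-.20 is not a single mask, so it is written as
! .10/31, .12/30, .16/30 and .20/32 rather than a broader block.
ssh 192.168.20.10 255.255.255.254 inside
ssh 192.168.20.12 255.255.255.252 inside
ssh 192.168.20.16 255.255.255.252 inside
ssh 192.168.20.20 255.255.255.255 inside
ssh version 2
ssh timeout 10

! Ping to the inside IP from the same hosts.
icmp permit 192.168.20.10 255.255.255.254 inside
icmp permit 192.168.20.12 255.255.255.252 inside
icmp permit 192.168.20.16 255.255.255.252 inside
icmp permit 192.168.20.20 255.255.255.255 inside

! ASDM (HTTPS) from the same hosts. No "telnet ... inside" line on purpose.
http server enable
http 192.168.20.10 255.255.255.254 inside
http 192.168.20.12 255.255.255.252 inside
http 192.168.20.16 255.255.255.252 inside
http 192.168.20.20 255.255.255.255 inside
```

Verify with `show running-config management-access` and `show running-config ssh`, then test from a VPN client with an address inside the pool and from one just outside it (for example 192.168.20.21 if your pool is ever enlarged) to confirm that the masks really do fence off the pool.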

With this configuration, I can now ping and even SSH to the ASA’s inside IP address:

Summary


In this article, we have discussed the problem of not being able to manage a Cisco ASA after terminating a VPN tunnel to it. We looked at various ways to get around this issue, including enabling SSH on the public interface of the ASA, hopping from a device on the LAN after terminating the VPN tunnel, and finally, using the management-access command to allow VPN users to manage the ASA on the inside interface.


I hope you have found this article helpful.

Further reading

  • Cisco ASA Series Command Reference – management-access: http://www.cisco.com/c/en/us/td/docs/security/asa/command-reference/cmdref/m1.html#pgfId-2112283
  • NAT and VPN Management Access: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html#wp1244792

This is an example of a clean Easy VPN (EzVPN) Server configuration with Network Extension Mode (NEM) and split tunneling, for Cisco ASA software version 8.4. The Cisco website has some more sample configurations, but they tend to be entire device configurations rather than just the changes that need applying to a clean or existing device configuration, and they have not been updated since the NAT configuration syntax changed in ASA 8.3, which makes NAT configurations from 8.3 onwards incompatible with earlier versions.


This has been tested on a pair of Cisco ASA devices running software 8.4(2), on the ASA5505 with base licence (part number ASA5505-BUN-K9, available for about £185+VAT new from reputable places).


Sections in bold are ones you will almost certainly need or want to change for your specific configuration.
Sections in italics show names that I have chosen myself; they can be changed in your configuration, as long as you are consistent and change every occurrence of that name.


In contrast, the client side is much easier