Antonio,
I think you have guessed it right, i.e. VPN-Filter under group-policy. I usually put something like the following in the vpn-filter ACL:

    access-list vpn-filter-group-1 extended permit tcp 10.x.x.x 255.255.255.0 gt 1023 192.168.x.x 255.255.0.0 eq XYZ

where 10.x.x.x is the SSL VPN subnet, 192.168.x.x is on the core network/DMZ/LAN and XYZ is any service. The key about the vpn-filter ACL is that remote addresses (i.e. the SSL VPN addresses in your case) would always act as the source, even though there would be a chance that an inside/core user would access a service on the remote address. For example, if you want to enable remote desktop functionality from your core to the SSL users, then the vpn-filter ACL would look like the following, in addition to the regular OUTBOUND ACL on the inside interface:

    access-list vpn-filter-group-1 extended permit tcp 10.x.x.x 255.255.255.0 eq 3389 192.168.x.x 255.255.0.0 gt 1023

See page 9 of the following link: http://www.cisco.com/image/gif/paws/99103/pix-asa-vpn-filter.pdf

FNK.

On Mon, Sep 26, 2011 at 8:13 AM, Antonio Soares <[email protected]> wrote:
> It seems we need the vpn-filter defined. We have split-tunneling but we
> don't have the vpn-filter. I will update this topic after the tests we will
> be performing today.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> [email protected]
> http://www.ccie18473.net
>
> From: Piotr Matusiak [mailto:[email protected]]
> Sent: Friday, 23 September 2011 16:47
> To: Antonio Soares
> Cc: CCIE Security Maillist
> Subject: Re: [OSL | CCIE_Security] SSL VPN and RRI
>
> Does your customer use the Split Tunneling 'include' or 'exclude' policy? Are
> there ST routes in the Route Detail tab of the AC Statistics window?
>
> Finally, can you paste a sanitized config?
>
> Regards,
> Piotr
>
> 2011/9/23 Antonio Soares <[email protected]>
>
> Hello Piotr,
>
> Yes, basically it doesn't work as expected. The end user adds static routes
> (Windows route add) and is able to access these networks. The ASA version is
> a little old (8.2.1), do you think this could be a bug?
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> [email protected]
> http://www.ccie18473.net
>
> From: Piotr Matusiak [mailto:[email protected]]
> Sent: Friday, 23 September 2011 15:38
> To: Antonio Soares
> Cc: CCIE Security Maillist
> Subject: Re: [OSL | CCIE_Security] SSL VPN and RRI
>
> Hi Antonio,
>
> It seems like Split tunneling does not work. Do I understand it correctly?
>
> Regards,
> Piotr
>
> 2011/9/23 Antonio Soares <[email protected]>
>
> Hello group,
>
> Need help on this one. A customer has SSL VPN configured with RRI. The customer
> is saying that it works fine, but if the end user statically adds more routes
> to the client machine, the client machine has access to the additional
> routes. This should not be happening. The ASA is running 8.2.1.
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> [email protected]
> http://www.ccie18473.net
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
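To put FNK's two ACL lines into context, here is an added configuration fragment (not from the thread) showing how the vpn-filter binds to the group-policy next to the split-tunnel list. The addresses (10.10.10.0/24 as the SSL VPN pool, 192.168.0.0/16 as the inside space) and the names SSLVPN-GP and SPLIT-TUNNEL are constructed for illustration.

```cisco
! Added example, not from the thread. Addresses and names below are constructed.
!
! The split-tunnel list only tells the AnyConnect client which destinations to
! route into the tunnel; the ASA does not enforce it, which is why a user who
! adds routes with "route add" can reach more than the list says.
access-list SPLIT-TUNNEL standard permit 192.168.0.0 255.255.0.0
!
! The vpn-filter ACL IS enforced by the ASA on every packet that enters or
! leaves the tunnel and ends in an implicit deny, so extra client routes buy
! nothing: anything not permitted here is dropped regardless of client routing.
!
! Rule 1: remote client initiates HTTPS to an inside server. Client is the source.
access-list vpn-filter-group-1 extended permit tcp 10.10.10.0 255.255.255.0 gt 1023 192.168.0.0 255.255.0.0 eq 443
!
! Rule 2: inside host initiates RDP to the remote client. The client is STILL
! written as the source, so the ports are mirrored: client side eq 3389,
! inside side gt 1023 (the inside host's ephemeral source port).
access-list vpn-filter-group-1 extended permit tcp 10.10.10.0 255.255.255.0 eq 3389 192.168.0.0 255.255.0.0 gt 1023
!
! Bind both to the group-policy the SSL VPN users land in.
group-policy SSLVPN-GP internal
group-policy SSLVPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 vpn-filter value vpn-filter-group-1
```

After applying it, a client that adds a static route for a network outside the filter will still see the traffic dropped on the ASA; the vpn-filter hit counts in "show access-list vpn-filter-group-1" show which rule matched.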
