Very nice explanation. Thanks.
Best Regards.
______________________
Adil

On Sep 26, 2011, at 9:21 PM, Fawad Khan wrote:

> Antonio,
>
> I think you have guessed it right, i.e. VPN-Filter under group-policy. I
> usually put something like the following in the vpn-filter acl.
>
> access-list vpn-filter-group-1 extended permit tcp 10.x.x.x 255.255.255.0 gt 1023 192.168.x.x 255.255.0.0 eq XYZ
>
> where 10.x.x.x is the ssl vpn subnet, 192.168.x.x is on the core
> network/dmz/lan and XYZ is any service.
>
> The key about the vpn-filter ACL is that..... remote addresses (i.e. the SSL VPN
> address in your case) would always act as a source, even though there would
> be a chance that an inside/core user would access a service on the remote
> address. For example, if you want to enable remote desktop functionality
> from your core to the ssl users then the vpn-filter acl would look like the
> following, in addition to the regular OUTBOUND ACL on the inside interface.
>
> access-list vpn-filter-group-1 extended permit tcp 10.x.x.x 255.255.255.0 eq 3389 192.168.x.x 255.255.0.0 gt 1023
>
> See page 9 of the following link.
> http://www.cisco.com/image/gif/paws/99103/pix-asa-vpn-filter.pdf
>
> FNK.
>
> On Mon, Sep 26, 2011 at 8:13 AM, Antonio Soares <[email protected]> wrote:
>
> It seems we need the vpn-filter defined. We have split-tunneling but we don't
> have the vpn-filter. I will update this topic after the tests we will be
> performing today.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> [email protected]
> http://www.ccie18473.net
>
> From: Piotr Matusiak [mailto:[email protected]]
> Sent: Friday, 23 September 2011 16:47
> To: Antonio Soares
> Cc: CCIE Security Maillist
> Subject: Re: [OSL | CCIE_Security] SSL VPN and RRI
>
> Does your customer use the Split Tunneling 'include' or 'exclude' policy? Are
> there ST routes in the Route Detail tab of the AC Statistics window?
>
> Finally, can you paste a sanitized config?
>
> Regards,
> Piotr
>
> 2011/9/23 Antonio Soares <[email protected]>
>
> Hello Piotr,
>
> Yes, basically it doesn't work as expected. The end user adds static routes
> (Windows route add) and is able to access these networks. The ASA version is
> a little old (8.2.1), do you think this could be a bug?
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> [email protected]
> http://www.ccie18473.net
>
> From: Piotr Matusiak [mailto:[email protected]]
> Sent: Friday, 23 September 2011 15:38
> To: Antonio Soares
> Cc: CCIE Security Maillist
> Subject: Re: [OSL | CCIE_Security] SSL VPN and RRI
>
> Hi Antonio,
>
> It seems like Split tunneling does not work. Do I understand it correctly?
>
> Regards,
> Piotr
>
> 2011/9/23 Antonio Soares <[email protected]>
>
> Hello group,
>
> Need help on this one. A customer has SSL VPN configured with RRI. The customer
> is saying that it works fine, but if the end user statically adds more routes
> to the client machine, the client machine has access to the additional
> routes. This should not be happening. The ASA is running 8.2.1.
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> [email protected]
> http://www.ccie18473.net

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
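An added configuration example (not posted by anyone in this thread) that puts the two pieces discussed above side by side on an ASA 8.2-style config: the split-tunnel list, which only steers client routing, and the vpn-filter ACL, which the ASA enforces regardless of what routes the user adds locally. All names and addresses (SSL-GP, SSL-TG, SSL-POOL, VPN-FILTER-GROUP-1, SPLIT-TUNNEL, 10.10.10.0/24, 192.168.0.0/16) are made up for illustration.

```cisco
! Split-tunnel list: tells the AnyConnect client which destinations to send
! into the tunnel. It is a client-side routing hint only; a user with local
! admin rights can still add routes, which is exactly the symptom in the thread.
access-list SPLIT-TUNNEL standard permit 192.168.0.0 255.255.0.0

! vpn-filter ACL: evaluated on the ASA for every packet to or from the VPN
! pool, in both directions. The VPN client address is ALWAYS the source field,
! whichever side opened the connection, and anything not permitted here is
! dropped by the implicit deny at the end.
!
! Client-initiated HTTPS to the core network:
access-list VPN-FILTER-GROUP-1 extended permit tcp 10.10.10.0 255.255.255.0 gt 1023 192.168.0.0 255.255.0.0 eq 443
! Core-initiated RDP to the client: still written with the client as source,
! so the client side carries port 3389 and the core host the ephemeral port.
access-list VPN-FILTER-GROUP-1 extended permit tcp 10.10.10.0 255.255.255.0 eq 3389 192.168.0.0 255.255.0.0 gt 1023

! Address pool handed to SSL VPN clients (the "remote" side of the filter).
ip local pool SSL-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

group-policy SSL-GP internal
group-policy SSL-GP attributes
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 ! Bind the filter to the group policy; this is the server-side control that
 ! holds even when the split-tunnel routes on the client are tampered with.
 vpn-filter value VPN-FILTER-GROUP-1

tunnel-group SSL-TG type remote-access
tunnel-group SSL-TG general-attributes
 address-pool SSL-POOL
 default-group-policy SSL-GP
```

With this in place, a client that adds a static route for a subnet outside 192.168.0.0/16 still gets its packets dropped by the filter, and `show asp drop` on the ASA will count them under the ACL drop reason.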
