
ASA 5505 Split tunneling based on remote IP address


By maho - Posted on 13 January 2009

From what I have found, the ASA 5505 has no good way to set up split tunneling for a specific client connection if you don't want to allow the user to have split tunneling everywhere. Cisco keeps telling me that the ASA 5505 is able to do everything that the old Cisco VPN Concentrator 3000 could do, but clearly that is not the case :)
There is, however, a workaround for this that I have found quite useful. The trick is to have the user connect with a certificate that matches no certificate map rule and no connection profile; this makes the ASA move on down its matching order and, at the end of that list, try to match the remote peer IP address against connection profile (tunnel group) names. A connection profile named after the client's IP address therefore catches that user, and the split-tunneling group policy can be attached to it. The configuration below assumes ASDM 6.x; 5.x is quite similar, but the menu paths differ, so you might need to improvise.

Client certificate

  1. Create a client certificate whose subject has OU=split-tunneling (the value itself does not matter, as long as it matches no certificate map rule and no connection profile name on the ASA)
  2. Set up a new VPN client connection entry that authenticates with that certificate

ASA Configuration

Certificate mapping policy

This only needs to be set up once

/Remote Access VPN/Network (Client) Access/Advanced/IPsec/Certificate to Connection Profile
Make sure that "Use the peer IP address to determine the group" is checked

Split tunneling group policy

This only needs to be set up once

/Remote Access VPN/Network (Client) Access/Group Policies
Click Add
Name: Split-tunneling
Click More Options
Tunneling Protocols: IPsec

Advanced/Split Tunneling
Policy: Tunnel Network List Below
Network List: [network list containing all internal networks that should go through the tunnel]
Click OK

Split tunneling Group

At this point you need the client's current public IP address, i.e. the source address the ASA sees on the IKE packets (for a client behind NAT, that is the NAT device's address)

/Remote Access VPN/Network (Client) Access/IPsec Connection Profiles
Click Add
Name: [client's public IP address, exactly as the ASA sees it]
Identity Certificate: Select the ASA's identity certificate
Server Group: Select the authentication server group that this user belongs to
Client Address Pools: Select the client address pool(s) to use with this connection
Group Policy: Select the "Split-tunneling" policy
Click OK
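The same configuration expressed as ASA CLI, added here as an example; it is not part of the original post, but the ASDM dialogs above generate equivalent lines. The internal networks, the pool VPN-POOL and its range, the AAA server group LDAP-SRV, the identity trustpoint ASA-ID-CERT and the client address 203.0.113.45 are placeholders to substitute with your own values, and `vpn-tunnel-protocol ipsec` is the ASA 8.0/8.2 keyword that goes with ASDM 6.x.

```cisco
! Added example: ASA CLI equivalent of the ASDM steps above (ASA 8.0/8.2 syntax).
! Names and addresses below are placeholders, not values from the original post.

! --- Certificate to connection profile mapping (set once) ---
! No "crypto ca certificate map" rule may match OU=split-tunneling and no
! tunnel-group may carry that name, so that group matching falls through
! to the peer IP address.
tunnel-group-map enable peer-ip

! --- Networks that go through the tunnel; everything else leaves in the clear ---
access-list SPLIT-TUNNEL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0

! --- Group policy "Split-tunneling" (set once) ---
group-policy Split-tunneling internal
group-policy Split-tunneling attributes
 vpn-tunnel-protocol ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! --- Client address pool handed to the user ---
ip local pool VPN-POOL 10.20.30.1-10.20.30.50 mask 255.255.255.0

! --- Connection profile named after the client's public IP (one per client) ---
! Assumes the AAA server group LDAP-SRV and the identity trustpoint
! ASA-ID-CERT already exist on the ASA.
tunnel-group 203.0.113.45 type remote-access
tunnel-group 203.0.113.45 general-attributes
 address-pool VPN-POOL
 authentication-server-group LDAP-SRV
 default-group-policy Split-tunneling
tunnel-group 203.0.113.45 ipsec-attributes
 trust-point ASA-ID-CERT
```

Once the client has connected, `show vpn-sessiondb remote` should list the session with Tunnel Group 203.0.113.45 and Group Policy Split-tunneling. If it shows a different profile, the certificate matched a certificate map rule or an OU-named profile earlier in the matching order, before the peer-IP check was reached.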

After completing these steps the user should be able to enjoy split tunneling until their public IP address changes, at which point the connection profile name no longer matches and a new profile (or a renamed one) is needed. Keep in mind that the profile is selected by source address alone: any peer connecting from that address with a certificate that matches nothing else lands in the split-tunneling profile, so the authentication server group selected above is what actually vouches for the user, and several clients behind the same NAT address cannot be told apart.
