30-45
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
Chapter 30 Configuring Connection Profiles, Group Policies, and Users
Group Policies
Setting the Split-Tunneling Policy
Set the rules for tunneling traffic by specifying the split-tunneling policy:
hostname(config-group-policy)#
split-tunnel-policy
{
tunnelall
|
tunnelspecified
|
excludespecified
}
hostname(config-group-policy)#
no split-tunnel-policy
The default is to tunnel all traffic. To set a split tunneling policy, enter the
split-tunnel-policy
command
in group-policy configuration mode. To remove the
split-tunnel-policy
attribute from the running
configuration, enter the
no
form of this command. This enables inheritance of a value for split tunneling
from another group policy.
The
excludespecified
keyword defines a list of networks to which traffic goes in the clear. This feature
is useful for remote users who want to access devices on their local network, such as printers, while they
are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN
client.
The
tunnelall
keyword specifies that no traffic goes in the clear or to any other destination than the
security appliance. This, in effect, disables split tunneling. Remote users reach Internet networks
through the corporate network and do not have access to local networks. This is the default option.
The
tunnelspecified
keyword tunnels all traffic from or to the specified networks. This option enables
split tunneling. It lets you create a network list of addresses to tunnel. Data to all other addresses travels
in the clear and is routed by the remote user’s Internet service provider.
Note
Split tunneling is primarily a traffic management feature, not a security feature. For optimum security,
we recommend that you do not enable split tunneling.
The following example shows how to set a split tunneling policy of tunneling only specified networks
for the group policy named FirstGroup:
hostname(config)#
group-policy FirstGroup attributes
hostname(config-group-policy)#
split-tunnel-policy tunnelspecified
Creating a Network List for Split-Tunneling
Create a network list for split tunneling using the
split-tunnel-network-list
command in group-policy
configuration mode.
hostname(config-group-policy)#
split-tunnel-network-list
{
value
access-list_name
|
none
}
hostname(config-group-policy)#
no split-tunnel-network-list value
[
access-list_name
]
Split tunneling network lists distinguish networks that require traffic to travel across the tunnel from
those that do not require tunneling. The security appliance makes split tunneling decisions on the basis
of a network list, which is an ACL that consists of a list of addresses on the private network. Only
standard-type ACLs are allowed.
The
value
access-list name
parameter identifies an access list that enumerates the networks to tunnel or
not tunnel.
The
none
keyword indicates that there is no network list for split tunneling; the security appliance
tunnels all traffic. Specifying the
none
keyword sets a split tunneling network list with a null value,
thereby disallowing split tunneling. It also prevents inheriting a default split tunneling network list from
a default or specified group policy.
Summary of Contents for 500 Series
Page 38: ...Contents xxxviii Cisco Security Appliance Command Line Configuration Guide OL 12172 03 ...
Page 45: ...P A R T 1 Getting Started and General Information ...
Page 46: ......
Page 277: ...P A R T 2 Configuring the Firewall ...
Page 278: ......
Page 561: ...P A R T 3 Configuring VPN ...
Page 562: ......
Page 891: ...P A R T 4 System Administration ...
Page 892: ......
Page 975: ...P A R T 5 Reference ...
Page 976: ......