
Split tunneling question

sk_
Contributor

Re: Split tunneling question

Thanks! I'll give that a shot. By "Exclude Access" do you mean "Deny Access"? (I only have Allow, Deny, Detailed.) Also, it changes my 255.255.255.255 to 10.175.0.100:*; is that correct? Thanks, sk
SHKM_
Frequent Contributor

Re: Split tunneling question

Hi Sk, yes, deny access, and the 255.255.255.255 gets removed as you mention. It's fine.


kenlars_
Super Contributor

Re: Split tunneling question

Make sure you are in the "Network Connect split tunneling policies" and not "Network Connect access policies". The potential actions should be "Allow access" and "Exclude access".

The "255.255.255.255" mask will be stripped off, since it is a host route, but you should not see the colon and asterisk after the address.

Ken

sk_
Contributor

Re: Split tunneling question

Thanks Ken, I sure was on the wrong page.

I did have an ACCESS policy of icmp://*:*, tcp://*:* and udp://*:*, and while testing today I found that this was effectively enabling at least some sort of split tunneling even though split tunneling was disabled.

Is that by design? I thought the access policy was strictly the allowed access on the tunneled routes?

SHKM_
Frequent Contributor

Re: Split tunneling question

Hi sk,

What is the SA version you're using? In SA 7.x versions, the split tunnel policy takes effect when split tunnel is enabled on the role.

Thanks,

sk_
Contributor

Re: Split tunneling question

7.2 R4. Split tunneling is disabled in the role.

SHKM_
Frequent Contributor

Re: Split tunneling question

Ok... if that is the case, then the User > Resource policies > VPN tunneling > Split tunneling networks policy will not be used. You need to enable split tunnel on the role.

thanks,

sk_
Contributor

Re: Split tunneling question

Without creating the split tunneling policy, and with split tunneling disabled, my remote user with an ip address of 10.36.20.97 can still ping and print to 10.36.24.28. Aren't all local resources supposed to be blocked when split tunneling is disabled? Thanks
SHKM_
Frequent Contributor

Re: Split tunneling question

Hi Sk,

This needs to be analyzed; please contact JTAC.

Thanks,

mattspierce_
Frequent Contributor

Re: Split tunneling question

I'm running into an issue with split tunneling as well. We have pretty much our entire 10.x.x.x network utilized in various test networks. We have a product range that uses 10.10.10.x and 10.10.20.x that we have worked around with a very likely overly complicated allow rule. The problem crops up when a contractor connected to our network and they used the network range 10.60.100.0/24. I changed our Test allow rule to a Detailed rule, then denied that range for the contractor role, then allowed the networks for all roles. This isn't working though. Can anyone point out where I went wrong? Also, if I understand this, I can change the Test policy to use the resource 10.0.0.0/8 and let the detailed rule allow statement handle the mishmash of 10.x.x.x networks that should come across the tunnel.

SA4500 v7.2 r3

The role is set to use Junos Pulse

Split tunneling is allowed.

Route Precedence is set to Tunnel Route

Split Tunnel Resource Policy: Test

Detailed Rules:

1. Deny 10.60.100.0/24
If: role = 'contractor'
2. Allow 10.0.0.0/13, 10.8.0.0/16, 10.9.0.0/16, 10.10.0.0/21, 10.10.12.0/23, 10.10.14.0/23, 10.10.16.0/23, 10.10.18.0/23, 10.10.8.0/23, 10.10.11.0/24, 10.10.21.0/24, 10.10.22.0/23, 10.10.24.0/22, 10.10.32.0/19, 10.10.64.0/18, 10.10.128.0/18, 10.10.192.0/18, 10.11.0.0/16, 10.12.0.0/14, 10.16.0.0/12, 10.10.28.0/22, 10.32.0.0/11, 10.64.0.0/10, 10.128.0.0/9
If: All roles
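Added example, not code from the thread or from Juniper: a Python model of the detailed rules listed in the post above, assuming (not confirmed by the thread) top-down, first-match evaluation and the proposed 10.0.0.0/8 outer resource; the role name 'staff' is constructed. It also computes which parts of 10.0.0.0/8 the long allow list leaves out, which is a quick way to verify that 10.10.10.x and 10.10.20.x are the only holes before trusting the rule set.

```python
import ipaddress

# Constructed from the policy listed in the post above. Assumption (not
# confirmed by the thread): rules are matched top-down, first match wins.
POLICY_RESOURCE = ipaddress.ip_network("10.0.0.0/8")  # proposed outer resource
RULES = [
    ("deny", {"contractor"}, ["10.60.100.0/24"]),
    ("allow", None, [  # None = all roles
        "10.0.0.0/13", "10.8.0.0/16", "10.9.0.0/16", "10.10.0.0/21",
        "10.10.12.0/23", "10.10.14.0/23", "10.10.16.0/23", "10.10.18.0/23",
        "10.10.8.0/23", "10.10.11.0/24", "10.10.21.0/24", "10.10.22.0/23",
        "10.10.24.0/22", "10.10.32.0/19", "10.10.64.0/18", "10.10.128.0/18",
        "10.10.192.0/18", "10.11.0.0/16", "10.12.0.0/14", "10.16.0.0/12",
        "10.10.28.0/22", "10.32.0.0/11", "10.64.0.0/10", "10.128.0.0/9",
    ]),
]

def decide(dst: str, role: str) -> str:
    """Return 'deny', 'allow' or 'no-match' for a destination and a user role."""
    ip = ipaddress.ip_address(dst)
    if ip not in POLICY_RESOURCE:
        return "no-match"            # policy does not apply to this destination
    for action, roles, nets in RULES:
        if roles is not None and role not in roles:
            continue                 # rule is limited to other roles
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return action
    return "no-match"                # fell through: not a tunnel route here

def uncovered(parent: str, nets) -> list:
    """CIDR blocks inside parent that none of nets cover (the policy's holes)."""
    remaining = [ipaddress.ip_network(parent)]
    for n in map(ipaddress.ip_network, nets):
        nxt = []
        for r in remaining:
            if n.subnet_of(r):
                nxt.extend(r.address_exclude(n))   # carve n out of r
            elif not r.subnet_of(n):
                nxt.append(r)                      # disjoint: keep as is
        remaining = nxt                            # r inside n: fully covered
    return [str(b) for b in sorted(ipaddress.collapse_addresses(remaining))]

if __name__ == "__main__":
    print(decide("10.60.100.5", "contractor"))   # deny
    print(decide("10.60.100.5", "staff"))        # allow (covered by 10.32.0.0/11)
    print(uncovered("10.0.0.0/8", RULES[1][2]))  # ['10.10.10.0/24', '10.10.20.0/24']
```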