cancel
Showing results for 
Search instead for 
Did you mean: 

Split tunneling question

Highlighted
Contributor

Re: Split tunneling question

Thanks! I'll give that a shot. By "Exclude Access" do you mean "deny Access"? (I only have Allow, Deny, Detailed) Also, it changes my 255.255.255.255 to 10.175.0.100:* is that correct? Thanks sk
Highlighted
Frequent Contributor

Re: Split tunneling question

Hi Sk, Yes, deny access and 255.255.255.255 get removed as you mention. ..its fine.

 

 

Highlighted
Super Contributor

Re: Split tunneling question

Make sure you are in the "Network Connect split tunneling policies" and not "Network Connect access policies".  The potential actions should be "Allow access" and "Exclude access". 

 

The "255.255.255.255" mask will be stripped off, since it is a host route, but you should not see the colon and asterisk after the address. 

 

Ken

Highlighted
Contributor

Re: Split tunneling question

Thanks ken, I sure was on the wrong page.

 

I did have an ACCESS policy of icmp://*:* tcp://*:* and udp://*:* and while testing today I found that this was effectively enabling at least some sort of split tunneling even though split tunneling was disabled.

 

Is that by design? I thought the access policy was strictly the allowed access on the tunneled routes?

Highlighted
Frequent Contributor

Re: Split tunneling question

hi sk,

 

     What is the SA version you're using? In Sa 7.x versions split tunnel policy get effect when split tunnel enabled on the role.

 

Thanks,

Highlighted
Contributor

Re: Split tunneling question

7.2 R4 split tunneling is disabled in the role

Highlighted
Frequent Contributor

Re: Split tunneling question

Ok... if that is the case then, User > Resource policies > VPN tunneling > Split tunneling networks > policy will not be used. You need to enable split tunnel on the role.

 

thanks,

Highlighted
Contributor

Re: Split tunneling question

Without creating the split tunneling policy, and with split tunneling disabled, my remote user with an ip address of 10.36.20.97 can still ping and print to 10.36.24.28. Aren't all local resources supposed to be blocked when split tunneling is disabled? Thanks
Highlighted
Frequent Contributor

Re: Split tunneling question

Hi Sk,

 

  This needs to be analyzed, please contact jtac.

 

Thanks,

Frequent Contributor

Re: Split tunneling question

I'm running into an issue with Split Tunneling as well.  We have Pretty much our entire 10.x.x.x network utilized in various test networks.   We have a product range that users 10.10.10.x and 10.10.20.x that we have worked around. with a very likely overly complicated allow rule.  The problem crops up when a contractor connected to our network and they used the network range 10.60.100.0/24.   I changed our Test Allow rule to Detailed rule.  then denyed that range for the contractor role.  then allowed the networks for all Roles.  This isn't working though.  Can anyone point out where I went wrong?  Also, if I understand this, I can change the Test polcy to use the resources 10.0.0.0/8 and let the detailed rule allow statement to handle the mishmash of 10.x.x.x networks that should come accross the tunnel.

 

SA4500 v7.2 r3

 

The role is set to use Junos Pulse

Split tunneling is allowed.

Route Precidence is set to Tunnel Route

 

Split Tunnel Resource Policy

 

1. Expand/collapse Test
Detailed Rules (Edit)
1. Deny 10.60.100.0/24 
If: role = 'contractor'
2. Allow 10.0.0.0/13, 10.8.0.0/16, 10.9.0.0/16, 10.10.0.0/21, 10.10.12.0/23, 10.10.14.0/23, 10.10.16.0/23, 10.10.18.0/23, 10.10.8.0/23, 10.10.11.0/24, 10.10.21.0/24, 10.10.22.0/23, 10.10.24.0/22, 10.10.32.0/19, 10.10.64.0/18, 10.10.128.0/18, 10.10.192.0/18, 10.11.0.0/16, 10.12.0.0/14, 10.16.0.0/12, 10.10.28.0/22, 10.32.0.0/11, 10.64.0.0/10, 10.128.0.0/9 
(Details) 10.0.0.0/13
10.8.0.0/16
10.9.0.0/16
10.10.0.0/21
10.10.12.0/23
10.10.14.0/23
10.10.16.0/23
10.10.18.0/23
10.10.8.0/23
10.10.11.0/24
10.10.21.0/24
10.10.22.0/23
10.10.24.0/22
10.10.32.0/19
10.10.64.0/18
10.10.128.0/18
10.10.192.0/18
10.11.0.0/16
10.12.0.0/14
10.16.0.0/12
10.10.28.0/22
10.32.0.0/11
10.64.0.0/10
10.128.0.0/9
All roles