Preventing the use of split tunneling by users with ASA 5505

We have put in place a new Cisco ASA 5505 for use by outside consultants, some who require Internet access via an outside wireless network we had installed for vendor use.

Some of these consultants also require VPN (via PPTP) access into our internal network.

It has come to our attention that some of the consultants that require VPN access are possibly modifying the routing tables on their notebooks to allow themselves to split tunnel their VPN connection while connected to our internal network.

Is there a way to enforce the policy of not allowing split tunneling while connected to our ASA? The users connecting to our VPN through the ASA 5505 will be forced to utilize a known static IP address in order to be allowed access to the VPN, as there is no way to reserve IP addresses in the ASA's version of DHCP, so we do have a bit of a start here.

We realize enforcing policies would be the best thing, but policies alone are not considered enough to those who audit us.


Istvan Kalmar (Head of IT Security Division) commented:
I advise to use SSL or IPSEC VPN, not PPTP, because the clients are able to set split tunneling locally.
fluce (Author) commented:
Even though they are behind the ASA-5505 and we have them using a known IP address, could we not force all traffic from that known IP address they are using (which is static mapped) to forward all traffic to the VPN concentrator we are using (an old Cisco 3015) to prevent that?
Markus Braun (CEO) commented:
As I understand it, the users connect through the ASA to another VPN device via a VPN client software. If that is so, the split tunneling is configured on the client and on the other VPN device. So, you can't really stop them doing it because local traffic will not go through the ASA - local stays local - no gateway is necessary. You can however put the ports, wherever they are plugged in, into a different VLAN (configure that on the switch side), thus preventing them from going anywhere else but through the ASA, since by default VLANs can't interact unless you configure inter-VLAN routing.

Would that be an option?

fluce (Author) commented:
I believe there is a bit of confusion here. Let me see, as my problem description may be faulty. I do agree that using IPSec would be an ideal answer, but the 3015 concentrator was not set up to deal with IPSec.

All users connect to the Internet by first connecting to the WAP and then are assigned a DHCP address. Those addresses are able to pass through the ASA to the Internet. But they cannot pass through the ASA and use PPTP. The ASA by default requires you to make some changes in order to allow VPN traffic out of the ASA to another point on the 'Net.

So those that would be utilizing a VPN would be receiving statically mapped IP address, otherwise the necessary GRE ports would not be open to them via an ACL. This means that only one person can utilize a VPN to the same IP address endpoint. That we are fine with.

The documentation on the 5505 leads me to believe you should be able to force all traffic from those utilizing the VPN behind the ASA to wherever they are connected (VPN-wise). However, there are no examples of such, as Cisco would rather you utilize their clients for security purposes.

So in short, we are trying to get out from behind an ASA to allow PPTP traffic; however, we want to ensure that split tunneling does not occur if they are statically mapped.
Markus Braun (CEO) commented:
The DHCP addresses that are assigned to the clients - are they from the local LAN?
If so, LOCAL traffic does NOT go through the ASA, thus you cannot use ACLs for that.
If these clients use PPTP you can NOT use the ASA to stop split tunneling anywhere but on the client side - the Cisco VPN Client does that on default settings.
For PPTP traffic to traverse the firewall you need to enable the fixup pptp protocol, besides the necessary ACLs of course,
and for IPSEC traffic to go through the ASA you need ACLs to allow UDP 500, UDP 4500 and ESP,
but again, unless you use a real VPN client and not PPTP, you cannot stop them from accessing your local LAN.
If you want them to stop accessing your LAN, period, they need to go through a separate interface where you can assign ACLs - but that needs to be a different network of course, and there may be DHCP issues unless your AP is on that network too.


If the client PC has a LAN address assigned, local traffic is always possible and cannot be controlled by the firewall.
If you use a VPN client (not PPTP) you can configure that client to not allow LAN and VPN traffic at the same time (if you had another PIX or ASA on the other end, you could use the Cisco client, and by default the other ASA would not allow the VPN client to use split tunneling).

If you use PPTP, local LAN is always possible.
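The transit-firewall side of the advice above (permit PPTP and IPsec only from the statically mapped consultant host, with PPTP inspection enabled so the GRE data channel is tied to its TCP 1723 control session) looks like this on an ASA 5505. This is an added, constructed example, not configuration from the thread or from Cisco: the interface name `inside`, the ACL name `INSIDE_IN`, the host 192.0.2.10 and the concentrator address 203.0.113.5 are placeholders. Note the limitation Markus describes: this ACL only sees traffic that crosses the ASA, so it cannot stop the consultant host from talking to other hosts on the same wireless segment; that needs the separate VLAN or interface he mentions.

```cisco
! Constructed example: ASA 5505 as the firewall between the consultant
! wireless segment ("inside") and the Internet. Placeholder addresses:
!   192.0.2.10   - the one consultant host with a static mapping
!   203.0.113.5  - the external PPTP concentrator (the thread's Cisco 3015)
!
! PPTP control channel (TCP 1723) and GRE data channel, only from the
! statically mapped host and only to the concentrator.
access-list INSIDE_IN extended permit tcp host 192.0.2.10 host 203.0.113.5 eq 1723
access-list INSIDE_IN extended permit gre host 192.0.2.10 host 203.0.113.5
!
! IPsec from the same host, should the concentrator later be set up for it:
! IKE (UDP 500), NAT-T (UDP 4500) and ESP.
access-list INSIDE_IN extended permit udp host 192.0.2.10 host 203.0.113.5 eq isakmp
access-list INSIDE_IN extended permit udp host 192.0.2.10 host 203.0.113.5 eq 4500
access-list INSIDE_IN extended permit esp host 192.0.2.10 host 203.0.113.5
!
! Ordinary Internet access for every DHCP client on the segment.
access-list INSIDE_IN extended permit udp any any eq domain
access-list INSIDE_IN extended permit tcp any any eq www
access-list INSIDE_IN extended permit tcp any any eq https
!
! Everything else from the segment is dropped and logged, so a second
! host attempting PPTP or GRE shows up in the syslog.
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! PPTP inspection (the ASA equivalent of the PIX "fixup protocol pptp"):
! the ASA watches the TCP 1723 session and opens the matching GRE flow
! dynamically instead of relying on a blanket GRE permit.
policy-map global_policy
 class inspection_default
  inspect pptp
```

The `deny ip any any log` line is what gives the auditors something to point at: any host other than the mapped one that tries to open TCP 1723 or send GRE through the ASA produces a denied-ACL syslog message, which can be collected and reviewed.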
Hello there,

I don't know how you are doing your IPsec tunnel, but by default if you don't specify any policy in the group-policy associated with the tunnel group for remote access.

But if you want to "force" it you could use:

group-policy your-policy internal

group-policy your-policy attributes
 split-tunnel-policy tunnelall

And sorry for what I'm going to say, but when you're not using split tunnel, ALL the traffic, local LAN inclusive, is tunneled; no local LAN traffic is allowed!

Give it a try, and good luck!
Hello there, (Sorry, I lost the idea while I was writing)

I don't know how you are doing your IPsec tunnel, but by default if you don't specify any split tunnel policy in the group-policy associated with the tunnel group for remote access, no split tunnel is used by default.
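For the two posts above, and for Markus's remark that an ASA on the far end would by default not let the Cisco client split-tunnel, here is the full picture of where `split-tunnel-policy` sits on the ASA that terminates the remote-access VPN. This is an added, constructed example rather than the thread's own configuration: the group-policy names `CONSULTANT_SPLIT` and `CONSULTANT_FULL`, the ACL `SPLIT_NETS`, the tunnel-group `CONSULTANTS`, the pool `CONSULTANT_POOL` and all addresses are placeholders. It shows the weak setting beside the corrected one. The thread's headend is a Cisco 3015 concentrator, which has its own equivalent group setting; this is the ASA syntax the expert quotes.

```cisco
! Constructed example: remote-access VPN headend on an ASA. The split-tunnel
! decision is made by the group-policy the headend pushes to the client;
! an IPsec/SSL client that honours the pushed policy cannot override it
! locally, which is the difference from PPTP discussed earlier in the thread.
!
! Address pool handed to connecting clients (placeholder range).
ip local pool CONSULTANT_POOL 10.200.0.1-10.200.0.50 mask 255.255.255.0
!
! --- Weak setting -------------------------------------------------------
! Only the networks listed in SPLIT_NETS go into the tunnel; everything
! else, including the client's local LAN and its Internet traffic, is sent
! in the clear outside the tunnel. This is the configuration to avoid if
! the audit requirement is "no split tunneling".
access-list SPLIT_NETS standard permit 10.0.0.0 255.0.0.0
group-policy CONSULTANT_SPLIT internal
group-policy CONSULTANT_SPLIT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_NETS
!
! --- Corrected setting --------------------------------------------------
! Every packet from the client enters the tunnel (this is also the ASA
! default when no split-tunnel-policy is configured, as the post says);
! the client has no route outside the tunnel while connected.
group-policy CONSULTANT_FULL internal
group-policy CONSULTANT_FULL attributes
 split-tunnel-policy tunnelall
!
! Bind the corrected policy to the tunnel-group the consultants use, so it
! is the policy applied regardless of which client settings they choose.
tunnel-group CONSULTANTS type remote-access
tunnel-group CONSULTANTS general-attributes
 address-pool CONSULTANT_POOL
 default-group-policy CONSULTANT_FULL
```

To check what a connected consultant was actually given, `show vpn-sessiondb remote` lists the active sessions and the group-policy each one landed in, and `show running-config group-policy CONSULTANT_FULL` confirms that `tunnelall` is the policy in force rather than a per-user override.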
