Split Tunneling on Cisco ASA VPN Behind Sonic Wall

Posted on 2014-10-22
Last Modified: 2014-11-11
Hello all,

I will be helping a friend tomorrow try to figure something out and wanted to see who could help out. Basically, they have a functioning Cisco ASA VPN behind a Sonic Wall firewall. The Cisco was left in place because there were 3-5 users who still use it regularly and because they need it for their VoIP licensing. I am not sure how the two are connected at this point (port forwarding or proxy ARP or what). But here are some basic questions we need some advice on:

1) Is there anything inherently insecure about enabling split tunneling in this situation? Why or why not?
2) Can split tunneling be set up on a per-user basis, or can it only be enabled for everyone who uses the VPN?
3) How does one configure split tunneling using the CLI?
4) And finally, is there any reason, besides licensing costs, that we shouldn't just stop using the ASA for VPN and switch to just using the Sonic Wall?

Question by:JesusFreak42
LVL 29

Accepted Solution

Alan Huseyin Kayahan earned 500 total points
ID: 40398292
1) Your existing setup does not make split tunneling any more insecure than split tunneling in a traditional setup. In a traditional setup, split tunneling is safe and widely used.
2) You cannot set up split tunneling per user; however, you can set up split tunneling per tunnel-group. You can create multiple tunnel-groups and associate users with tunnel-groups.
A better option would be to implement a DACL per user group, for which you need to integrate the ASA with a TACACS or applicable RADIUS server.
3) Following is a step-by-step guide written by Pete Long. in the ACL is the network that you want the VPN clients to be able to access. You can add multiple entries to this ACL to provide connectivity to multiple networks inside.
4) No other reasons. Look for performance stats for both models, see which one can handle more packets per second, compare the goodput through the device when all services are enabled, check whether the unit has the types of interfaces you need, etc., and make your decision on either the ASA or the Swall.
LVL 57

Expert Comment

by:Pete Long
ID: 40398999
^^ Thanks for the link Alan

Some experts will disagree about the security of split tunneling: the local Internet connection is disabled for a reason. An infected remote client with malware on it that's VPN'd in without NAC, for example, can now connect to the Internet unfiltered and connect to your corporate network.

For that reason I prefer 'forced tunnelling'; use the search on the above site, I've written about that as well.

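The CLI configuration question 3 asks about, showing the two policies Alan and Pete contrast (split tunneling assigned per tunnel-group, beside a forced full tunnel), as an added example that is not from Pete Long's guide or from either expert. The group-policy names (GP-SPLIT, GP-FULL), tunnel-group names (SPLIT-USERS, FULL-USERS), the address pool and the 192.168.x.0 inside networks are made up for illustration, and the syntax assumes ASA 8.4 or later (`vpn-tunnel-protocol ikev1`, `ikev1 pre-shared-key`). The IKE policy, crypto map and NAT exemption for the pool are assumed to exist already, since the VPN in the question is working.

```cisco
! Constructed example, not the page's own configuration.
! Standard ACL naming the inside networks that split-tunnel clients reach
! through the VPN; any other destination leaves via the client's own gateway.
access-list SPLIT-TUNNEL-ACL standard permit 192.168.10.0 255.255.255.0
access-list SPLIT-TUNNEL-ACL standard permit 192.168.20.0 255.255.255.0
!
ip local pool VPN-POOL 10.200.0.10-10.200.0.100 mask 255.255.255.0
!
! Split-tunnel policy: only SPLIT-TUNNEL-ACL destinations are tunnelled.
group-policy GP-SPLIT internal
group-policy GP-SPLIT attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL
 dns-server value 192.168.10.5
 default-domain value corp.example.com
!
! Forced (full) tunnel policy: all client traffic goes through the ASA,
! so a connected client cannot reach the Internet unfiltered.
group-policy GP-FULL internal
group-policy GP-FULL attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 dns-server value 192.168.10.5
 default-domain value corp.example.com
!
! One tunnel-group per policy; a user is associated with a tunnel-group by
! the group name (and its pre-shared key) configured in the IPsec client profile.
tunnel-group SPLIT-USERS type remote-access
tunnel-group SPLIT-USERS general-attributes
 address-pool VPN-POOL
 default-group-policy GP-SPLIT
tunnel-group SPLIT-USERS ipsec-attributes
 ikev1 pre-shared-key <placeholder-psk-for-split-users>
!
tunnel-group FULL-USERS type remote-access
tunnel-group FULL-USERS general-attributes
 address-pool VPN-POOL
 default-group-policy GP-FULL
tunnel-group FULL-USERS ipsec-attributes
 ikev1 pre-shared-key <placeholder-psk-for-full-users>
```

`show running-config group-policy GP-SPLIT` confirms the split-tunnel policy and ACL binding, and once a client is connected `show vpn-sessiondb remote` shows which tunnel-group and group-policy it landed in. Note that the split-tunnel list must be a standard ACL, and that clients on GP-FULL only get Internet access if the ASA is configured to hairpin that traffic back out, which is what Pete's "Remote VPN Client Internet Access" link below covers.
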
LVL 57

Expert Comment

by:Pete Long
ID: 40399063
Here's the link (I was concentrating more on getting a coffee earlier, sorry!)

Cisco ASA - Remote VPN Client Internet Access
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 40399065
You are welcome Pete! Great article! (I am MrHusy, it's been a long time! :) )

You know, it is enough for a client to be on the unfiltered Internet for just some period in order to get infected, so you should basically eliminate the chances of evading the VPN client. Unfortunately Cisco is not good at VPN client software (much better with AnyConnect, but still...); features like forced reconnect and auto-connect on startup are easily alterable. Built-in VPN clients in OSes give the option of unchecking "use default gateway".

I have worked on a project where 600+ IBM payment kiosks were connected via VPN client. That was one of the times where we needed the security of full tunnelling, and I had to go to the extremes of user restrictions, scripting, programming and GPOs (you know how cumbersome it is to maintain GPOs on RA VPN clients) in order to prevent the user from evading the VPN client and reaching the unfiltered Internet.

So full tunneling is secure if it is properly forced. A properly forced tunnel renders the client computer a restricted dummy platform.
LVL 57

Expert Comment

by:Pete Long
ID: 40399081
