FTD Remote Access VPN: Is it possible to apply split tunnel acl based on request ip?

Don Maker
Level 1

Hi, I have remote access setup for faculty, staff and students using FMC/FTD/FXOS and I am curious if there is a better way to accomplish an objective. For example, we have a server support team (SAS) that want to tunnel traffic to certain subnets when on campus, but not when off campus. We have a public /16, so many of our systems are on public ranges. The problem is that some things while on campus require VPN, and some do not. But when off campus, all would require VPN tunneling. So for off campus access I have one connection profile with a group policy and a split tunnel ACL that basically just does all 172.16.0.0 and all of our public /16. When on campus, I have a more specific connection profile with a group policy that has a more specific split tunnel ACL.

Is this the best/only way to do this? Is there a way to have a split tunnel assigned based on the requester IP? Basically, if the request comes from 172.16.0.0 or 129.97.0.0 then apply the on campus ACL, anything else apply the off campus ACL? I can't really see a way to avoid the two connection profile/two group policy approach since you can only have one split tunnel ACL per group policy and only one group policy per connection profile.

Unless I'm missing something?

5 Replies

Marvin Rhoads
Hall of Fame

The only way to avoid separate connection profiles and associated group policies would be to have something external like ISE dynamically change the authorization (CoA), i.e. switch the session to a separate connection profile automatically based on the user's contextual information post-initial login.

It would still use separate connection profiles but you would not have to publish them in the dropdown list and would not have to require users to choose among them.

Thank you for the reply. We do not have ISE, unfortunately. We do have FreeRADIUS. But the hope was to avoid two connection profiles for each of these situations. It sounds like we would still have needed that anyway.

If you use external RADIUS such as ISE then you can use dACLs to be applied based on user AD membership. Students will be in the student group in AD and get one dACL while faculty members will be in the faculty group and get a different dACL.

Thanks for the input. The challenge was not so much to separate students from faculty, but to have a different split tunnel ACL based on source IP address.

I read that, but the source IP will be dynamic. I would rather use something more robust such as group membership. You can still use RADIUS AV to match different source IPs and assign different dACLs using the same technique.