Configuring split tunneling, Configuring device pass-through – Cisco ASA 5505 User Manual



Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 71 Configuring Easy VPN Services on the ASA 5505


hostname(config)# no vpnclient trustpoint

hostname(config)#

Configuring Split Tunneling

Split tunneling lets a remote-access IPsec client conditionally direct packets over an IPsec tunnel in
encrypted form or to a network interface in clear text form.

The Easy VPN server pushes the split tunneling attributes from the group policy to the Easy VPN Client
for use only in the work zone. See Configuring Split-Tunneling Attributes, page 67-49, to configure split
tunneling on the Cisco ASA 5505.

Enter the following command in global configuration mode to enable the automatic initiation of IPsec
tunnels when NEM and split tunneling are configured:

[no] vpnclient nem-st-autoconnect

no removes the command from the running configuration.

For example:

hostname(config)# vpnclient nem-st-autoconnect

hostname(config)#

Configuring Device Pass-Through

Devices such as Cisco IP phones, wireless access points, and printers are incapable of performing
authentication. Enter the following command in global configuration mode to exempt such devices from
authentication, thereby providing network access to them, if individual user authentication is enabled:

[no] vpnclient mac-exempt mac_addr_1 mac_mask_1 [mac_addr_2 mac_mask_2 ... mac_addr_n mac_mask_n]

no removes the command from the running configuration.

mac_addr is the MAC address, in dotted hexadecimal notation, of the device to bypass individual
user authentication.

mac_mask is the bit mask applied to the corresponding MAC address; a device matches when the masked bits
of its MAC address equal the masked bits of mac_addr. A MAC mask of ffff.ff00.0000 matches all devices
made by the same manufacturer. A MAC mask of ffff.ffff.ffff matches a single device.

Note: The mac-exempt list cannot exceed 15 entries.

Only the first six hexadecimal digits of the MAC address (the manufacturer ID) are significant if you use
the MAC mask ffff.ff00.0000 to specify all devices by the same manufacturer. For example, Cisco IP phones
have the Manufacturer ID 00036b, so the following command exempts any Cisco IP phone with that
manufacturer ID, including phones you might add in the future:

hostname(config)# vpnclient mac-exempt 0003.6b00.0000 ffff.ff00.0000

hostname(config)#
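The following is an added example, not part of the Cisco guide, that models how a mac-exempt list is
evaluated so you can check what a given address/mask pair really exempts before you commit it. It assumes
(this is an assumption about the matching rule, not something the guide states) that the ASA compares
addresses bitwise, i.e. a device is exempt when (device_mac AND mask) equals (mac_addr AND mask), and it
enforces the 15-entry limit from the note above. The MacExemptList class, its method names, and the sample
addresses other than the 00036b manufacturer ID are constructed for illustration.

```python
"""Model of the ASA 'vpnclient mac-exempt' matching rules (added example, not Cisco code).

Assumption: matching is bitwise, (device & mask) == (entry & mask).
Because a broad mask exempts *any* device presenting those leading bits from
individual user authentication, broad_entries() flags every pair whose mask is
not the single-device mask ffff.ffff.ffff so it can be reviewed.
"""
from __future__ import annotations

MAX_MAC_EXEMPT_ENTRIES = 15          # "The mac-exempt list cannot exceed 15" (from the guide)
SINGLE_DEVICE_MASK = 0xFFFFFFFFFFFF  # ffff.ffff.ffff


def parse_dotted_mac(text: str) -> int:
    """Parse Cisco dotted-hex notation ('0003.6b00.0000') into a 48-bit integer."""
    parts = text.strip().lower().split(".")
    if len(parts) != 3 or any(len(p) != 4 for p in parts):
        raise ValueError(f"expected xxxx.xxxx.xxxx, got {text!r}")
    try:
        return int("".join(parts), 16)
    except ValueError:
        raise ValueError(f"non-hex digits in {text!r}") from None


def format_dotted_mac(value: int) -> str:
    """Render a 48-bit integer back into dotted-hex notation."""
    if not 0 <= value <= SINGLE_DEVICE_MASK:
        raise ValueError("MAC value out of 48-bit range")
    s = f"{value:012x}"
    return f"{s[0:4]}.{s[4:8]}.{s[8:12]}"


class MacExemptList:
    """Hypothetical model of the list built by 'vpnclient mac-exempt'."""

    def __init__(self) -> None:
        self.entries: list[tuple[int, int]] = []   # (masked address, mask)

    def add(self, mac: str, mask: str) -> None:
        """Append an address/mask pair, enforcing the 15-entry limit."""
        if len(self.entries) >= MAX_MAC_EXEMPT_ENTRIES:
            raise ValueError(f"mac-exempt list cannot exceed {MAX_MAC_EXEMPT_ENTRIES} entries")
        addr, msk = parse_dotted_mac(mac), parse_dotted_mac(mask)
        # Bits outside the mask never influence a match, so store the masked address.
        self.entries.append((addr & msk, msk))

    def is_exempt(self, device_mac: str) -> bool:
        """True if the device would bypass individual user authentication."""
        dev = parse_dotted_mac(device_mac)
        return any((dev & msk) == addr for addr, msk in self.entries)

    def broad_entries(self) -> list[str]:
        """Pairs whose mask is wider than a single device (worth a second look)."""
        return [
            f"{format_dotted_mac(addr)} {format_dotted_mac(msk)}"
            for addr, msk in self.entries
            if msk != SINGLE_DEVICE_MASK
        ]

    def cli(self) -> str:
        """The equivalent global-configuration command."""
        pairs = " ".join(
            f"{format_dotted_mac(addr)} {format_dotted_mac(msk)}" for addr, msk in self.entries
        )
        return f"vpnclient mac-exempt {pairs}"


if __name__ == "__main__":
    exempt = MacExemptList()
    exempt.add("0003.6b00.0000", "ffff.ff00.0000")   # every device with manufacturer ID 00036b
    exempt.add("001a.2b3c.4d5e", "ffff.ffff.ffff")   # one constructed printer address
    print(exempt.cli())
    for mac in ("0003.6b12.3456", "0004.6b12.3456", "001a.2b3c.4d5e"):
        print(mac, "exempt" if exempt.is_exempt(mac) else "must authenticate")
    print("broad entries:", exempt.broad_entries())
```

Run it to see that 0003.6b12.3456 is exempted by the manufacturer-wide entry while 0004.6b12.3456 is not, and that only the ffff.ff00.0000 pair is reported by broad_entries(). Since a MAC address is presented by the device itself, prefer the single-device mask ffff.ffff.ffff for anything that is not a large fleet of identical phones, and keep the list within the 15-entry limit.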
