What is the difference between Split Tunnel and VPN Filter on ASA?

(attached images: SPLITTUNNEL.png, VPNFILTER.png)

VPN Filter and Split Tunnel are two ways to specify the network ranges that use the tunnel.

As I understand it:
IPsec VPN uses VPN Filter
SSL VPN uses Split Tunnel
Am I correct in my understanding?

What is the difference between the two?

3 Replies

@JustTakeTheFirstStep split tunnelling is used to define which networks to tunnel back to the headend firewall (ASA or FTD) or break out locally from the client side (exclude from tunnelling to the firewall).

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/119006-configure-anyconnect-00.html

The VPN filter is used to further restrict (allow/deny) the traffic once it's routed back to the Firewall. https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

VPN Filter and Split tunnel can be used with either SSL or IPSec VPNs.

1. Split tunnel works only for RA VPN.

2. VPN filter is used for both IPsec and RA VPN.

3-A. Split tunnel is used to give the RA VPN client a route to a specific subnet behind the ASA.

3-B. VPN filter is used in RA VPN so that the RA VPN user can connect only to a specific host/server.

What the above means:

You use a split tunnel for 10.0.0.0/24.

This means the RA VPN can connect only to subnet 10.0.0.0/24 behind the ASA.

With a VPN filter we can make the RA VPN user connect only to host 10.0.0.10 on TCP ports 80/443.

That is the difference.

MHM

Just to add to what has already been mentioned.

Split-tunnel is used to define what traffic is to be routed over Remote Access VPN. VPN filters are access rules for traffic routed over VPN.

So now we can take that one step further.  Why use VPN filter instead of just disabling interface ACL bypass for VPN?  The issue with having VPN check the interface ACL is that you would need to create interface access rules for all VPNs (site to site and remote access VPNs).  VPN filter will allow you to create access rules on a per tunnel basis giving you more control over a VPN solution that is already in production.

Personally I prefer to use the interface access rules for VPN traffic, but during a migration phase I would use VPN filter to get the access lists right for each VPN before moving that configuration to the regular interface ACL and then disable interface ACL bypass function.

--
Please remember to select a correct answer and rate helpful posts
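The scenario MHM describes (split tunnel for 10.0.0.0/24, VPN filter limiting the user to 10.0.0.10 on TCP 80/443) and the alternative in the last reply (enforcing the same rules in the interface ACL after turning off the VPN bypass) written out as ASA configuration. This is an added example and not configuration posted in the thread; the group-policy name RA-GP, the client pool 192.168.100.0/24, the interface name "outside" and the ACL names are assumptions, while 10.0.0.0/24 and 10.0.0.10 come from the reply above.

```cisco
! Added example, not from the thread. Assumes an existing AnyConnect RA VPN whose
! tunnel-group uses group-policy RA-GP and assigns clients from 192.168.100.0/24
! (both assumed names/values).

! 1) Split tunnel: only 10.0.0.0/24 is routed into the tunnel. Everything else
!    leaves the client directly. A standard ACL is what split-tunnel-network-list takes.
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0

! 2) VPN filter: applied to the decrypted traffic. Write each ACE with the VPN client
!    address as source and the inside host as destination. The implicit deny at the
!    end drops anything else, so the client still has a route to 10.0.0.0/24 but can
!    only reach 10.0.0.10 on TCP/80 and TCP/443.
access-list VPN-FILTER extended permit tcp 192.168.100.0 255.255.255.0 host 10.0.0.10 eq 80
access-list VPN-FILTER extended permit tcp 192.168.100.0 255.255.255.0 host 10.0.0.10 eq 443

group-policy RA-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 vpn-filter value VPN-FILTER

! Verification after a client connects (hit counts on VPN-FILTER should increment
! only for the two permitted ports):
show run group-policy RA-GP
show access-list VPN-FILTER
show vpn-sessiondb detail anyconnect

! 3) Alternative from the last reply: stop VPN traffic from bypassing the interface
!    ACL and enforce the same policy there. From this point on, decrypted traffic from
!    EVERY tunnel (site-to-site and remote access) is checked against the outside ACL,
!    so each tunnel needs its own permits before this is turned on.
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended permit tcp 192.168.100.0 255.255.255.0 host 10.0.0.10 eq 80
access-list OUTSIDE-IN extended permit tcp 192.168.100.0 255.255.255.0 host 10.0.0.10 eq 443
access-group OUTSIDE-IN in interface outside
```

Two caveats worth checking before copying this. The vpn-filter ACL is evaluated in both directions against the same ACEs, so a rule written as "client to 10.0.0.10 eq 80" also matches traffic from 10.0.0.10 sourced from port 80 toward the client; do not reuse a vpn-filter ACL as an interface ACL, since interface ACLs are one-directional. And `no sysopt connection permit-vpn` is a global switch, which is exactly why the last reply prefers getting each tunnel's filter right first and only then moving the rules into the interface ACL.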