Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

route ACL: how to apply a match for an application?

  • 1.  route ACL: how to apply a match for an application?

    Posted Oct 07, 2017 09:12 AM

    Hello

    I want to apply a route ACL to a user role to split tunnel traffic matching an application like office365, but the first match is always the ACL statement for the network any any. The question is: how can I apply a route ACL to match an application before passing the ACL statement based on Layer 3 (source/destination network)?

     

    Here is the configuration:

     

    ip access-list route no-split-tunnel
    user any any route ipsec-map default-vpnip-local-ipsecmap
    user any app salesforce forward app-position 2
    user any app okta route ipsec-map default-vpnip-local-ipsecmap app-position 1
    user any app speedtest forward app-position 5
    user any app office365 forward app-position 3
    user any app box-net forward app-position 4
    !

     

    Thanks



  • 2.  RE: route ACL: how to apply a match for an application?

    EMPLOYEE
    Posted Oct 07, 2017 11:37 AM

    I don't believe that apprf rules can be applied to a split-tunneled SSID, because Apprf rules need to be evaluated on the controller, which would require a tunneled SSID.  A split-tunneled SSID's firewall traffic is evaluated on the AP itself (usually a Remote ap).
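As an added illustration of the ordering problem in the question and the classification point in this reply (constructed model, not Aruba code or ArubaOS behaviour): a first-match evaluator over the posted ACL. It assumes that `app-position N` slots an application rule at N ahead of the plain layer-3 entries, and that a flow only carries an application name where the enforcement point has a DPI classification; both are modelling assumptions.

```python
# Constructed model of first-match route-ACL evaluation, not Aruba code.
# Assumption (unverified against ArubaOS): "app-position N" slots an app
# rule at N ahead of the plain layer-3 entries, and a flow carries an app
# name only where the enforcement point has a DPI classification.
from dataclasses import dataclass
from typing import List, Optional

# ACL body from the question above, embedded as sample input.
ACL_TEXT = """\
user any any route ipsec-map default-vpnip-local-ipsecmap
user any app salesforce forward app-position 2
user any app okta route ipsec-map default-vpnip-local-ipsecmap app-position 1
user any app speedtest forward app-position 5
user any app office365 forward app-position 3
user any app box-net forward app-position 4
"""

@dataclass
class Rule:
    app: Optional[str]       # None for the plain "any any" layer-3 entry
    action: str              # "route" (tunnel to VPNC) or "forward" (local breakout)
    position: Optional[int]  # app-position value, if present

def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "user":
            continue
        app, action = (tok[3], tok[4]) if tok[2] == "app" else (None, tok[3])
        pos = int(tok[tok.index("app-position") + 1]) if "app-position" in tok else None
        rules.append(Rule(app, action, pos))
    return rules

def order_rules(rules: List[Rule], honor_app_position: bool = True) -> List[Rule]:
    """Evaluation order: app rules sorted by app-position, then layer-3 entries."""
    if not honor_app_position:
        return list(rules)  # textual order, where "any any" shadows every app rule
    by_pos = sorted((r for r in rules if r.position is not None), key=lambda r: r.position)
    return by_pos + [r for r in rules if r.position is None]

def evaluate(rules: List[Rule], app_id: Optional[str], honor_app_position: bool = True) -> str:
    """Action of the first matching rule. app_id is None when the enforcement
    point has no application classification (the AP-side case in reply 2):
    only the layer-3 entry can match, so every flow is tunnelled."""
    for r in order_rules(rules, honor_app_position):
        if r.app is None or r.app == app_id:
            return r.action
    return "deny"  # implicit deny if nothing matches
```

Running `evaluate(rules, None)` shows the failure mode the reply describes: without an application name the app rules never match, whatever their position.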



  • 3.  RE: route ACL: how to apply a match for an application?

    Posted Oct 07, 2017 12:47 PM
    Thank you for the quick answer. Actually I plan to implement this route ACL on my Branch controllers.
    I'm able to add on top of the ACL a rule using svc-http and svc-https to no-split this traffic and leave the rest local and NATted at the Branch, but what I want to achieve is to only allow my corporate cloud-based applications to split tunnel at the remote locations and send all the rest back to my VPNC/Corporate.
    Is there a way to do this ?
    Thanks
    Antonio


  • 4.  RE: route ACL: how to apply a match for an application?

    EMPLOYEE
    Posted Oct 07, 2017 03:17 PM

    If they are cloud applications, most likely they cannot be identified by subnet.  Are there any other characteristics that would enable you to define those cloud applications?



  • 5.  RE: route ACL: how to apply a match for an application?

    Posted Oct 07, 2017 04:01 PM
    Box, office365, Service-now, Salesforce