Solved

How to disable split tunneling on l2l vpn connection - Cisco asa5500

Posted on 2007-11-29
23
3,252 Views
Last Modified: 2010-04-21
Hello!
I need to figure out how to disable split tunnelling on a l2l VPN tunnel to my ASA5510.  I have the asa at the main office and a linksys vpn endpoint at a remote office.  I have a tunnel established between the two devices.  I want to route all traffic from the linksys remote office to the asa5510 - including Internet traffic.  How can I set this up on the ASA?  I have done this before on a PIX, but with a pptp vpn client, not a tunnel.  Do I need to change anything on the linksys as well?  Below is my asa config - any help would be appreciated!

: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name test.com
enable password
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xx.xx.xx.yy 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
access-list VPN_ACL extended permit ip 172.16.0.0 255.255.252.0 192.168.100.0 255.255.255.0
access-list NO_NAT extended permit ip 172.16.0.0 255.255.252.0 192.168.100.0 255.255.255.0
access-list NO_NAT extended permit ip any 172.16.10.0 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 172.16.10.10-172.16.10.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 12.32.216.49 1
route inside 172.16.0.0 255.255.252.0 192.168.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server test protocol radius
aaa-server test host 172.16.0.5
 key qweasd
 radius-common-pw qweasd
http server enable
http 172.16.0.0 255.255.252.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set CRY_VPN2 esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map VPN_CRYMAP2 10 set transform-set CRY_VPN2
crypto map VPN_CRYMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dyn-map 10 ipsec-isakmp dynamic VPN_CRYMAP2
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy SBSTESTVPN internal
group-policy SBSTESTVPN attributes
 wins-server value 172.16.0.5
 dns-server value 172.16.0.5
 vpn-tunnel-protocol IPSec
 default-domain value sbstest.com
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:1ceccdea668e1324a3c4e8c4bc4a97ba
: end
asdm image disk0:/asdm-602.bin
no asdm history enable

 
Question by:jdavidsbs
23 Comments
LVL 21

Expert Comment

by:from_exp
ID: 20375810
hi there!
here is a nice link how to disable/enable split tunneling on cisco:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpngrp.html#wpxref36314
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 20375993
I guess my first thought would be to change the acls to be any any instead id'ing any specific subnets.  Then the asa should tunnel everything.  As for the linksys side, it should be the same config because it should only tunnel any traffic coming from to the asa connected network
0
 

Author Comment

by:jdavidsbs
ID: 20376457
taking a look now at the article and the acls.  Thanks!
0
 

Author Comment

by:jdavidsbs
ID: 20376770
Changed acls to:

access-list NO_NAT extended permit ip any 172.16.10.0 255.255.255.128
access-list NO_NAT extended permit ip any any

Not forwarding all traffic from linksys to asa.

from exp:  I have version 8 installed so I looked up the guide on that - in case they made any changes.  I'm not certain what group policy to set the split-tunnel-policy on.  I tried it on the l2l group, but it's not a valid option there.  Can you give me an example of what to add?

Thanks!
0
 

Author Comment

by:jdavidsbs
ID: 20376859
Quick thought, should I even be trying this with a linksys?  do I need something more robust to handle this?  I also need to be able to see the clients at the remote office through the tunnel so I can remote desktop into them.  I can't seem to see anything from the asa side to the linksys side.  I know with a cisco vpn client connection to the asa I can connect to the remote computer, but not using the tunnel.  I can get into the asa network from the linksys, though...

0
 
LVL 21

Expert Comment

by:from_exp
ID: 20377169
group-policy SBSTESTVPN attributes
split-tunnel-policy tunnelall
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 20377339
personally i don't know why you'd be using a group-policy on the L2L vpn.  at least I've only ever used it on tunnel-groups used for RA purposes.

linksys should be fine.  performance would be the only hindrance, not ability (i'm pretty sure anyway)

another thing I didn't check the first look thru...where's your crypto map for the L2L
0
 

Author Comment

by:jdavidsbs
ID: 20381749
Cyclops - I'm using a dynamic setup, but there are some leftovers in there from a static test I did earlier.

crypto dynamic-map VPN_CRYMAP2 10 set transform-set CRY_VPN2
crypto map dyn-map 10 ipsec-isakmp dynamic VPN_CRYMAP2

0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 20381907
oops, i misread your comments and got them mixed around.  The linksys is the one to be told to tunnel everything, not the ASA.  The asa would just have an acl to route the subnet traffic from anywhere back to the linksys.   If the linksys is configured to tunnel everything you should be fine.  However since it's the client, it may not have the ability to choose which traffic can be tunnelled.  In which case I'd be looking at from_exp's suggestion
0
 

Author Comment

by:jdavidsbs
ID: 20382962
from_exp:  I added the split tunnel-policy as you suggested with no luck.  Shouldn't this be added to the l2l group policy?  I think I'm using the default l2l policy for this connection.  When I try to add the split-tunnel-policy there I can't, I can only add general attributes and ipsec attributes.
Right now I'm more than a little confused...

Thanks!
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 20383230
are you sure you're in the general-policy config area and not trying to do tunnel-group
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 20383236
group-policy, not general-policy;  sorry for confusion
0
 

Author Comment

by:jdavidsbs
ID: 20383873
changed the group policy and still no luck.  I set the default route on the linksys to use the router at the asa side to try to force the traffic there, and that didn't work either.  
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20393986
ok, can you paste your configuration one more time with the updates you've made?
0
 

Author Comment

by:jdavidsbs
ID: 20396192
Well, just a warning - i was in messing around a bit over the weekend so I probably messed it up more than i needed to....

Thanks for the help still!

: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name test.com
enable password
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xx.xx.xx.yy 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
access-list NO_NAT extended permit ip any 172.16.10.0 255.255.255.128
access-list NO_NAT extended permit ip 172.16.0.0 255.255.252.0 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 172.16.10.10-172.16.10.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.zz 1
route inside 172.16.0.0 255.255.252.0 192.168.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server test protocol radius
aaa-server test host 172.16.0.5
 key qweasd
 radius-common-pw qweasd
http server enable
http 172.16.0.0 255.255.252.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set CRY_VPN2 esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map VPN_CRYMAP2 10 set transform-set CRY_VPN2
crypto map VPN_CRYMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dyn-map 10 ipsec-isakmp dynamic VPN_CRYMAP2
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy SBSTESTVPN internal
group-policy SBSTESTVPN attributes
 wins-server value 172.16.0.5
 dns-server value 172.16.0.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 default-domain value sbstest.com
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy SBSTESTVPN
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx general-attributes
 default-group-policy SBSTESTVPN
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:e89c1469c9274fb25010ffd13c8468c6
: end
asdm image disk0:/asdm-602.bin
no asdm history enable

0
 

Author Comment

by:jdavidsbs
ID: 20396230
settings on Linksys:

Local Secure Group: Subnet
    IP: 192.168.100.0
    Mask: 255.255.255.0

Remote Secure Group: Subnet
    IP: 172.16.0.0
    Mask: 255.255.252.0

Remote Security Gateway: IP
    IP Address: xx.xx.xx.yy

Encryption: 3DES
Authentication: MD5

Key Management: Auto. (IKE)
    PFS: Enabled  Disabled
    Pre-shared Key:
    Key Lifetime: 43200 Sec.

Status: Connected
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20396326
If you want to tunnel all traffic from linksys to cisco, then you need to set remote security group to 0.0.0.0/0 on linksys
0
 

Author Comment

by:jdavidsbs
ID: 20396396
Just tried it again.  I can set the linksys to "any" and when I do this I am unable to connect the tunnel...
0
 

Author Comment

by:jdavidsbs
ID: 20396410
Remote Secure Group: Any
(This Gateway accepts request from any IP address!)
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20397367
no, remote security group means remote networks that should be accessed via encrypted tunnel.
on the other side - cisco - you have to say that local network for tunnel to linksys should be 0.0.0.0/0 but remote - 192.168.100.0
0
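The ASA side of what from_exp describes (local proxy 0.0.0.0/0, remote proxy 192.168.100.0/24), as an added example that is not from_exp's or the thread's own configuration: a static L2L crypto map entry whose crypto ACL mirrors a Linksys "Remote Secure Group" of 0.0.0.0/0, plus the hairpin and NAT statements the remote site needs to reach the Internet through the ASA. Assumed: the Linksys public address is the page's xx.xx.xx.xx placeholder, the transform-set CRY_VPN2, map name dyn-map and interface names come from the posted 8.0(2) config, and the pre-shared key is a placeholder.

```cisco
! Added example for the thread above, not the accepted answer's text.
! Traffic selection for a L2L peer is done by the crypto ACL, not by the
! split-tunnel-policy line (that attribute applies to remote-access group policies).
!
! 1. Crypto ACL: "any" on the local side is the mirror of 0.0.0.0/0 on the Linksys,
!    the remote side is the Linksys LAN. If the two peers' proxy IDs are not mirror
!    images, IKE quick mode fails and the tunnel never comes up.
access-list L2L_LINKSYS extended permit ip any 192.168.100.0 255.255.255.0
!
! 2. Static entry in the map already applied to outside; sequence 5 is evaluated
!    before the existing dynamic entry at sequence 10.
crypto map dyn-map 5 match address L2L_LINKSYS
crypto map dyn-map 5 set peer xx.xx.xx.xx
crypto map dyn-map 5 set transform-set CRY_VPN2
crypto map dyn-map interface outside
!
! 3. Internet-bound packets from 192.168.100.0/24 arrive decrypted on "outside" and
!    must leave through "outside" again (U-turn); the ASA drops that unless allowed.
same-security-traffic permit intra-interface
!
! 4. NAT: inside <-> remote LAN stays exempt (existing NO_NAT entry kept),
!    remote LAN -> Internet is PATed to the outside interface address.
access-list NO_NAT extended permit ip 172.16.0.0 255.255.252.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
nat (outside) 101 192.168.100.0 255.255.255.0
global (outside) 101 interface
!
! 5. Peer tunnel-group (key value is a placeholder, not from the page).
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key <PRE_SHARED_KEY_PLACEHOLDER>
```

To verify, "show crypto ipsec sa peer xx.xx.xx.xx" should list local ident 0.0.0.0/0.0.0.0 and remote ident 192.168.100.0/255.255.255.0 with encaps and decaps counters increasing while a remote host browses the Internet.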
 

Author Comment

by:jdavidsbs
ID: 20397667
Now I am really lost.  
In order to have the linksys move all traffic through the tunnel I have to setup the default route for it on the cisco asa?  
Can you provide a code example of what I need to do?  
I thought I might've had an idea what I was doing - but apparently not...
0
 
LVL 21

Accepted Solution

by:from_exp (earned 500 total points)
ID: 20401219
0
 

Author Closing Comment

by:jdavidsbs
ID: 31411735
Thanks for pointing me in the right direction.  I did not get the chance to fully implement it however.  I was given an 851 router to setup for a remote office that is offering its own difficulties.  If I need to revisit the linksys setup I now have a better idea of what I need to do.  Thanks!
0
