Solved

Split Tunnel not working Cisco ASA

Posted on 2008-06-25
Last Modified: 2012-08-14
Hi,

I just installed and configured a new Cisco ASA 5510. I have enabled a Remote VPN config and users can connect just fine. For some reason, when VPN'ed in, users cannot access the internet. I have split tunneling enabled on the group policy but it's still not working.

Attached cleaned config.

Thank You,
Mitchell
GPF-ASA-01# sh run
: Saved
:
ASA Version 7.2(3)16
!
hostname GPF-ASA-01
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address X.X.78.19 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name gallagherusa.com
dns server-group Public
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in remark temporary access to download VPN Client
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in remark Allows Email from off site SPAM filter
access-list outside_access_in extended permit tcp X.X.45.224 255.255.255.224 interface outside eq smtp
access-list outside_access_in remark Allows Email from off site SPAM filter
access-list outside_access_in extended permit tcp host X.X.211.73 interface outside eq smtp
access-list outside_access_in remark Allows Email from off site SPAM filter
access-list outside_access_in extended permit tcp host X.X.216.115 interface outside eq smtp
access-list outside_access_in remark Access mail site.
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in remark Access mail site
access-list outside_access_in extended permit tcp any interface outside eq https
access-list G*******08!_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.0
access-list outside_in extended permit tcp any host X.X.78.19 eq ftp
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPN_IP_Pool 172.16.0.1-172.16.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list nonat
nat (inside) 101 10.0.0.0 255.255.255.0
static (inside,outside) tcp interface ftp 10.0.0.5 ftp netmask 255.255.255.255
static (inside,outside) tcp interface https 10.0.0.5 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.0.0.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.5 www netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.79.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server DomainController protocol radius
aaa-server DomainController (inside) host 10.0.0.5
 timeout 5
 key R********!
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh X.X.133.48 255.255.255.240 outside
ssh timeout 5
ssh version 2
console timeout 5
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
group-policy DfltGrpPolicy attributes
 banner none
 wins-server value 10.0.0.5 10.0.0.10
 dns-server value 10.0.0.5 10.0.0.10
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list value G*********08!_splitTunnelAcl
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy GP********08! internal
group-policy G*********08! attributes
 dns-server value 10.0.0.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 split-tunnel-network-list value G********8!_splitTunnelAcl
 address-pools value VPN_IP_Pool
tunnel-group G**********8! type ipsec-ra
tunnel-group G**********8! general-attributes
 address-pool VPN_IP_Pool
 authentication-server-group DomainController
 default-group-policy G**********8!
tunnel-group G**********8! ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

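The posted config sets `split-tunnel-policy tunnelall` on the remote-access group policy (and on DfltGrpPolicy) while the referenced split-tunnel ACL is `standard permit any`; with tunnelall the ASA sends every client packet into the tunnel regardless of that ACL, and a tunnelspecified policy whose ACL permits `any` behaves the same way. As an added example (not from the post or from Cisco), this Python audit parses group-policy blocks and standard ACLs out of an ASA running config and reports the effective tunnel mode per policy; it uses the placeholder RA_POLICY for the masked policy name and a hypothetical RA_POLICY_fixed (tunnelspecified, ACL limited to 10.0.0.0/24) for contrast.

```python
import re
from collections import defaultdict
# Constructed excerpt modelled on the posted config. RA_POLICY stands in for the
# masked policy; RA_POLICY_fixed is a hypothetical policy tunneling only 10.0.0.0/24.
ASA_CONFIG = """\
access-list RA_POLICY_splitTunnelAcl standard permit any
access-list RA_POLICY_fixed_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
group-policy RA_POLICY attributes
 dns-server value 10.0.0.5
 split-tunnel-policy tunnelall
 split-tunnel-network-list value RA_POLICY_splitTunnelAcl
group-policy RA_POLICY_fixed attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_POLICY_fixed_splitTunnelAcl
"""

def parse_standard_acls(cfg):
    # Map standard ACL name -> list of permitted network strings.
    acls = defaultdict(list)
    for m in re.finditer(r"^access-list (\S+) standard permit (.+)$", cfg, re.M):
        acls[m.group(1)].append(m.group(2).strip())
    return acls

def parse_group_policies(cfg):
    # Map group-policy name -> {attribute: value} from its 'attributes' block.
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"^group-policy (\S+) attributes$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            current[key] = val.removeprefix("value ")  # drop the 'value' keyword
        else:
            current = None  # any unindented line ends the block
    return policies

def effective_split_tunnel(cfg):
    # Unset attributes inherit from DfltGrpPolicy; as in the post, assume tunnelall.
    acls, report = parse_standard_acls(cfg), {}
    for name, attrs in parse_group_policies(cfg).items():
        policy = attrs.get("split-tunnel-policy", "tunnelall")
        nets = acls.get(attrs.get("split-tunnel-network-list", ""), [])
        if policy == "tunnelall":
            report[name] = "full tunnel: all client traffic enters the VPN, ACL ignored"
        elif policy == "tunnelspecified" and "any" in nets:
            report[name] = "full tunnel: tunnelspecified but the ACL permits any"
        elif policy == "tunnelspecified":
            report[name] = "split tunnel: only " + ", ".join(nets) + " via VPN"
        else:  # excludespecified: listed networks bypass the tunnel
            report[name] = "split tunnel: " + ", ".join(nets) + " bypass the VPN"
    return report
```

Running `effective_split_tunnel` over a real `show run` capture makes the tunnelall versus tunnelspecified mismatch visible before clients are told that split tunneling is on.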
Question by: RSMTECH_KC

Accepted Solution by: RSMTECH_KC (earned 0 total points), ID: 21870271
