ASA 5505 VPN - Split Tunneling

Hello All,

I am having an issue with my ASA 5505 that I hope will be an easy fix for the experts here. To begin with the VPN configured on the ASA is working beautifully. The problem is with split tunneling. If I connect with a Windows 7 machine, no problem. I am able to connect to the Exchange Server, File Servers, etc. on the remote network, AND browse the Internet on the local network. However, when I connect to the VPN with Windows XP machines, I am unable to browse locally while connected to the VPN (but I do have access to machines on the remote network). Has anyone else experienced this?
See running config below:

ASA Version 7.2(4)
hostname ciscoasa
domain-name corp.local
enable password 6ixjCp2UhkTENv27 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address 96.x.x.x 255.255.248
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
 domain-name corp.local
same-security-traffic permit intra-interface
access-list ChexarVPN_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNpool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
route outside 96.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
http inside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside

group-policy ChexarVPN internal
group-policy ChexarVPN attributes
 banner value Chexar Networks, Inc.
 banner value Corporate Use Only
 dns-server value
 vpn-access-hours none
 vpn-simultaneous-logins 5
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage disable
 ip-comp enable
 group-lock value ChexarVPN
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ChexarVPN_splitTunnelAcl
 default-domain value corp.local
 msie-proxy method auto-detect
 address-pools value VPNpool
 client-firewall none
username darryl password D7pbkoI.yXMCzM.6 encrypted privilege 0
username darryl attributes
 vpn-group-policy ChexarVPN
 vpn-tunnel-protocol IPSec l2tp-ipsec
 group-lock value ChexarVPN
username bjcrapps password DBfXHHrJl4o.xxXr encrypted privilege 0
username bjcrapps attributes
 vpn-group-policy ChexarVPN
 vpn-tunnel-protocol IPSec l2tp-ipsec
 group-lock value ChexarVPN
tunnel-group ChexarVPN type ipsec-ra
tunnel-group ChexarVPN general-attributes
 address-pool VPNpool
 default-group-policy ChexarVPN
tunnel-group ChexarVPN ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jody LemoineNetwork ArchitectCommented:
It looks like the problem is with your split tunnel ACL:

access-list ChexarVPN_splitTunnelAcl standard permit any

This ACL tells the VPN client to direct *all* traffic over the VPN tunnel.  I'm not sure why the behaviour would be different between Windows XP and Windows 7, but I would try changing the ACL to something like the following to see if that fixes things up:

no access-list ChexarVPN_splitTunnelAcl standard permit any
access-list ChexarVPN_splitTunnelAcl standard permit

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ROMAD77Author Commented:
That was it! I modified the default ACL created during the wizard as you suggested and all is well. I'm still confused as to how/why the Win7 box was working, but oh well....

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.