Solved

ASA 5505 Split-Tunneling Setup Help

Posted on 2011-03-15
7
604 Views
Last Modified: 2012-06-21
I checked the database of questions on EEx and nothing has worked for me when it comes to Split-Tunneling.

I want to use my internet at home while connected to the VPN as my work's BW is horrible.

ciscoasa(config)# show run
: Saved
:
ASA Version 8.2(4)
!
hostname ciscoasa
enable password 01CutRdzkZafqWMy encrypted
passwd 01CutRdzkZafqWMy encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.x.x.66 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0        
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.10.10-10.10.10.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 65.x.x.65 1
route inside 10.10.10.0 255.255.255.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vtctransform esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vtcdynam 1 set transform-set vtctransform
crypto dynamic-map vtcdynam 1 set reverse-route
crypto map vtcmap 1 ipsec-isakmp dynamic vtcdynam
crypto map vtcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 65.x.x.0 255.255.255.192 outside
ssh 65.x.x.2 255.255.255.255 outside
ssh 173.x.x.77 255.255.255.255 outside
ssh 98.x.x.210 255.255.255.255 outside
ssh 69.x.x.214 255.255.255.255 outside
ssh 98.x.x.30 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username Mike password encrypted
username Jonathan password encrypted
username Steve password encrypted
username Lawrence password encrypted
tunnel-group vtctunnelgroup type remote-access
tunnel-group vtctunnelgroup general-attributes
 address-pool vtcpool
tunnel-group vtctunnelgroup ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DD         CEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f1a4e7f5dddd158f2c834070bbdccbf9
: end
0
Comment
Question by:agruber85
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35137615
0
 

Author Comment

by:agruber85
ID: 35137925
Does my split tunnel group policy have to match anything in my current setup or is it separate? I don't remember setting up any group policy.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35137946
There should always be a default group policy (which you don't have to set up) so you can add it to that one.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:agruber85
ID: 35138147
It will not take this line...

ciscoasa(config)# group-policy default-group-policy attributes
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 500 total points
ID: 35138371
try: group-policy DfltGrpPolicy attributes

The name of the default policy is: DfltGrpPolicy
0
 
LVL 18

Expert Comment

by:decoleur
ID: 35138568
here is a complete command set that should work from erniebeek's web reference:

#

    ciscoasa#configure terminal
    ciscoasa(config)#

#

Create the access list that defines the network behind the ASA.

    ciscoasa(config)#access-list Split_Tunnel_List remark The corporate network behind the ASA.
    ciscoasa(config)#access-list Split_Tunnel_List standard permit 10.10.10.0 255.255.255.0

#

Enter Group Policy configuration mode for the policy that you wish to modify.

    ciscoasa(config)#group-policy vtcgrouppolicy attributes
    ciscoasa(config-group-policy)#

#

Specify the split tunnel policy. In this case the policy is tunnelspecified.

    ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified

#

Specify the split tunnel access list. In this case, the list is Split_Tunnel_List.

    ciscoasa(config-group-policy)#split-tunnel-network-list value Split_Tunnel_List

#

Issue this command:

    ciscoasa(config)#tunnel-group vtctunnelgroup general-attributes

#

Associate the group policy with the tunnel group

    ciscoasa(config-tunnel-ipsec)# default-group-policy vtcgrouppolicy

#

Exit the two configuration modes.

    ciscoasa(config-group-policy)#exit
    ciscoasa(config)#exit
    ciscoasa#

#

Save the configuration to non-volatile RAM (NVRAM) and press Enter when prompted to specify the source filename.

    ciscoasa#copy running-config startup-config
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35138715
Glad you figured it out and thx for the points :)
0

Featured Post

Don't Miss ATEN at InfoComm 2017!

Visit booth #2167 to see the  new ATEN VM3200 32 x 32 Modular Matrix Switch. Other highlights include the VE8950 4K HDMI Over IP Extender, VS1912 12-Port DP Video Wall Media Player  and VK2100 ATEN Control System. Register now with Free Pass Code ATEN288!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question