ASA 5505 Split-Tunneling Setup Help

I checked the database of questions on EEx and nothing has worked for me when it comes to Split-Tunneling.

I want to use my internet at home while connected to the VPN as my work's BW is horrible.

ciscoasa(config)# show run
: Saved
:
ASA Version 8.2(4)
!
hostname ciscoasa
enable password 01CutRdzkZafqWMy encrypted
passwd 01CutRdzkZafqWMy encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.x.x.66 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0        
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.10.10-10.10.10.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 65.x.x.65 1
route inside 10.10.10.0 255.255.255.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vtctransform esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vtcdynam 1 set transform-set vtctransform
crypto dynamic-map vtcdynam 1 set reverse-route
crypto map vtcmap 1 ipsec-isakmp dynamic vtcdynam
crypto map vtcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 65.x.x.0 255.255.255.192 outside
ssh 65.x.x.2 255.255.255.255 outside
ssh 173.x.x.77 255.255.255.255 outside
ssh 98.x.x.210 255.255.255.255 outside
ssh 69.x.x.214 255.255.255.255 outside
ssh 98.x.x.30 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username Mike password encrypted
username Jonathan password encrypted
username Steve password encrypted
username Lawrence password encrypted
tunnel-group vtctunnelgroup type remote-access
tunnel-group vtctunnelgroup general-attributes
 address-pool vtcpool
tunnel-group vtctunnelgroup ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DD         CEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f1a4e7f5dddd158f2c834070bbdccbf9
: end
agruber85Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
agruber85Author Commented:
Does my split tunnel group policy have to match anything in my current setup or is it separate? I don't remember setting up any group policy.
0
Ernie BeekExpertCommented:
There should always be a default group policy (which you don't have to set up) so you can add it to that one.
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

agruber85Author Commented:
It will not take this line...

ciscoasa(config)# group-policy default-group-policy attributes
0
Ernie BeekExpertCommented:
try: group-policy DfltGrpPolicy attributes

The name of the default policy is: DfltGrpPolicy
0
decoleurCommented:
here is a complete command set that should work from erniebeek's web reference:

#

    ciscoasa#configure terminal
    ciscoasa(config)#

#

Create the access list that defines the network behind the ASA.

    ciscoasa(config)#access-list Split_Tunnel_List remark The corporate network behind the ASA.
    ciscoasa(config)#access-list Split_Tunnel_List standard permit 10.10.10.0 255.255.255.0

#

Enter Group Policy configuration mode for the policy that you wish to modify.

    ciscoasa(config)#group-policy vtcgrouppolicy attributes
    ciscoasa(config-group-policy)#

#

Specify the split tunnel policy. In this case the policy is tunnelspecified.

    ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified

#

Specify the split tunnel access list. In this case, the list is Split_Tunnel_List.

    ciscoasa(config-group-policy)#split-tunnel-network-list value Split_Tunnel_List

#

Issue this command:

    ciscoasa(config)#tunnel-group vtctunnelgroup general-attributes

#

Associate the group policy with the tunnel group

    ciscoasa(config-tunnel-ipsec)# default-group-policy vtcgrouppolicy

#

Exit the two configuration modes.

    ciscoasa(config-group-policy)#exit
    ciscoasa(config)#exit
    ciscoasa#

#

Save the configuration to non-volatile RAM (NVRAM) and press Enter when prompted to specify the source filename.

    ciscoasa#copy running-config startup-config
0
Ernie BeekExpertCommented:
Glad you figured it out and thx for the points :)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN

From novice to tech pro — start learning today.