Solved

ASA 5505 Split-Tunneling Setup Help

Posted on 2011-03-15
7
602 Views
Last Modified: 2012-06-21
I checked the database of questions on EEx and nothing has worked for me when it comes to Split-Tunneling.

I want to use my internet at home while connected to the VPN as my work's BW is horrible.

ciscoasa(config)# show run
: Saved
:
ASA Version 8.2(4)
!
hostname ciscoasa
enable password 01CutRdzkZafqWMy encrypted
passwd 01CutRdzkZafqWMy encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.x.x.66 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0        
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.10.10-10.10.10.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 65.x.x.65 1
route inside 10.10.10.0 255.255.255.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vtctransform esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vtcdynam 1 set transform-set vtctransform
crypto dynamic-map vtcdynam 1 set reverse-route
crypto map vtcmap 1 ipsec-isakmp dynamic vtcdynam
crypto map vtcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 65.x.x.0 255.255.255.192 outside
ssh 65.x.x.2 255.255.255.255 outside
ssh 173.x.x.77 255.255.255.255 outside
ssh 98.x.x.210 255.255.255.255 outside
ssh 69.x.x.214 255.255.255.255 outside
ssh 98.x.x.30 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username Mike password encrypted
username Jonathan password encrypted
username Steve password encrypted
username Lawrence password encrypted
tunnel-group vtctunnelgroup type remote-access
tunnel-group vtctunnelgroup general-attributes
 address-pool vtcpool
tunnel-group vtctunnelgroup ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DD         CEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f1a4e7f5dddd158f2c834070bbdccbf9
: end
0
Comment
Question by:agruber85
  • 4
  • 2
7 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35137615
0
 

Author Comment

by:agruber85
ID: 35137925
Does my split tunnel group policy have to match anything in my current setup or is it separate? I don't remember setting up any group policy.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35137946
There should always be a default group policy (which you don't have to set up) so you can add it to that one.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:agruber85
ID: 35138147
It will not take this line...

ciscoasa(config)# group-policy default-group-policy attributes
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 500 total points
ID: 35138371
try: group-policy DfltGrpPolicy attributes

The name of the default policy is: DfltGrpPolicy
0
 
LVL 18

Expert Comment

by:decoleur
ID: 35138568
here is a complete command set that should work from erniebeek's web reference:

#

    ciscoasa#configure terminal
    ciscoasa(config)#

#

Create the access list that defines the network behind the ASA.

    ciscoasa(config)#access-list Split_Tunnel_List remark The corporate network behind the ASA.
    ciscoasa(config)#access-list Split_Tunnel_List standard permit 10.10.10.0 255.255.255.0

#

Enter Group Policy configuration mode for the policy that you wish to modify.

    ciscoasa(config)#group-policy vtcgrouppolicy attributes
    ciscoasa(config-group-policy)#

#

Specify the split tunnel policy. In this case the policy is tunnelspecified.

    ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified

#

Specify the split tunnel access list. In this case, the list is Split_Tunnel_List.

    ciscoasa(config-group-policy)#split-tunnel-network-list value Split_Tunnel_List

#

Issue this command:

    ciscoasa(config)#tunnel-group vtctunnelgroup general-attributes

#

Associate the group policy with the tunnel group

    ciscoasa(config-tunnel-ipsec)# default-group-policy vtcgrouppolicy

#

Exit the two configuration modes.

    ciscoasa(config-group-policy)#exit
    ciscoasa(config)#exit
    ciscoasa#

#

Save the configuration to non-volatile RAM (NVRAM) and press Enter when prompted to specify the source filename.

    ciscoasa#copy running-config startup-config
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35138715
Glad you figured it out and thx for the points :)
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
IPv6 question 1 17
OpenVPN Access Server in EC2 Connectivity Issues 1 48
Linksys e2500 wireless router - should I upgrade 6 25
Setting up L2TP/IPsec in RRAS 5 17
Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question