Solved

ASA 5505 Split-Tunneling Setup Help

Posted on 2011-03-15
Last Modified: 2012-06-21
I checked the database of questions on EEx and nothing has worked for me when it comes to Split-Tunneling.

I want to use my internet at home while connected to the VPN as my work's BW is horrible.

ciscoasa(config)# show run
: Saved
:
ASA Version 8.2(4)
!
hostname ciscoasa
enable password 01CutRdzkZafqWMy encrypted
passwd 01CutRdzkZafqWMy encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.x.x.66 255.255.255.192
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool 10.10.10.10-10.10.10.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 65.x.x.65 1
route inside 10.10.10.0 255.255.255.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vtctransform esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vtcdynam 1 set transform-set vtctransform
crypto dynamic-map vtcdynam 1 set reverse-route
crypto map vtcmap 1 ipsec-isakmp dynamic vtcdynam
crypto map vtcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 65.x.x.0 255.255.255.192 outside
ssh 65.x.x.2 255.255.255.255 outside
ssh 173.x.x.77 255.255.255.255 outside
ssh 98.x.x.210 255.255.255.255 outside
ssh 69.x.x.214 255.255.255.255 outside
ssh 98.x.x.30 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username Mike password encrypted
username Jonathan password encrypted
username Steve password encrypted
username Lawrence password encrypted
tunnel-group vtctunnelgroup type remote-access
tunnel-group vtctunnelgroup general-attributes
 address-pool vtcpool
tunnel-group vtctunnelgroup ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f1a4e7f5dddd158f2c834070bbdccbf9
: end
Question by:agruber85

7 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35137615
0
 

Author Comment

by:agruber85
ID: 35137925
Does my split tunnel group policy have to match anything in my current setup or is it separate? I don't remember setting up any group policy.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35137946
There should always be a default group policy (which you don't have to set up) so you can add it to that one.
0

Author Comment

by:agruber85
ID: 35138147
It will not take this line...

ciscoasa(config)# group-policy default-group-policy attributes
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 500 total points
ID: 35138371
try: group-policy DfltGrpPolicy attributes

The name of the default policy is: DfltGrpPolicy
0
 
LVL 18

Expert Comment

by:decoleur
ID: 35138568
here is a complete command set that should work from erniebeek's web reference:

1. Enter configuration mode.

    ciscoasa#configure terminal
    ciscoasa(config)#

2. Create the access list that defines the network behind the ASA.

    ciscoasa(config)#access-list Split_Tunnel_List remark The corporate network behind the ASA.
    ciscoasa(config)#access-list Split_Tunnel_List standard permit 10.10.10.0 255.255.255.0

3. Enter Group Policy configuration mode for the policy that you wish to modify.

    ciscoasa(config)#group-policy vtcgrouppolicy attributes
    ciscoasa(config-group-policy)#

4. Specify the split tunnel policy. In this case the policy is tunnelspecified.

    ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified

5. Specify the split tunnel access list. In this case, the list is Split_Tunnel_List.

    ciscoasa(config-group-policy)#split-tunnel-network-list value Split_Tunnel_List

6. Issue this command:

    ciscoasa(config)#tunnel-group vtctunnelgroup general-attributes

7. Associate the group policy with the tunnel group.

    ciscoasa(config-tunnel-general)#default-group-policy vtcgrouppolicy

8. Exit the two configuration modes.

    ciscoasa(config-tunnel-general)#exit
    ciscoasa(config)#exit
    ciscoasa#

9. Save the configuration to non-volatile RAM (NVRAM) and press Enter when prompted to specify the source filename.

    ciscoasa#copy running-config startup-config
0
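The complete configuration fragment for the running config in the question, as an added example that is not from the thread or from Cisco's documentation. It keeps the existing names vtcpool and vtctunnelgroup from the show run; vtcgrouppolicy and Split_Tunnel_List are the names chosen in the comment above, and the group-policy is created with the internal keyword first, because the attributes command only works on a policy that already exists.

```cisco
! Added example, not part of the original thread. Assumes the show run above:
! inside LAN 10.10.10.0/24, client pool vtcpool, tunnel-group vtctunnelgroup.
!
! 1. Standard ACL listing only the network that should go through the tunnel.
!    Everything not matched here leaves the client's own internet connection.
access-list Split_Tunnel_List remark The corporate network behind the ASA.
access-list Split_Tunnel_List standard permit 10.10.10.0 255.255.255.0
!
! 2. Create the group-policy before setting its attributes; without this line
!    "group-policy vtcgrouppolicy attributes" is rejected because the policy
!    does not exist yet.
group-policy vtcgrouppolicy internal
group-policy vtcgrouppolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
!
! 3. Attach the policy to the existing remote-access tunnel-group so that
!    clients in vtctunnelgroup receive the split-tunnel list on connect.
tunnel-group vtctunnelgroup general-attributes
 default-group-policy vtcgrouppolicy
!
! 4. Verify after a client reconnects (clients must reconnect to pick up the
!    new policy): the first shows the policy, the second the active session.
!   show running-config group-policy vtcgrouppolicy
!   show vpn-sessiondb remote
```

The pool vtcpool (10.10.10.10-15) lies inside the inside subnet 10.10.10.0/24, so the split-tunnel ACL also covers the clients' own pool addresses; it works, but a pool on its own subnet avoids the overlap and makes the ACL and NAT exemption easier to reason about.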
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35138715
Glad you figured it out and thx for the points :)
0
