• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1456
  • Last Modified:

Split Tunneling on Cisco ASA 5510

Hi all,

I have a situation: currently I am trying to get split tunneling working. I have followed the instructions as per Cisco's guide: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

The remote access profile I am trying to enable split tunneling for is called "prs_alc".

What I am trying to achieve is simple: when a user connects to the prs_alc profile, he / she would still have access to their local LAN network as well as encrypted access to the internet.

What else am I missing to make this work?

Thanks in advance!

Config is posted below:
ASA Version 8.0(2) 
!
hostname helmsdeep
domain-name XX.com.au
enable password drwRxouas5PVXqW/ encrypted
names
!
interface Ethernet0/0
 speed 100
 nameif outside
 security-level 0
 ip address X.X.X.106 255.255.255.248 
!
interface Ethernet0/1
 speed 100
 nameif inside
 security-level 100
 ip address 10.1.2.1 255.255.255.0 
!
interface Ethernet0/2
 speed 100
 nameif DMZ
 security-level 50
 ip address 10.1.1.1 255.255.255.0 
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
 speed 100
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone XXXXX
dns server-group DefaultDNS
 domain-name XX.com.au
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object host 10.1.2.50
 network-object host 10.1.2.60
object-group service Rsync tcp
 description Rsync
 port-object eq 873
access-list acl_out extended permit tcp any host X.X.X.108 eq https 
access-list acl_out extended permit tcp any host X.X.X.107 eq 13013 
access-list acl_out extended permit tcp any host X.X.X.107 eq smtp 
access-list acl_out extended permit tcp any host X.X.X.109 eq 9090 
access-list acl_out extended permit tcp host X.X.X.94 host X.X.X.109 eq ssh 
access-list acl_out extended permit tcp any any eq www 
access-list acl_out extended permit tcp any host X.X.X.217 eq www 
access-list acl_out extended permit tcp host X.X.X.170 host X.X.X.109 eq ssh 
access-list acl_out extended deny icmp any host X.X.X.106 
access-list acl_out extended permit tcp any host X.X.X.217 eq https 
access-list vpnuserin extended permit tcp 10.0.0.0 255.0.0.0 host 10.1.2.50 eq www 
access-list vpn_no_nat extended permit ip host 10.1.1.88 10.0.1.0 255.255.255.0 
access-list vpn_no_nat_inside extended permit ip 10.1.2.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list vpn_no_nat_inside extended permit ip host 10.1.2.50 160.48.12.0 255.255.255.0 
access-list vpn_no_nat_inside extended permit ip host 10.1.2.70 10.0.3.0 255.255.255.248 
access-list vpn_no_nat_inside extended permit ip host 10.1.2.48 10.0.4.0 255.255.255.0 
access-list vpn_no_nat_inside extended permit ip host 10.1.2.50 192.168.1.0 255.255.255.0 
access-list vpn_no_nat_inside extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0 
access-list vpn_no_nat_inside extended permit ip 10.1.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list vpn_no_nat_inside extended permit ip 10.1.2.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list vpn_no_nat_inside extended permit ip 10.1.2.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list vpn_no_nat_inside extended permit ip 192.168.3.0 255.255.255.0 10.1.2.0 255.255.255.0 
access-list vpn_no_nat_inside extended permit ip 10.1.2.0 255.255.255.0 host 192.168.3.0 
access-list vpn_no_nat_inside extended permit ip 10.1.2.0 255.255.255.0 192.168.4.0 255.255.255.0 
access-list vpn_no_nat_inside extended permit ip any 10.0.0.64 255.255.255.192 
access-list toPRS extended permit tcp 192.168.1.0 255.255.255.0 host 10.1.2.50 eq www 
access-list toPRS extended permit tcp 192.168.2.0 255.255.255.0 host 10.1.2.50 eq www 
access-list toPRS extended permit tcp 192.168.3.0 255.255.255.0 host 10.1.2.50 eq www 
access-list toPRS extended permit udp 192.168.3.0 255.255.255.0 host 10.1.2.60 eq 445 
access-list toPRS extended permit tcp 192.168.3.0 255.255.255.0 host 10.1.2.60 eq 445 
access-list toPRS extended permit tcp 192.168.3.0 255.255.255.0 host 10.1.2.60 eq netbios-ssn 
access-list toPRS extended permit tcp 192.168.2.0 255.255.255.0 host 10.1.2.52 eq www 
access-list toPRS extended permit tcp 192.168.1.0 255.255.255.0 host 10.1.2.52 eq www 
access-list toPRS extended permit tcp 192.168.2.0 255.255.255.0 host 10.1.2.60 eq netbios-ssn 
access-list toPRS extended permit tcp 192.168.1.0 255.255.255.0 host 10.1.2.60 eq netbios-ssn 
access-list toPRS extended permit tcp 192.168.1.0 255.255.255.0 host 10.1.2.60 eq 445 
access-list toPRS extended permit udp 192.168.1.0 255.255.255.0 host 10.1.2.60 eq 445 
access-list toPRS extended permit tcp 192.168.2.0 255.255.255.0 host 10.1.2.60 eq 445 
access-list toPRS extended permit udp 192.168.2.0 255.255.255.0 host 10.1.2.60 eq 445 
access-list toPRS extended permit tcp 192.168.2.0 255.255.255.0 host 10.1.2.60 eq ssh 
access-list toPRS extended permit object-group DM_INLINE_PROTOCOL_1 host 10.1.2.73 192.168.2.0 255.255.255.0 range 1 65535 
access-list toPRS extended permit tcp 192.168.4.0 255.255.255.0 host 10.1.2.50 eq www 
access-list toPRS extended permit tcp 192.168.4.0 255.255.255.0 host 10.1.2.60 eq netbios-ssn 
access-list toPRS extended permit udp 192.168.4.0 255.255.255.0 host 10.1.2.60 eq 455 
access-list toPRS extended permit tcp 192.168.4.0 255.255.255.0 host 10.1.2.60 eq 445 
access-list toPRS extended permit tcp 192.168.1.0 255.255.255.0 host 10.1.2.60 eq ssh 
access-list toPRS extended permit tcp 192.168.4.0 255.255.255.0 host 10.1.2.51 eq www 
access-list toPRS extended permit tcp 192.168.4.0 255.255.255.0 host 10.1.2.52 eq www 
access-list toPRS extended deny ip any any 
access-list vpnuat extended permit tcp 10.0.4.0 255.255.255.0 host 10.1.2.48 eq www 
access-list vpnuat extended permit tcp 10.0.4.0 255.255.255.0 host 10.1.2.48 eq 9090 
access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list DMZ_access_in extended permit ip 10.1.1.0 255.255.255.0 any 
access-list outside_2_cryptomap extended permit ip 10.1.2.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list inside_access_in extended permit ip any any 
access-list outside_3_cryptomap extended permit ip 10.1.2.0 255.255.255.0 host 192.168.3.0 
access-list outside_access_in extended permit ip any any 
access-list outside_4_cryptomap extended permit ip 10.1.2.0 255.255.255.0 192.168.4.0 255.255.255.0 
access-list outside_4_cryptomap_1 extended permit ip 10.1.2.0 255.255.255.0 192.168.4.0 255.255.255.0 
access-list cap_http extended permit ip host 192.168.4.21 host 10.1.2.50 
access-list cap_http extended permit ip host 10.1.2.50 host 192.168.4.21 
access-list test_splitTunnelAcl standard permit any 
access-list prs_alc_splitTunnelAcl standard permit any 
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging facility 23
logging host inside 10.1.2.70
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool dist_partners 10.0.0.21-10.0.0.50
ip local pool office 10.0.0.2-10.0.0.20
ip local pool demo_pool 10.0.1.1-10.0.1.14
ip local pool techops 10.0.3.1-10.0.3.6
ip local pool retail 10.0.0.100-10.0.0.255
ip local pool uat_pool 10.0.4.1-10.0.4.20
ip local pool p2h_retail 10.0.0.51-10.0.0.69
ip local pool prs_alc 10.0.0.70-10.0.0.99
ip verify reverse-path interface outside
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover replication http
failover link failover Ethernet0/3
failover interface ip failover 10.1.3.1 255.255.255.252 standby 10.1.3.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 10.1.1.101-10.1.1.125
nat (inside) 0 access-list vpn_no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list vpn_no_nat
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp X.X.X.109 9090 10.1.1.28 9090 netmask 255.255.255.255 
static (DMZ,inside) tcp X.X.X.108 https 10.1.1.88 https netmask 255.255.255.255 
static (DMZ,outside) tcp X.X.X.108 https 10.1.1.88 https netmask 255.255.255.255 
static (DMZ,inside) tcp X.X.X.109 9090 10.1.1.28 9090 netmask 255.255.255.255 
static (inside,outside) tcp X.X.X.217 www 10.1.2.40 www netmask 255.255.255.255 
static (outside,inside) tcp X.X.X.217 www 10.1.2.40 www netmask 255.255.255.255 
static (inside,outside) tcp X.X.X.217 https 10.1.2.55 https netmask 255.255.255.255 
static (outside,inside) tcp X.X.X.217 https 10.1.2.55 https netmask 255.255.255.255 
static (outside,DMZ) tcp X.X.X.218 www 10.1.1.28 www netmask 255.255.255.255 
static (DMZ,outside) tcp X.X.X.218 www 10.1.1.28 www netmask 255.255.255.255 
static (inside,outside) tcp X.X.X.107 13013 10.1.2.42 13013 netmask 255.255.255.255 
static (outside,inside) tcp X.X.X.107 13013 10.1.2.42 13013 netmask 255.255.255.255 
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 X.X.X.105 1
route DMZ 10.1.1.0 255.255.255.0 10.1.1.1 1
route outside X.X.X.104 255.255.255.248 203.168.113.106 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS host 10.1.2.48
 timeout 5
 key mang0
aaa-server RADIUS host 10.1.2.70
 key mang0
aaa authentication ssh console LOCAL 
http server enable
http 10.1.2.203 255.255.255.255 inside
http 10.1.2.204 255.255.255.255 inside
http 10.1.2.233 255.255.255.255 inside
http 10.1.2.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set toPRS esp-3des esp-sha-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 toPRS
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer X.X.X.94 
crypto map outside_map 1 set transform-set toPRS
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer X.X.X.170 
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs 
crypto map outside_map 3 set peer X.X.X.46 
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap_1
crypto map outside_map 4 set pfs 
crypto map outside_map 4 set peer X.X.X.252 
crypto map outside_map 4 set transform-set toPRS
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 8
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 360
telnet timeout 5
ssh 10.1.2.203 255.255.255.255 inside
ssh 10.1.2.204 255.255.255.255 inside
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ftp 
!
service-policy global_policy global
ntp server 10.1.2.50 source inside prefer
group-policy prs_alc internal
group-policy prs_alc attributes
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test_splitTunnelAcl
group-policy DfltGrpPolicy attributes
 vpn-filter value toPRS
username paul password t9J6s27TpT9WmKQl encrypted privilege 15
username paula password PBGipLbhHNLfRsmb encrypted privilege 15
username Lionel password 8XPF7KxvSMZLMaYA encrypted privilege 15
tunnel-group office_team type remote-access
tunnel-group office_team general-attributes
 address-pool office
 authentication-server-group RADIUS
tunnel-group office_team ipsec-attributes
 pre-shared-key XXX37
tunnel-group retail_team type remote-access
tunnel-group retail_team general-attributes
 address-pool retail
 authentication-server-group RADIUS
tunnel-group retail_team ipsec-attributes
 pre-shared-key XXX37
tunnel-group prs_alc type remote-access
tunnel-group prs_alc general-attributes
 address-pool prs_alc
 authentication-server-group RADIUS
 default-group-policy prs_alc
tunnel-group prs_alc ipsec-attributes
 pre-shared-key XXXXX1
tunnel-group demo_team type remote-access
tunnel-group demo_team general-attributes
 address-pool office
 authentication-server-group RADIUS
tunnel-group demo_team ipsec-attributes
 pre-shared-key XXX37
tunnel-group anz_users type remote-access
tunnel-group anz_users general-attributes
 address-pool retail
 authentication-server-group RADIUS
tunnel-group anz_users ipsec-attributes
 pre-shared-key XXX37
tunnel-group uat_team type remote-access
tunnel-group uat_team general-attributes
 address-pool uat_pool
 authentication-server-group RADIUS
tunnel-group uat_team ipsec-attributes
 pre-shared-key XXX37
tunnel-group techops_team type remote-access
tunnel-group techops_team general-attributes
 address-pool techops
 authentication-server-group RADIUS
tunnel-group techops_team ipsec-attributes
 pre-shared-key XXX37
tunnel-group p2h_retail_team type remote-access
tunnel-group p2h_retail_team general-attributes
 address-pool p2h_retail
 authentication-server-group RADIUS
tunnel-group p2h_retail_team ipsec-attributes
 pre-shared-key XXX37
tunnel-group X.X.X.94 type ipsec-l2l
tunnel-group X.X.X.94 ipsec-attributes
 pre-shared-key XXX80
tunnel-group X.X.X.170 type ipsec-l2l
tunnel-group X.X.X.170 ipsec-attributes
 pre-shared-key XXX87
tunnel-group X.X.X.46 type ipsec-l2l
tunnel-group X.X.X.46 ipsec-attributes
 pre-shared-key XXX173
tunnel-group X.X.X.252 type ipsec-l2l
tunnel-group X.X.X.252 ipsec-attributes
 pre-shared-key XXXHK
prompt hostname context 
Cryptochecksum:6e77d973dd9192a7a75dc2696b33ec4c

Asked by jaglin84

1 Solution

DanJ commented:
Based on your description you don't need split tunnel. All the traffic goes through the ASA.
akhilw commented:
The group policy 'prs_alc' is using split tunnel ACL 'test_splitTunnelAcl':
access-list test_splitTunnelAcl standard permit any
which does not seem to be correct.

The split acl should be
access-list test_splitTunnelAcl standard permit <Your corporate network>

Looking at your other config, your split acl should be...
access-list test_splitTunnelAcl standard permit 10.1.2.0 255.255.255.0

asavener commented:
The problem is with the group policy; you need to specify the split tunnel method to be exclude specified and then select the local network:

access-list Allow_Local_LAN standard permit host 0.0.0.0

group-policy prs_alc attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Allow_Local_LAN
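The two answers above (akhilw's point that a split ACL of "permit any" is wrong, and asavener's excludespecified / host 0.0.0.0 fix) come down to how a group-policy's split-tunnel-policy combines with the standard ACL it names. The script below is an added example, not code from the thread or from Cisco: it parses an ASA-style config dump and reports, per group-policy, what the client will actually do. The sample config is constructed to mirror the thread; the fixed_alc policy and the 192.168.1.0 entry are made up for illustration.

```python
# Added example (not from the thread or Cisco): audit an ASA config dump for the
# split-tunnel settings discussed above. For each group-policy it resolves the
# standard ACL named by split-tunnel-network-list and reports the effect: tunnel
# everything (asker's original state), local-LAN access (asavener's fix), or bypass.
import re
# Constructed sample modelled on the thread; fixed_alc and 192.168.1.0 are made up.
SAMPLE_CONFIG = """\
access-list test_splitTunnelAcl standard permit any
access-list Allow_Local_LAN standard permit host 0.0.0.0
access-list Allow_Local_LAN standard permit 192.168.1.0 255.255.255.0
group-policy prs_alc attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test_splitTunnelAcl
group-policy fixed_alc attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Allow_Local_LAN
"""

def parse(config):
    """Return (standard ACL entries by name, split-tunnel attributes by group-policy)."""
    acls, policies, current = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"^access-list (\S+) standard permit (.+?)\s*$", line):
            acls.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"^group-policy (\S+) attributes", line):
            current = policies.setdefault(m[1], {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key == "split-tunnel-policy":
                current["policy"] = value
            elif key == "split-tunnel-network-list":
                current["acl"] = value.split(" ", 1)[-1]  # drop the "value" keyword
        else:
            current = None  # any other top-level line ends the attributes block
    return acls, policies

def audit(config):
    """Return (group_policy, finding) pairs describing each policy's split-tunnel effect."""
    acls, policies = parse(config)
    findings = []
    for name, attrs in policies.items():
        mode, entries = attrs.get("policy"), acls.get(attrs.get("acl"), [])
        if mode == "tunnelspecified" and "any" in entries:
            findings.append((name, "tunnelspecified with 'permit any': everything tunnelled, no local LAN"))
        for entry in (entries if mode == "excludespecified" else []):
            if entry == "host 0.0.0.0":
                findings.append((name, "local LAN access via excluded host 0.0.0.0"))
            else:
                findings.append((name, f"traffic to {entry} bypasses the tunnel"))
    return findings
```

Run `audit(open("running-config.txt").read())` against a real `show running-config` dump; any "bypasses the tunnel" finding means traffic to that network leaves the client unencrypted, which is worth reviewing whenever an excluded list grows beyond host 0.0.0.0.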
jaglin84 (author) commented:
Hi

Thanks! Managed to get it working with that!