Link to home
Start Free TrialLog in
Avatar of nick_kessler

asked on

Cisco VPN on Mac

We have recently installed a Cisco ASA5510 (Sec +) and had it configured apples to apples with previous firewall, which was to allow email, HTTP, HTTPS and Terminal Services. We then setup a VPN in an effort to close off the Terminal Service port, so only access to terminal server is if connected to VPN...

So, everything works perfect on a PC, I installed Cisco VPN Client, connect to the vpn and can then connect to terminal server. If no VPN connection, cannot connect to terminal server. In both connected and disconnected states I can open browser and use web. BUT...

On a Mac, with OS X (brand new Mac Book Pro's al 64bit), once I connec to the VPN, I lose internet access, and cannot connect to nor ping any of the servers on my network, especially the terminal server. If I disconnect the VPN, I regain access to internet.

A little background information, our network is setup to use 192.168.1.x and while we are planning to change, while setting up the VPN, we realized that users on home networks are more than likely having the same IP scheme, so we setup the VPN to use 10.0.0.x  Something tells me the Mac, when connected, is not receiving the 10.0.0.x address and there's an IP conflict. Could that be the case?

Either way, ANY help appreciated, I've also tried to connect with AnyConnect on the Mac, the connection works just fine, but once connected, no internet or access to terminal server.
Avatar of OxygenITSolutions

This sounds like a DNS issue. Can you manually add a DNS when on the VPN to confirm?
Avatar of nick_kessler


I really have no use on the Mac side, so can you assist with your request to manually add a DNS? But think you may be on to something with it being a DNS issue...
First of all sorry to hear you installed Cisco. My condolences.
For your problem you did not tell us if you try to reach server by IP or name. If indeed you use name I suspect it's a split DNS problem. You should be able to enter DNS entries in the client but I'm not sure since I don't know the Cisco stuff. Don't use Cisco for VPN - too low end and too flaky for my taste.
@Allvirtual, please keep your opinion for yourself. Many folks out there use Cisco and have found Cisco ASA to a grade firewall.
To return on the question:

There are several commands you need to check:
group-policy IPSEC-SSL_VPN_Policy attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value LOCAL_splitTunnelACL
    default-domain value domain.local
    split-dns value domain.local

Open in new window

for both IPsec and SSL VPN (AnyConnect) policies. You can consult the Command reference guide for the right syntax.

I have users with Mac OS 32- and 64-bit OS as well as PC clients 32/64 using IPsec and AnyConnect VPN without any problems.
Really appreciate your response spaperov.

Being very new to the ASA, I'm a bit unsure what to do with your request. I have putty and can access the command line interface, but don't want to mess things up. Should I copy your commands and paste them into the command line for results?

One thing I should mention, when I am connected to AnyConnect, and I try to pull up an RDP session, I am trying both internal IP and computer name, same results, nothing...
Now getting an Error 51 when trying to launch the Cisco VPN software on the Mac...
No, you cannot just copy/past the lines that I have provided you with. This is just an example.

If you are more familiar with ASDM you can do the configuration there. Basically, you need split tunnelling and split dns.
Was more comfortable in ASDM, and when checking it appears split tunneling and split DNS is setup, when I checked the routing table on the Mac, shows

As for Error 51, it was incompatibility on Cisco client on Mac OS 10.6, got that working OK by manually adding the built-in Cisco IPSec client.
I know this has been a while, re-installing the vpn over the top generally resolves most errors.
Avatar of nick_kessler

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Have you checked that the option to 'send all traffic over VPN connection' is unchecked in the OS X VPN advanced options tab?

Received answer directly from manufacturer, limitation of 3rd party product