Solved

ASA5505 Remote VPN Split Tunneling can not access internet

Posted on 2011-10-24
Last Modified: 2012-05-12
I cannot seem to get out to the internet once I connect with my VPN client. I'm sure it has to do with split tunneling, but I can't figure out how to set it up with my current config. Any ideas?

ASA Version 8.2(5)
!
hostname ciscoasa
enable password 6ZoFBEConbp3Z7DJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 71.x.x.x XO-Gateway
name 10.23.141.93 SEO1-IN
name 71.5.x.x SEO1-OUT
name 10.23.141.62 SEO2-IN
name 71.5.x.x SEO2-OUT
name 10.23.141.94 SEO3-IN
name 71.5.x.x SEO3-OUT
name 10.23.141.88 SEO4-IN
name 71.5.x.x SEO4-OUT
name 10.23.141.70 SEO5-IN
name 71.5.x.x SEO5-OUT
name 10.23.141.51 SEO6-IN
name 71.5.x.x SEO6-OUT
name 10.23.136.12 PTMS5-DMZ
name 71.5.x.x PTMS5-OUT
name 10.23.136.10 PTMS6-DMZ
name 71.5.x.x PTMS6-OUT
name 10.23.136.16 CarJockey-DMZ
name 71.5.x.x CarJockey-OUT
name 10.23.136.13 PTMSTECH-DMZ
name 71.5.x.x PTMSTECH-OUT
name 10.23.140.201 VPN-IPGROUP
name 10.10.10.0 AnyConnect-IP
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.23.140.51 255.255.252.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.x.x.x 255.255.255.224
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 10.23.136.51 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.23.140.5
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp echo-reply
object-group service DM_INLINE_UDP_1 udp
 port-object eq netbios-dgm
 port-object eq netbios-ns
object-group service GlassFish tcp
 description GlassFish
 port-object eq 4848
 port-object eq 8080
object-group service RedMine tcp
 description RedMine
 port-object eq 3000
object-group service MySQL tcp
 description MySQL
 port-object eq 3306
 port-object eq 13306
object-group network AnyConnect-IP
 description AnyConnect-IP
 network-object AnyConnect-IP 255.255.255.0
object-group service TSPReport tcp
 description TSPReport
 port-object eq 8787
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any eq telnet
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_access_in extended permit udp any any eq tftp
access-list outside_access_in extended permit tcp any any eq irc
access-list outside_access_in extended permit tcp any any eq h323
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq netbios-ssn
access-list outside_access_in extended permit udp any any object-group DM_INLINE_UDP_1
access-list outside_access_in extended permit tcp any any object-group GlassFish
access-list outside_access_in extended permit tcp any any object-group RedMine
access-list outside_access_in extended permit tcp any any object-group MySQL
access-list outside_access_in extended permit tcp any any object-group TSPReport
access-list nonat extended permit ip 10.23.140.0 255.255.252.0 10.23.136.0 255.255.255.0
access-list nonat extended permit ip any object-group AnyConnect-IP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool VPN-POOL 10.10.10.5-10.10.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 10.23.136.0 255.255.255.0
static (inside,outside) SEO1-OUT SEO1-IN netmask 255.255.255.255
static (inside,outside) SEO2-OUT SEO2-IN netmask 255.255.255.255
static (inside,outside) SEO3-OUT SEO3-IN netmask 255.255.255.255
static (inside,outside) SEO4-OUT SEO4-IN netmask 255.255.255.255
static (inside,outside) SEO5-OUT SEO5-IN netmask 255.255.255.255
static (inside,outside) SEO6-OUT SEO6-IN netmask 255.255.255.255
static (DMZ,outside) PTMS5-OUT PTMS5-DMZ netmask 255.255.255.255
static (DMZ,outside) PTMS6-OUT PTMS6-DMZ netmask 255.255.255.255
static (DMZ,outside) CarJockey-OUT CarJockey-DMZ netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XO-Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server PTMS-AD protocol ldap
aaa-server PTMS-AD (inside) host 10.23.140.5
 timeout 5
 server-type auto-detect
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map DMZ_map interface DMZ
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable DMZ
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable inside
 enable outside
 enable DMZ
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 10.23.140.5
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username ptms-vpn1 password CdC4g4xwGZqPuXm3 encrypted privilege 15
username ptms-vpn2 password CdC4g4xwGZqPuXm3 encrypted privilege 0
username ptms-vpn2 attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool VPN-POOL
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
 group-url https://71.x.x.x/AnyConnect enable
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b8aec38aa38097cac84f849a815909e3
: end
Question by: adanser83

4 Comments
LVL 18

Expert Comment

by:jmeggers
ID: 37018243
You have two choices:  either split tunnel and have Internet traffic go out directly from the client, or you "hairpin" traffic at the ASA to redirect it to go outside, along with doing the appropriate NAT on it.  For the first you need to specify an ACL for what destinations go through the IPSec tunnel (your internal LANs); for the second option, you need a nat (outside) 1 command and you may need to adjust your no-nat ACL.  Your no-nat ACL should be no-nating anything going from the inside to your VPN pool address range.

Author Comment

by:adanser83
ID: 37018259
Can you provide a split tunnel example command?
LVL 17

Accepted Solution

by:
max_the_king earned 2000 total points
ID: 37018289
Hi,

Run the following commands:

! split-tunnel network lists on ASA 8.2 must be standard ACLs (network and mask only)
access-list splittunnel standard permit 10.23.140.0 255.255.252.0

and into the group-policy:

group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel

It should work.
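For reference, both options jmeggers described, written against the asker's posted ASA 8.2(5) config. This is an added example, not configuration from the original answers; the DMZ entry in the split-tunnel list assumes VPN users also need the 10.23.136.0/24 network, which the posted config does not state. Split tunneling is the lighter option, but only hairpinning keeps the remote users' Internet traffic under the ASA's access policy and logging.

```cisco
! Added example (not from the original post), for the ASA 8.2(5) config above.
!
! --- Option 1: split tunneling ---
! Only the listed networks enter the tunnel; everything else leaves the
! client directly. The inside LAN is from the accepted answer; the DMZ line
! is an assumption (VPN users need DMZ hosts too). The list must be a
! standard ACL on 8.2 (network and mask, no protocol).
access-list splittunnel standard permit 10.23.140.0 255.255.252.0
access-list splittunnel standard permit 10.23.136.0 255.255.255.0
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
!
! --- Option 2: full tunnel with a hairpin (u-turn) on the outside interface ---
! All client traffic enters the tunnel; Internet-bound traffic is allowed to
! re-exit the interface it arrived on and is PAT'd to the outside address
! (the posted config already has "global (outside) 1 interface").
! Do not combine with the split-tunnel lines above.
same-security-traffic permit intra-interface
nat (outside) 1 10.10.10.0 255.255.255.0
!
! --- Checks after connecting an AnyConnect client ---
! show vpn-sessiondb svc                       -> session present, pool address assigned
! show running-config group-policy DfltGrpPolicy -> split-tunnel attributes applied
```

With option 1 the client's own routing table should show only the two listed networks pointing at the VPN adapter; with option 2 every route does.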

Author Comment

by:adanser83
ID: 37018546
I knew it had to be something simple like that. Thank you so much! Everything is running great now.
