• Status: Solved
• Priority: Medium
• Security: Public
• Views: 2786

Cisco ASA5505 VPN Split-dns And split-tunnelling

I am currently trying to get my Cisco VPN working so that when I connect to my VPN I am able to view web pages / surf the internet on the other side of the ASA.
I have enabled split tunnelling and that seems to be working fine, as I am able to surf the internet locally and can send and receive emails OK.
On the inside of the Cisco ASA 5505 I have a domain controller which acts as my DNS server.
The server is called winserver01.domain.local and its IP address is 172.16.1.1.
I have attached my current running config, which I hope will be clear and straightforward for the experts.
Attachment: Cisco-Config.txt
Asked by: Robert_Rayworth
1 Solution
 
MikeKane commented:

I don't see a question in your post.    What help are you looking to get here?
 
Robert_Rayworth (Author) commented:
Hi Mike, what I am trying to do is, when I am connected to my VPN on my iPad, to be able to use the internet at home, which is where I VPN to. If I go to a web page currently whilst on the VPN and google "what's my IP", it gives me the IP address of the mobile phone provider, whose internet traffic has content filtering on. So I am after all the internet traffic going out via my home internet provider, not locally. Hope this is clearer.
 
MikeKane commented:
OK -  Your VPN is setup as a split-tunnel.

access-list split-tunnel standard permit 172.16.1.0 255.255.255.0

This split tunnel config will only tunnel traffic that is bound for 172.16.1.0.      If you want to tunnel all traffic, just don't use the split tunnel setup.  

Remove the split tunnel description from here:
group-policy rayworthvpn attributes
 dns-server value 172.16.1.1
 vpn-tunnel-protocol IPSec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

 default-domain value domain.local
 split-dns value domain.local
Robert_Rayworth (Author) commented:
Hi Mike, thanks for the response, but I just need to clarify a few things.
So are you saying I need to delete the split tunnel?
What exactly am I removing: the bit you put in bold, or all of the config you wrote out above?
Just a bit confused.
What commands do I run to remove the config you are referring to? Can this be done through the ASDM GUI?
Thanks for your assistance.
 
MikeKane commented:
The split tunnel is what defines what traffic is sent across the VPN tunnel. If the traffic matches the split tunnel ACL, then the traffic is encrypted to the VPN; if it doesn't, then it's sent out the default gateway.

To remove the split tunnel and encrypt all traffic, you just need to remove those 2 lines.

split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 
Robert_Rayworth (Author) commented:
What is the easiest way to remove these lines? Is there a proper command?
 
Robert_Rayworth (Author) commented:
OK, I have removed those two lines by editing the config in Notepad and then pasting it back.

I am still getting the same issues as before: when I do a whatsmyip it's giving me the one of the mobile internet provider, and when I browse the internet certain websites are still getting blocked, as the internet traffic is not going out through the VPN.
I have copied below my current running config.
Do you think the issue could be with the split DNS?
Attachment: Current.txt
 
Robert_Rayworth (Author) commented:
Any ideas, anyone?
 
MikeKane commented:
You can't just paste it in. You need to negate the command on the ASA with a 'no' in front of it. If you SHOW RUN now, those lines are probably still there.
 
Robert_Rayworth (Author) commented:
Thanks ever so much, I will have a look tonight and let you know.
 
MikeKane commented:
OK. After you negate the commands, do a SHOW RUN and verify that the config is, in fact, removed. Then retest and see what you get.
 
Robert_Rayworth (Author) commented:
I did a show run and you are right, these lines were still in the config.
I tried to negate them as you suggested, but the command doesn't seem to work.

This was the output:

User Access Verification

Username: admin
Password: ********
Type help or '?' for a list of available commands.
ASA5505> enable
Password: ****
ASA5505# conf t
ASA5505(config)# no split-tunnel-policy tunnelspecified
                     ^
ERROR: % Invalid input detected at '^' marker.
ASA5505(config)#

Connection to host lost.

c:\>
 
MikeKane commented:
I'm sorry, I should have made it clearer. You need to be in the group-policy section to negate those commands.

For example:

enable
config t
group-policy rayworthvpn attributes  <---  this gets you 'into' that policy
no split-tunnel-policy tunnelspecified

end
 
Robert_Rayworth (Author) commented:
OK, I ran both the commands like you mentioned above, but I am now no longer able to browse the internet when on the VPN.
Do I need to add any more to the config? Do I need to make any changes to my DNS settings?
My AD and DNS server is called WINSERVER01.domain.local, which all works fine internally.

User Access Verification

Username: admin
Password: ********
Type help or '?' for a list of available commands.
ASA5505> enable
Password: ****
ASA5505#
ASA5505#
ASA5505# config t
ASA5505(config)# group-policy rayworthvpn attributes
ASA5505(config-group-policy)# no split-tunnel-policy tunnelspecified
ASA5505(config-group-policy)# no split-tunnel-network-list value split-tunnel
ASA5505(config-group-policy)# end
ASA5505#

Connection to host lost.

c:\>

And this is the current show run:

User Access Verification

Username: admin
Password: ********
Type help or '?' for a list of available commands.
ASA5505> enable
Password: ****
ASA5505# show run
: Saved
:
ASA Version 8.3(1)
!
hostname ASA5505
domain-name domain.local
enable password VOwq8/1m32vK4uiI encrypted
passwd A5XOy94YKDPXCo7U encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.254 255.255.255.0
!
interface Vlan2
 mac-address 0024.813b.b0eb
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 194.168.4.100
 name-server 194.168.8.100
 domain-name domain.local
same-security-traffic permit inter-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network internal_lan
 subnet 172.16.1.0 255.255.255.0
object network AXIS
 host 172.16.1.101
object network Vuze
 host 172.16.1.11
object network AXIS-Camera
 host 172.16.1.101
object network Workstation-1
 host 172.16.1.11
object network NETWORK_OBJ_192.168.1.48_28
 subnet 192.168.1.48 255.255.255.240
object network NETWORK_OBJ_172.16.1.48_28
 subnet 172.16.1.48 255.255.255.240
object network NETWORK_OBJ_172.16.1.0_26
 subnet 172.16.1.0 255.255.255.192
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq 42270
 service-object udp destination eq 42271
object-group service 42270 tcp
 port-object eq 42270
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any object AXIS-Camera eq www
access-list outside_in extended permit object-group DM_INLINE_SERVICE_1 any object Workstation-1
access-list split-tunnel standard permit 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.16.1.50-172.16.1.60 mask 255.255.255.0
ip local pool vpndhcp 172.16.1.30-172.16.1.40 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.48_28 NETWORK_OBJ_192.168.1.48_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.1.0_26 NETWORK_OBJ_172.16.1.0_26
!
object network internal_lan
 nat (inside,outside) dynamic interface
object network AXIS
 nat (inside,outside) static interface service tcp www www
object network Vuze
 nat (inside,outside) static interface service tcp 42270 42270
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 5
ssh 100.100.100.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 172.16.1.10-172.16.1.40 inside
dhcpd dns 194.168.4.100 interface inside
dhcpd wins 194.168.8.100 interface inside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy rayworthvpn internal
group-policy rayworthvpn attributes
 dns-server value 172.16.1.1
 vpn-tunnel-protocol IPSec
 password-storage enable
 default-domain value domain.local
 split-dns value domain.local
username admin password PszPtwkjAGVnHxyQ encrypted privilege 15
username user1 password A5XOy94YKDPXCo7U encrypted privilege 15
tunnel-group rayworthvpn type remote-access
tunnel-group rayworthvpn general-attributes
 address-pool vpndhcp
 default-group-policy rayworthvpn
tunnel-group rayworthvpn ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3dcce764c976ad4b7c6e75c30ed266a0
: end
ASA5505#

 
MikeKane commented:
>>My AD and DNS server is called WINSERVER01.domain.local which all works fine internally
I take it this is your DNS, correct?
group-policy rayworthvpn attributes
 dns-server value 172.16.1.1


To verify it is working, just have any VPN client run an NSLOOKUP and enter any FQDN (e.g. www.google.com); they should get a response from 172.16.1.1.

I think you are just missing an outbound NAT for the VPN local pool. This can be verified with a SHOW LOG on the ASA after a VPN client tries to get outbound.

You already have one for the internal LAN here:
object network internal_lan
 nat (inside,outside) dynamic interface


So you just need to add one for the VPN's local pool range which comes in from the outside.    This is the newer post 8.3 code format, so I think it would be:
object network internal_lan
 nat (outside,outside) dynamic interface


In the pre 8.3 code I would have just added the vpn local pool to the global nat, I think we need to add that item coming from the outside....
 
Robert_Rayworth (Author) commented:
DNS was all good. The only issue I had was I needed to run two more commands to allow traffic back out the same interface it was coming in on.
A quick search of Google and I found them.
Thanks very much for all your time and assistance.
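As an added example (not from the thread, and not Cisco's own documentation), here is the full set of changes the last two posts add up to, written against the 8.3(1) config Robert posted: the vpndhcp pool 172.16.1.30-172.16.1.40, the rayworthvpn group policy with the split-tunnel lines already negated, and an outside interface addressed by DHCP. The object name VPN_POOL is an assumption chosen here. It differs from Mike's sketch in one respect: the pool gets its own network object rather than reusing internal_lan, because a network object carries only one nat statement and internal_lan already spends its on inside-to-outside PAT. The two commands Robert says he still needed are the ones that let the ASA turn traffic around on the outside interface: same-security-traffic permit intra-interface (the posted config only permits inter-interface) and a dynamic PAT rule for the pool with outside as both the real and the mapped interface.

```cisco
! Added example, not part of the original thread. VPN_POOL is a name chosen here.
! Assumes the posted ASA 8.3(1) running config: pool vpndhcp 172.16.1.30-172.16.1.40,
! group-policy rayworthvpn, outside interface "ip address dhcp setroute".
conf t
!
! 1. Allow a packet that arrived on outside (decrypted from the VPN client) to be
!    sent back out of outside. The posted config only has "permit inter-interface",
!    which covers inside<->other interfaces, not outside->outside hairpinning.
same-security-traffic permit intra-interface
!
! 2. PAT the VPN pool behind the outside interface address on the way out.
!    "range" is used because .30-.40 is not a subnet boundary. Auto (object) NAT
!    from outside to outside; the existing internal_lan rule is (inside,outside)
!    and never matches traffic that entered on outside.
object network VPN_POOL
 range 172.16.1.30 172.16.1.40
 nat (outside,outside) dynamic interface
!
! 3. Full tunnel: keep the split-tunnel lines out, keep the internal DNS server.
!    split-dns only has meaning with a split tunnel; removing it is optional.
group-policy rayworthvpn attributes
 no split-tunnel-policy tunnelspecified
 no split-tunnel-network-list value split-tunnel
 no split-dns value domain.local
 dns-server value 172.16.1.1
 default-domain value domain.local
end
!
! Verify while a client is connected and browsing.
show vpn-sessiondb remote
show nat
show xlate
write memory
```

In the show nat output the VPN_POOL rule should show translate_hits climbing while a client browses; if it stays at zero, the traffic is not reaching the NAT stage and show logging will say why (typically the intra-interface permit is missing). Three caveats are visible in the posted config. First, dhcpd address 172.16.1.10-172.16.1.40 inside overlaps the vpndhcp pool, so the same address can be handed to a LAN host and a VPN client at once; Cisco's usual advice is to put the VPN pool in a subnet that is not the LAN's. Second, with every client query now sent to 172.16.1.1, that DNS server must be able to resolve public names itself (forwarders or root hints), otherwise browsing fails for a reason that has nothing to do with NAT. Third, a full tunnel carries all of the client's traffic, and the transform-set list and ISAKMP policy in the posted config still offer DES, 3DES and MD5; trimming them to AES/SHA is worth doing at the same time.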
