troubleshooting Question

Cisco ASA5505 AnyConnect with Split tunnel not working

Avatar of Adi Nuff
Adi Nuff asked on
VPNNetwork Security
5 Comments1 Solution3112 ViewsLast Modified:
Hi,  I am unable to get the Split Tunnel functioanlitty to work with the ASA 5505 and the Any Connect VPN.   The client can connect fine, they can ping and access file shares through the tunnel but cannot browse the internet even though the split tunnel has been configured.  Please help, config is below, this not in prduction as yet and just in test phase.


ASA Version 8.4(3)
!
hostname ciscoasa
enable password t6ztMZU.rr3gsD1B encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.141 255.255.255.248
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.200.0_24
 subnet 192.168.200.0 255.255.255.0
object network NETWORK_OBJ_192.168.200.16_28
 subnet 192.168.200.16 255.255.255.240
access-list vpn remark lan
access-list vpn standard permit 192.168.200.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool pips-pool 192.168.200.20-192.168.200.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_192.168.200.16_28 NETWORK_OBJ_192.168.200.16_28 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 1.1.1.137 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server pips-ldap protocol ldap
aaa-server pips-ldap (inside) host 192.168.200.1
 timeout 5
 ldap-base-dn dc=pips,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn support
 server-type microsoft
http server enable
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_AnyConnect-vpn internal
group-policy GroupPolicy_AnyConnect-vpn attributes
 wins-server none
 dns-server value 192.168.200.1
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 split-tunnel-network-list value vpn
 default-domain value pips.local
tunnel-group AnyConnect-vpn type remote-access
tunnel-group AnyConnect-vpn general-attributes
 address-pool pips-pool
 authentication-server-group pips-ldap
 default-group-policy GroupPolicy_AnyConnect-vpn
tunnel-group AnyConnect-vpn webvpn-attributes
 group-alias AnyConnect-vpn enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:eb367265e327e03e13e434348dba4145
ASKER CERTIFIED SOLUTION
Join our community to see this answer!
Unlock 1 Answer and 5 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 5 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros