Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1789
  • Last Modified:

split tunnel setup on asa 8.4 with asdm 6.4

we have anyconnect set up and working, except for split tunneling.

in the ASDM 6.4 I went to : remote access VPN > network (Client) access > group policies >  GroupPolicy_anyconnect_vpn > edit > advanced > split tunneling > then unchecked "inherit" on network list and have selected an ACL called "SPLIT-TUNNEL"

the ACL is pasted below from the CLI, these are all of our internal networks, everything is static routed and on the same vlan

SG-ASA-1# sho access-list SPLIT-TUNNEL
access-list SPLIT-TUNNEL; 10 elements; name hash: 0x25b1daf1
access-list SPLIT-TUNNEL line 1 extended permit ip 192.168.100.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0xe3a9484b
access-list SPLIT-TUNNEL line 2 extended permit ip 192.168.105.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0x377afd96
access-list SPLIT-TUNNEL line 3 extended permit ip 192.168.110.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0x0b4d6f9c
access-list SPLIT-TUNNEL line 4 extended permit ip 192.168.120.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0x7a6cc93f
access-list SPLIT-TUNNEL line 5 extended permit ip 192.168.130.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0xe228bdad
access-list SPLIT-TUNNEL line 6 extended permit ip 192.168.140.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0x317f80c8
access-list SPLIT-TUNNEL line 7 extended permit ip 192.168.150.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0xe4c276b0
access-list SPLIT-TUNNEL line 8 extended permit ip 192.168.160.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0x0c2dd3ab
access-list SPLIT-TUNNEL line 9 extended permit ip 192.168.170.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0x00a4d4e3
access-list SPLIT-TUNNEL line 10 extended permit ip 192.168.180.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0xfb381008
SG-ASA-1#


after that setting in the ASDM group policy, we tested unsuccessfully yesterday morning. They can connect and ping any of those inside networks but no internet. The asa log showed the following when a vpn client tried to ping yahoo.com

6      Aug 14 2012      07:51:04            64.60.xxx.xxx      4397      206.169.203.226      1433      Routing failed to locate next hop for TCP from inside:64.60.xxx.xxx/4397 to outside:206.169.203.226/1433

we can ping the inside network no problem after connecting to VPN from the outside.

64.60.xxx.xxx is our public IP that is on the outside interface which is the IP we use for vpn.ourdomain.com

thanks in advance for any help
0
WAMSINC
Asked:
WAMSINC
  • 2
1 Solution
 
asavenerCommented:
Split tunnel ACLs should be standard access lists.

access-list SPLIT-TUNNEL line 1 standard permit ip 192.168.100.0 255.255.255.0

etc.
0
 
WAMSINCAuthor Commented:
thank you for the reply, I will test this weekend and get back to you
0
 
WAMSINCAuthor Commented:
in the asdm I went to the split tunnel section of the anyconnect policy, and created a new standard ACL as you suggested, and that did the trick, thanks!
0

Featured Post

Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now