WAMSINC asked:
Split tunnel setup on ASA 8.4 with ASDM 6.4
We have AnyConnect set up and working, except for split tunneling.
In ASDM 6.4 I went to: Remote Access VPN > Network (Client) Access > Group Policies > GroupPolicy_anyconnect_vpn > Edit > Advanced > Split Tunneling, then unchecked "Inherit" on Network List and selected an ACL called "SPLIT-TUNNEL".
The ACL is pasted below from the CLI; these are all of our internal networks, everything is statically routed and on the same VLAN.
SG-ASA-1# sho access-list SPLIT-TUNNEL
access-list SPLIT-TUNNEL; 10 elements; name hash: 0x25b1daf1
access-list SPLIT-TUNNEL line 1 extended permit ip 192.168.100.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0xe3a9484b
access-list SPLIT-TUNNEL line 2 extended permit ip 192.168.105.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0x377afd96
access-list SPLIT-TUNNEL line 3 extended permit ip 192.168.110.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0x0b4d6f9c
access-list SPLIT-TUNNEL line 4 extended permit ip 192.168.120.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0x7a6cc93f
access-list SPLIT-TUNNEL line 5 extended permit ip 192.168.130.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0xe228bdad
access-list SPLIT-TUNNEL line 6 extended permit ip 192.168.140.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0x317f80c8
access-list SPLIT-TUNNEL line 7 extended permit ip 192.168.150.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0xe4c276b0
access-list SPLIT-TUNNEL line 8 extended permit ip 192.168.160.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0x0c2dd3ab
access-list SPLIT-TUNNEL line 9 extended permit ip 192.168.170.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0x00a4d4e3
access-list SPLIT-TUNNEL line 10 extended permit ip 192.168.180.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0xfb381008
SG-ASA-1#
After that setting in the ASDM group policy, we tested unsuccessfully yesterday morning. They can connect and ping any of those inside networks but get no internet. The ASA log showed the following when a VPN client tried to ping yahoo.com:
6 Aug 14 2012 07:51:04 64.60.xxx.xxx 4397 206.169.203.226 1433 Routing failed to locate next hop for TCP from inside:64.60.xxx.xxx/4397 to outside:206.169.203.226/1433
We can ping the inside network with no problem after connecting to the VPN from the outside.
64.60.xxx.xxx is our public IP on the outside interface, which is the IP we use for vpn.ourdomain.com.
Thanks in advance for any help.
ASKER CERTIFIED SOLUTION
ASKER
In ASDM I went to the split tunnel section of the AnyConnect policy and created a new standard ACL as you suggested, and that did the trick. Thanks!
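As an added illustration (not code from the thread or from Cisco), the script below does at the CLI what the asker describes doing in ASDM: it parses the `show access-list` output quoted in the question, keeps only the source networks (the destination in those extended ACEs is the VPN pool, which a split-tunnel list does not carry), and emits a standard ACL plus the group-policy attributes that apply it. The ACL name SPLIT-TUNNEL-STD is an assumption; the group-policy name is the one from the question.

```python
import re
from typing import List, Tuple

# Constructed sample: the first three lines of the asker's "show access-list"
# output, in the same format as the full listing in the question.
SHOW_ACL_OUTPUT = """\
SG-ASA-1# sho access-list SPLIT-TUNNEL
access-list SPLIT-TUNNEL; 10 elements; name hash: 0x25b1daf1
access-list SPLIT-TUNNEL line 1 extended permit ip 192.168.100.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0xe3a9484b
access-list SPLIT-TUNNEL line 2 extended permit ip 192.168.105.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0x377afd96
access-list SPLIT-TUNNEL line 3 extended permit ip 192.168.110.0 255.255.255.0 192.168.22.96 255.255.255.224 (hitcnt=0) 0x0b4d6f9c
SG-ASA-1#
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# One extended ACE as printed by "show access-list": src net/mask, dst net/mask.
ACE_RE = re.compile(
    rf"^access-list (?P<name>\S+) line \d+ extended permit ip "
    rf"(?P<src>{IP}) (?P<smask>{IP}) (?P<dst>{IP}) (?P<dmask>{IP})"
)


def parse_extended_aces(show_output: str) -> List[Tuple[str, str]]:
    """Return the (network, mask) pairs of the internal networks named as the
    source of each extended ACE. Duplicates are dropped; order is preserved."""
    nets: List[Tuple[str, str]] = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # prompt, summary line, or an ACE in another form
        net = (m.group("src"), m.group("smask"))
        if net not in nets:
            nets.append(net)
    return nets


def standard_split_tunnel_config(show_output: str,
                                 acl_name: str = "SPLIT-TUNNEL-STD",
                                 group_policy: str = "GroupPolicy_anyconnect_vpn") -> List[str]:
    """CLI equivalent of the ASDM fix: a standard ACL listing only the networks
    that should go through the tunnel (everything else exits locally), applied
    to the group policy with split-tunnel-policy tunnelspecified."""
    cmds = [f"access-list {acl_name} standard permit {net} {mask}"
            for net, mask in parse_extended_aces(show_output)]
    cmds += [
        f"group-policy {group_policy} attributes",
        " split-tunnel-policy tunnelspecified",
        f" split-tunnel-network-list value {acl_name}",
    ]
    return cmds


if __name__ == "__main__":
    print("\n".join(standard_split_tunnel_config(SHOW_ACL_OUTPUT)))
```

Paste the generated lines into configuration mode on the ASA; a standard ACL has no destination, which is why the extended SPLIT-TUNNEL list above was not usable as a network list.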