Solved

Cisco ASA 5520 Remote Access VPN - Windows 7 VPN Client - VPN established but doesn't work with split tunnel enabled

Posted on 2014-10-08
2
750 Views
Last Modified: 2014-10-12
Hi,

I have configured our ASA 5520 (v8.4.1) to act as a VPN terminator using L2TP/IPSec with clients using the standard Windows 7 VPN client app.

I've setup what I think are the correct NAT rules, PAT'd the RA-VPN pool object to the external network and enabled hairpinning on the ASA. Everything works as expected when the Windows VPN client is set to open a Full tunnel - the tunnel is successfully established and I can access resources within the network behind the ASA. Also, when I browse the internet on the remote client - the traffic is routed through the ASA and appears to the world as if it originated from behind the ASA.

Things stop working however when I set the Windows VPN client to set up a split tunnel (by unchecking the "Use default gateway on remote network" setting of the VPN profile's network settings. When I do this, I CAN still establish the VPN tunnel - it gets the correct IP address, and when I browse the internet on this computer, it accesses the web using it's local internet connection (which is OK as this is what I expect with a split tunnel). HOWEVER, it can no longer access any resources behind the ASA - it doesn't seem to want to route any "internal VPN" traffic down the tunnel

I have configured the following on the ASA:

In the DefaultRAGroupPolicy, I have set the split tunnel policy to "Tunnel Network List Below" and then selected an access list I created that contains the subnet of the internal network (i.e. the network behind ASA). I have also enabled the "Intercept DHCP" setting for MS VPN clients.

access-list Split_Tunnel_List standard permit x.x.x.x 255.255.255.0 (sanitised the IP)

group-policy DefaultRAGroup attributes
...
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 intercept-dhcp enable
...

Any help that anyone could give would be most appreciated

Regards
0
Comment
Question by:irc-corp
2 Comments
 

Author Comment

by:irc-corp
Comment Utility
An update...

When I open up a VPN connection with my iPhone using the Cisco VPN client built into iOS (v8.0.2), it works exactly as I expect it to - it can open up the VPN connection successfully and can access internal resources behind the ASA. Also, when I browse the internet, it doesn't route the traffic down the VPN tunnel, but just uses the local WIFI connection that the iPhone is connected to.
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
Comment Utility
if you route add the network behind the ASA can you talk to it?

see point 3 http://www.petenetlive.com/KB/Article/0000997.htm
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now