Solved

Cisco ASA 5520 Remote Access VPN - Windows 7 VPN Client - VPN established but doesn't work with split tunnel enabled

Posted on 2014-10-08
Last Modified: 2014-10-12
Hi,

I have configured our ASA 5520 (v8.4.1) to act as a VPN terminator using L2TP/IPSec with clients using the standard Windows 7 VPN client app.

I've set up what I think are the correct NAT rules, PAT'd the RA-VPN pool object to the external network and enabled hairpinning on the ASA. Everything works as expected when the Windows VPN client is set to open a full tunnel - the tunnel is successfully established and I can access resources within the network behind the ASA. Also, when I browse the internet on the remote client, the traffic is routed through the ASA and appears to the world as if it originated from behind the ASA.

Things stop working, however, when I set the Windows VPN client to set up a split tunnel (by unchecking the "Use default gateway on remote network" setting in the VPN profile's network settings). When I do this, I CAN still establish the VPN tunnel - it gets the correct IP address, and when I browse the internet on this computer, it accesses the web using its local internet connection (which is OK, as this is what I expect with a split tunnel). HOWEVER, it can no longer access any resources behind the ASA - it doesn't seem to want to route any "internal VPN" traffic down the tunnel.

I have configured the following on the ASA:

In the DefaultRAGroupPolicy, I have set the split tunnel policy to "Tunnel Network List Below" and then selected an access list I created that contains the subnet of the internal network (i.e. the network behind ASA). I have also enabled the "Intercept DHCP" setting for MS VPN clients.

access-list Split_Tunnel_List standard permit x.x.x.x 255.255.255.0 (sanitised the IP)

group-policy DefaultRAGroup attributes
...
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 intercept-dhcp enable
...

Any help that anyone could give would be most appreciated.

Regards
Question by:irc-corp
2 Comments

Author Comment

by:irc-corp
ID: 40368912
An update...

When I open up a VPN connection with my iPhone using the Cisco VPN client built into iOS (v8.0.2), it works exactly as I expect it to - it can open up the VPN connection successfully and can access internal resources behind the ASA. Also, when I browse the internet, it doesn't route the traffic down the VPN tunnel, but just uses the local Wi-Fi connection that the iPhone is connected to.

Accepted Solution

by: Pete Long (earned 500 total points)
ID: 40369572
If you route add the network behind the ASA, can you talk to it?

See point 3: http://www.petenetlive.com/KB/Article/0000997.htm
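The check Pete Long suggests, written out as an added example (not from the thread or the linked article): bring the Windows 7 built-in L2TP/IPsec connection up and add a route for the internal network on the VPN interface, then verify it. The connection name "ASA-RA-VPN", the internal network 10.10.10.0/24 and the test host 10.10.10.5 are placeholders standing in for the sanitised x.x.x.x/24 in the question.

```powershell
# Added example: manual split-tunnel route for the Windows 7 built-in VPN client.
# Placeholders (not from the thread): connection name, internal prefix, test host.
$ConnName    = 'ASA-RA-VPN'
$InternalNet = '10.10.10.0/24'
$TestHost    = '10.10.10.5'

# Bring the L2TP/IPsec tunnel up (prompts for credentials unless saved in the profile).
rasdial $ConnName
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }

# With "Use default gateway on remote network" unticked, the Windows client does not
# receive the ASA's split-tunnel-network-list; it only installs a route for the
# classful network of the address it was assigned. Anything else behind the ASA needs
# an explicit route bound to the VPN interface. store=active keeps it non-persistent,
# so it disappears with the connection instead of lingering in the routing table.
netsh interface ipv4 add route prefix=$InternalNet interface="$ConnName" store=active

# Verify: the prefix should now be listed against the VPN interface, and a host
# behind the ASA should answer over the tunnel.
netsh interface ipv4 show route | Select-String -Pattern ([regex]::Escape($InternalNet))
Test-Connection -ComputerName $TestHost -Count 2
```

If the host answers once the route is present, the ASA side (NAT, hairpinning, the split-tunnel ACL) is fine and the gap is purely client-side routing.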
