Solved

Cisco ASA 5520 Remote Access VPN - Windows 7 VPN Client - VPN established but doesn't work with split tunnel enabled

Posted on 2014-10-08
2
766 Views
Last Modified: 2014-10-12
Hi,

I have configured our ASA 5520 (v8.4.1) to act as a VPN terminator using L2TP/IPSec with clients using the standard Windows 7 VPN client app.

I've setup what I think are the correct NAT rules, PAT'd the RA-VPN pool object to the external network and enabled hairpinning on the ASA. Everything works as expected when the Windows VPN client is set to open a Full tunnel - the tunnel is successfully established and I can access resources within the network behind the ASA. Also, when I browse the internet on the remote client - the traffic is routed through the ASA and appears to the world as if it originated from behind the ASA.

Things stop working however when I set the Windows VPN client to set up a split tunnel (by unchecking the "Use default gateway on remote network" setting of the VPN profile's network settings. When I do this, I CAN still establish the VPN tunnel - it gets the correct IP address, and when I browse the internet on this computer, it accesses the web using it's local internet connection (which is OK as this is what I expect with a split tunnel). HOWEVER, it can no longer access any resources behind the ASA - it doesn't seem to want to route any "internal VPN" traffic down the tunnel

I have configured the following on the ASA:

In the DefaultRAGroupPolicy, I have set the split tunnel policy to "Tunnel Network List Below" and then selected an access list I created that contains the subnet of the internal network (i.e. the network behind ASA). I have also enabled the "Intercept DHCP" setting for MS VPN clients.

access-list Split_Tunnel_List standard permit x.x.x.x 255.255.255.0 (sanitised the IP)

group-policy DefaultRAGroup attributes
...
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 intercept-dhcp enable
...

Any help that anyone could give would be most appreciated

Regards
0
Comment
Question by:irc-corp
2 Comments
 

Author Comment

by:irc-corp
ID: 40368912
An update...

When I open up a VPN connection with my iPhone using the Cisco VPN client built into iOS (v8.0.2), it works exactly as I expect it to - it can open up the VPN connection successfully and can access internal resources behind the ASA. Also, when I browse the internet, it doesn't route the traffic down the VPN tunnel, but just uses the local WIFI connection that the iPhone is connected to.
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 40369572
if you route add the network behind the ASA can you talk to it?

see point 3 http://www.petenetlive.com/KB/Article/0000997.htm
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question