Solved

Cisco ASA 5520 Remote Access VPN - Windows 7 VPN Client - VPN established but doesn't work with split tunnel enabled

Posted on 2014-10-08
2
774 Views
Last Modified: 2014-10-12
Hi,

I have configured our ASA 5520 (v8.4.1) to act as a VPN terminator using L2TP/IPsec with clients using the standard Windows 7 VPN client app.

I've set up what I think are the correct NAT rules, PAT'd the RA-VPN pool object to the external network and enabled hairpinning on the ASA. Everything works as expected when the Windows VPN client is set to open a full tunnel - the tunnel is successfully established and I can access resources within the network behind the ASA. Also, when I browse the internet on the remote client, the traffic is routed through the ASA and appears to the world as if it originated from behind the ASA.

Things stop working, however, when I set the Windows VPN client to set up a split tunnel (by unchecking the "Use default gateway on remote network" setting of the VPN profile's network settings). When I do this, I CAN still establish the VPN tunnel - it gets the correct IP address, and when I browse the internet on this computer, it accesses the web using its local internet connection (which is OK, as this is what I expect with a split tunnel). HOWEVER, it can no longer access any resources behind the ASA - it doesn't seem to want to route any "internal VPN" traffic down the tunnel.

I have configured the following on the ASA:

In the DefaultRAGroupPolicy, I have set the split tunnel policy to "Tunnel Network List Below" and then selected an access list I created that contains the subnet of the internal network (i.e. the network behind ASA). I have also enabled the "Intercept DHCP" setting for MS VPN clients.

access-list Split_Tunnel_List standard permit x.x.x.x 255.255.255.0 (sanitised the IP)

group-policy DefaultRAGroup attributes
...
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 intercept-dhcp enable
...

Any help that anyone could give would be most appreciated

Regards
0
Question by:irc-corp
2 Comments
 

Author Comment

by:irc-corp
ID: 40368912
An update...

When I open up a VPN connection with my iPhone using the Cisco VPN client built into iOS (v8.0.2), it works exactly as I expect it to - it can open up the VPN connection successfully and can access internal resources behind the ASA. Also, when I browse the internet, it doesn't route the traffic down the VPN tunnel, but just uses the local Wi-Fi connection that the iPhone is connected to.
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 40369572
If you route add the network behind the ASA, can you talk to it?

See point 3: http://www.petenetlive.com/KB/Article/0000997.htm
0
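The accepted answer points at the client-side route. The built-in Windows L2TP/IPsec client does not act on the split-tunnel-network-list the ASA pushes (that list is honoured by the Cisco/AnyConnect clients, which is why the iPhone works); with "Use default gateway on remote network" unchecked, Windows only installs a class-based route for the VPN pool, so the subnet behind the ASA has to be routed into the tunnel by hand. The script below is an added example, not code from the thread or from Pete Long's article: it runs on Windows 7 after the VPN profile has connected, reads the address the ASA assigned to the PPP adapter from ipconfig, and adds a route for the internal subnet with that address as the gateway (the usual way to steer traffic into a point-to-point interface). The connection name "CorpVPN", the subnet 192.168.100.0/24 (standing in for the sanitised x.x.x.x from the question) and an English-language ipconfig are all assumptions.

```powershell
# Added example, not part of the original thread. Run from an elevated
# PowerShell prompt on Windows 7 once the L2TP/IPsec connection is up.
# Assumed/hypothetical values: connection name, internal subnet, English ipconfig output.
param(
    [string]$ConnectionName = 'CorpVPN',        # name of the Windows VPN profile (assumed)
    [string]$InternalNet    = '192.168.100.0',  # placeholder for the sanitised x.x.x.x
    [string]$InternalMask   = '255.255.255.0'   # mask from the Split_Tunnel_List ACL
)

# Find the IPv4 address the ASA handed to the PPP adapter by parsing ipconfig.
# Adapter headers sit in column 0 ("PPP adapter CorpVPN:"); their properties are indented.
function Get-VpnAssignedAddress {
    param([string]$Name)
    $inBlock = $false
    foreach ($line in (ipconfig)) {
        if ($line -match "^PPP adapter $([regex]::Escape($Name)):") { $inBlock = $true; continue }
        if ($inBlock -and $line -match '^\S') { $inBlock = $false }  # reached the next adapter
        if ($inBlock -and $line -match 'IPv4 Address[ .]*: (\d+\.\d+\.\d+\.\d+)') {
            return $Matches[1]
        }
    }
    return $null
}

$vpnIp = Get-VpnAssignedAddress -Name $ConnectionName
if (-not $vpnIp) {
    Write-Error "VPN connection '$ConnectionName' is not up; connect it first."
    exit 1
}

# Route the internal subnet via the tunnel. Using the PPP adapter's own address as
# the gateway binds the route to that interface. Deliberately not -p: the PPP
# interface only exists while the tunnel is up, so re-run this after each connect.
route add $InternalNet mask $InternalMask $vpnIp metric 1
if ($LASTEXITCODE -ne 0) {
    Write-Error 'route add failed (is the prompt elevated?)'
    exit 1
}

# Verify: the new entry should show the PPP address as gateway/interface, and
# only this subnet now goes down the tunnel; everything else still leaves via
# the local Internet connection, matching the tunnelspecified policy on the ASA.
route print | Select-String $InternalNet
```

Keep the subnet and mask in the script identical to the entry in the ASA's Split_Tunnel_List ACL: the ASA only accepts tunnelled traffic for the networks in that list, so a client route that is wider than the ACL will silently black-hole the extra addresses. For a fleet of Windows 7 machines the same route add is normally packaged into a CMAK profile or a post-connect script rather than typed by each user.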
