Cisco ASA 5520 Remote Access VPN - Windows 7 VPN Client - VPN established but doesn't work with split tunnel enabled
Posted on 2014-10-08
I have configured our ASA 5520 (v8.4.1) to act as a VPN terminator using L2TP/IPSec with clients using the standard Windows 7 VPN client app.
I've set up what I think are the correct NAT rules, PAT'd the RA-VPN pool object to the external network and enabled hairpinning on the ASA. Everything works as expected when the Windows VPN client is set to open a Full tunnel - the tunnel is successfully established and I can access resources within the network behind the ASA. Also, when I browse the internet on the remote client - the traffic is routed through the ASA and appears to the world as if it originated from behind the ASA.
Things stop working however when I set the Windows VPN client to set up a split tunnel (by unchecking the "Use default gateway on remote network" setting of the VPN profile's network settings). When I do this, I CAN still establish the VPN tunnel - it gets the correct IP address, and when I browse the internet on this computer, it accesses the web using its local internet connection (which is OK as this is what I expect with a split tunnel). HOWEVER, it can no longer access any resources behind the ASA - it doesn't seem to want to route any "internal VPN" traffic down the tunnel.
I have configured the following on the ASA:
In the DefaultRAGroupPolicy, I have set the split tunnel policy to "Tunnel Network List Below" and then selected an access list I created that contains the subnet of the internal network (i.e. the network behind ASA). I have also enabled the "Intercept DHCP" setting for MS VPN clients.
access-list Split_Tunnel_List standard permit x.x.x.x 255.255.255.0 (sanitised the IP)
group-policy DefaultRAGroup attributes
split-tunnel-network-list value Split_Tunnel_List
Any help that anyone could give would be most appreciated.
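For reference, this is what the settings described above (split tunnel policy "Tunnel Network List Below", the network list, and "Intercept DHCP") look like in the ASA CLI when viewed with show running-config, as an added illustration and not config taken from the poster's ASA; the subnet, the intercept-dhcp mask and the object names are assumed placeholders.

```cisco
! Added example: CLI form of the group-policy settings the post describes.
! Verify with: show running-config group-policy DefaultRAGroup
!
! Standard ACL naming the internal subnet that should go down the tunnel
! (192.0.2.0/24 is a placeholder for the sanitised x.x.x.x network).
access-list Split_Tunnel_List standard permit 192.0.2.0 255.255.255.0

group-policy DefaultRAGroup attributes
 ! "Tunnel Network List Below" in ASDM is tunnelspecified in the CLI;
 ! without this line the network list is set but the policy stays tunnelall.
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 ! "Intercept DHCP" for MS clients; the mask value here is an assumption.
 intercept-dhcp 255.255.255.0 enable
```

Comparing the output of show running-config group-policy DefaultRAGroup against these lines confirms whether the ASDM selections were actually written to the running configuration.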