?
Solved

Cisco ASA 5520 Remote Access VPN - Windows 7 VPN Client - VPN established but doesn't work with split tunnel enabled

Posted on 2014-10-08
2
Medium Priority
?
788 Views
Last Modified: 2014-10-12
Hi,

I have configured our ASA 5520 (v8.4.1) to act as a VPN terminator using L2TP/IPSec with clients using the standard Windows 7 VPN client app.

I've setup what I think are the correct NAT rules, PAT'd the RA-VPN pool object to the external network and enabled hairpinning on the ASA. Everything works as expected when the Windows VPN client is set to open a Full tunnel - the tunnel is successfully established and I can access resources within the network behind the ASA. Also, when I browse the internet on the remote client - the traffic is routed through the ASA and appears to the world as if it originated from behind the ASA.

Things stop working however when I set the Windows VPN client to set up a split tunnel (by unchecking the "Use default gateway on remote network" setting of the VPN profile's network settings. When I do this, I CAN still establish the VPN tunnel - it gets the correct IP address, and when I browse the internet on this computer, it accesses the web using it's local internet connection (which is OK as this is what I expect with a split tunnel). HOWEVER, it can no longer access any resources behind the ASA - it doesn't seem to want to route any "internal VPN" traffic down the tunnel

I have configured the following on the ASA:

In the DefaultRAGroupPolicy, I have set the split tunnel policy to "Tunnel Network List Below" and then selected an access list I created that contains the subnet of the internal network (i.e. the network behind ASA). I have also enabled the "Intercept DHCP" setting for MS VPN clients.

access-list Split_Tunnel_List standard permit x.x.x.x 255.255.255.0 (sanitised the IP)

group-policy DefaultRAGroup attributes
...
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 intercept-dhcp enable
...

Any help that anyone could give would be most appreciated

Regards
0
Comment
Question by:irc-corp
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 

Author Comment

by:irc-corp
ID: 40368912
An update...

When I open up a VPN connection with my iPhone using the Cisco VPN client built into iOS (v8.0.2), it works exactly as I expect it to - it can open up the VPN connection successfully and can access internal resources behind the ASA. Also, when I browse the internet, it doesn't route the traffic down the VPN tunnel, but just uses the local WIFI connection that the iPhone is connected to.
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 2000 total points
ID: 40369572
if you route add the network behind the ASA can you talk to it?

see point 3 http://www.petenetlive.com/KB/Article/0000997.htm
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question