Solved

Can a Cisco ASA Site-to-site VPN configuration use split-tunneling ?

Posted on 2016-09-25
Last Modified: 2016-10-11
Hi all -

I have a pair of Cisco ASA 5505s at two different physical locations and I'd like to set up a site-to-site VPN between them. I am not knowledgeable with CLI but I know my way around ASDM fairly well. When I use the IPSec VPN Wizard in ASDM, I can easily get the two sites talking to each other through the VPN tunnel. But, when I do so the users at each end lose their Internet access.

I am almost certain this is some kind of NAT issue. My best guess based on my own knowledge and some searching is that traffic coming from the inside interface intended for the Internet is not being NAT'ed to the outside interface. If this were a remote user VPN with client software, I could set up split-tunneling. But, I'm not sure if that option exists for site-to-site VPNs.

Is there a way I can get around this problem and still use ASDM to configure my tunnel?

Any help would be greatly appreciated.  Thanks.
Question by:chris-ce
8 Comments
LVL 19

Expert Comment

by:Patricksr1972
ID: 41815381
Hi,

Not sure if NATTING is the problem. Sounds more like a forgotten ACL, connection profile or policy.
Have a look at this link which is troubleshooting your issue picture by picture.

Cheers
LVL 17

Expert Comment

by:lruiz52
ID: 41815399
Can you post your sanitized configs? You may be missing something; check your crypto maps.

Author Comment

by:chris-ce
ID: 41815972
OK, I will take a look at the link provided by Patricksr1972 and, when I begin working on this again later today, I'll see if I can get the configuration as per lruiz52. I'm not really comfortable in the CLI . . . would sh config be the correct command to get what you suggested?

Thanks.
LVL 19

Expert Comment

by:Patricksr1972
ID: 41815988
sh run would do the trick.
LVL 13

Expert Comment

by:SIM50
ID: 41816066
When you configure a site-to-site VPN, you specify the networks between which the traffic should be encrypted. This is called interesting traffic. It's very similar to the functionality of a split-tunnel config.

I believe the problem is not with NAT but with your ACLs for interesting traffic. Don't use keyword "any" in them, be specific. For example, if your local network is 192.168.1.0/24 and remote is 192.168.2.0/24, your ACL should look like this:
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Author Comment

by:chris-ce
ID: 41817054
Sorry it took so long. Here is the running configuration from one of the ASA 5505s:

: Saved
:
ASA Version 8.2(5)
!
hostname lazboyasa
enable password 8hTuyGMy7T3EgFE/ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 70.89.65.185 255.255.255.0
!
boot system disk0:/asa824-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 any
access-list capout extended permit udp host 24.144.6.166 host 70.89.65.185 eq isakmp
access-list capout extended permit udp host 70.89.65.185 eq isakmp host 24.144.6.166
access-list outside_access_in extended permit tcp any interface outside eq telnet
access-list outside_2_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface telnet 192.168.2.200 telnet netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.89.65.190 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 24.144.6.166
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 184.185.213.135
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer 108.58.161.138
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.2.50-192.168.2.99 inside
dhcpd dns 4.2.2.1 68.87.74.162 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy lazboyLR internal
group-policy lazboyLR attributes
 vpn-idle-timeout none
 vpn-session-timeout none
username admin password SVK6WmtHMumVI2iT encrypted privilege 15
tunnel-group 24.144.6.166 type ipsec-l2l
tunnel-group 24.144.6.166 ipsec-attributes
 pre-shared-key *****
tunnel-group 184.185.213.135 type ipsec-l2l
tunnel-group 184.185.213.135 ipsec-attributes
 pre-shared-key *****
tunnel-group 108.58.161.138 type ipsec-l2l
tunnel-group 108.58.161.138 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:17303bda9a0834d211ca7600eb49bb80
: end
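As an added example (not part of the thread and not Cisco's code), here is a small Python model of how ASA 8.2 orders the NAT statements in the posted config: NAT exemption (nat 0 access-list inside_nat0_outbound) is matched before dynamic NAT/PAT (nat (inside) 1 with global (outside) 1 interface). The sample flows are constructed; the networks, the "any" entry and the outside address are taken from the config above.

```python
import ipaddress

# NAT exemption entries transcribed from the posted config, in order.
# Each is (source network, destination network); "0.0.0.0/0" is the "any" keyword.
NAT0_EXEMPT = [
    ("192.168.2.0/24", "192.168.1.0/24"),
    ("192.168.2.0/24", "192.168.3.0/24"),
    ("192.168.2.0/24", "0.0.0.0/0"),   # inside_nat0_outbound ... any
]
# nat (inside) 1 0.0.0.0 0.0.0.0  -> dynamic PAT to the outside interface
NAT1_DYNAMIC = ["0.0.0.0/0"]
OUTSIDE_IF = "70.89.65.185"           # global (outside) 1 interface


def classify(src, dst, exempt=NAT0_EXEMPT, dynamic=NAT1_DYNAMIC):
    """Return (action, source address seen on the outside) for an inside->outside flow.

    ASA 8.2 checks NAT exemption first; only flows that miss every exemption
    entry are eligible for the nat 1 / global 1 dynamic PAT.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for esrc, edst in exempt:
        if s in ipaddress.ip_network(esrc) and d in ipaddress.ip_network(edst):
            return ("exempt", src)        # leaves with its private source address
    for dsrc in dynamic:
        if s in ipaddress.ip_network(dsrc):
            return ("pat", OUTSIDE_IF)    # translated to the outside interface
    return ("untranslated", src)


def without_any_entry(exempt=NAT0_EXEMPT):
    """The same exemption list with the catch-all 'any' destination removed."""
    return [e for e in exempt if e[1] != "0.0.0.0/0"]


if __name__ == "__main__":
    # Constructed sample flows: one to the remote VPN subnet, one to the Internet.
    for dst in ("192.168.1.10", "203.0.113.10"):
        print(dst, classify("192.168.2.50", dst),
              classify("192.168.2.50", dst, exempt=without_any_entry()))
```

Internet-bound traffic from 192.168.2.0/24 hits the "any" exemption entry and is never PATed, regardless of how the nat 1 statement is scoped; with that entry removed, only the VPN subnets stay exempt and Internet flows are translated to the outside address.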
LVL 15

Accepted Solution

by:max_the_king (earned 500 total points)
ID: 41817653
Hi,
please try this:

no nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 1 192.168.2.0 255.255.255.0

it should work.

After testing, you may want to do the same thing on the opposite ASA, with its corresponding internal vlan.

Hope this helps,
max

Author Closing Comment

by:chris-ce
ID: 41838801
Sorry for the delay in replying. This issue arose while I was traveling on business and I have just returned.  Thank you for all the excellent suggestions.