RA VPN on ASA and Split Tunneling

Similar Messages

• IP Phone SSL VPN and Split tunneling

  Hi Team,
  I went throught the following document which is very useful:
  https://supportforums.cisco.com/docs/DOC-9124
  The only things i'm not sure about split-tunneling point:
  Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
  I could see many implementation when they used split-tunneling, like one of my customer:
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  banner value This system is only for Authorized users.
  dns-server value 10.64.10.13 10.64.10.14
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-tunnel
  default-domain value prod.mobily.lan
  address-pools value SSLClientPool
  webvpn
    anyconnect keep-installer installed
    anyconnect ssl rekey time 30
    anyconnect ssl rekey method ssl
    anyconnect ask none default anyconnect
  username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
  username manager-max attributes
  vpn-group-policy GroupPolicy1
  tunnel-group PhoneVPN type remote-access
  tunnel-group PhoneVPN general-attributes
  address-pool SSLClientPool
  authentication-server-group AD
  default-group-policy GroupPolicy1
  tunnel-group PhoneVPN webvpn-attributes
  group-url https://84.23.107.10 enable
  ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
  access-list split-tunnel remark split-tunnel network list
  access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
  It is working for them w/o any issue.
  My question would be
  - is the limitation about split-tunneling still valid? If yes, why it is not recommended?
  Thanks!
  Eva

  Hi,
  If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
  Did this answer your question? If so, please mark it Answered!

• CISCO ASA 5505 Split Tunnel DNS with Site to Site VPN

  I have a working configuration for Site to Site VPN between our head office and a private AWS VPC instance.
  The tunnel is active and I can ping the IP address of the remote network and connect to the remote machines using the IP address, but we need to use the FQDN and not the IP.  We have a DNS server set up in AWS for any DNS queries for the remote domain name.
  My question is whether or not the ASA 5505 supports a DNS split tunnel for Site to Site VPN and how it can be configured.
  I can not find where I can interogate the DNS query to be redirected to the VPN tunnel when our domain name is used in a DNS query.  Thus, any pings I try with the FQDN of our servers in AWS are failing as they are going to the default DNS, which is the internet.
  Can any one point me in the right direction on how to configure this DNS rewrite so that we can access our AWS private cloud using FQDN from our AWS domain rather than an IP address?

  Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface.  Try to be more restrictive than an '...ip any any' rule for outside_in connections.  For instance, this is what I have for incoming VOIP (access list and nat rules):
  access list rule:
  access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
  nat rule:
  nat (inside,outside) source static server interface service voip-range voip-range
  - 'server' is a network object *
  - 'voip-range' is a service group range
  I'd assume you can do something similar here in combination with my earlier comment:
  access-list incoming extended permit tcp any any eq 5900
  Can you explain your forwarding methodology a little more?  I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to.  Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ?

• AnyConnecy VPN and Split-tunnel ACL - Strange...

  Hi,
  I have ACL as follows and applied on AnyConnect VPN group as split-tunel value ACL.
  access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq www
  access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq https
  When I connected with AnyConnect client, I can ping to 192.168.200.63 and also telnet to port 80. However I can not telnet to port 443. Strange thing is I do not see any hits on above ACL, morever I'm wondering how cam the ICMP is working and why it does not stop on this ACL..?
  Phase: 4
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x78e03140, priority=11, domain=permit, deny=true
          hits=113713, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
          input_ifc=outside, output_ifc=any
  When I did the packet-tracer both ICMP and http it just drop on Phase 4..as bellow, I just want to know what this ACL and where its been applied to..?
  What is the correct syntax for packet-tracer command when troubleshooting AnyConnect VPN to check access inside/dmz server..?
  I have used as follows:
  packet-tracer input outside icmp 172.16.1.1 0 8 192.168.200.63 details
  Appreciate if someone can help me out on this..
  thanks

  To start with it is not ideal to configure a port based split tunnel. It is not support and will give you weird results like one you are experiencing. You should use standard access-list for the split tunnel and to restrict the users to the following port use vpn filter.
  As far as packet tracer is concerned for the VPN client if you use the outside interface as source it will never work the reason is the connection between the ASA and the client is of real IP address (Public) and the traffic that you are testing with is a VPN encrypted traffic your ASA's outside interface doesn't know what is 172.16.1.1, he will check it against the outside access-list and will drop it.
  So in your case i would strongly recommed that use standard access-list for the split tunnel and to restrict the user to specific port use vpn filter. Following are the links to configure the same:
  Allow Split Tunnel for Anyconnect:
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
  Configure VPN filter (Its for site to site and remote access but it works the same for Anyconnect):
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
  Thanks
  Jeet Kumar

• Issues with basic VPN setup and split tunneling

  I have created an SSL VPN to a CISCO ASA 8.6 running ASDM 6.6.
  Im able to connect to the VPN and reach all the devices with the LAN but  Im not able to browse the web. When I enable the split tunnel Im able  to browse the web but then Im not able to reach any internal device.
  Here is part of the show run:
  object network RedInterna
  subnet 150.211.101.0 255.255.255.0
  description Red Interna
  object network NETWORK_OBJ_10.4.1.0_28
  subnet 10.4.1.0 255.255.255.240
  access-list inside_access_in extended permit ip object RedInterna any
  access-list VPN_INTERNET standard permit 150.211.101.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu management 1500
  ip local pool VPN_POOL 10.4.1.1-10.4.1.14 mask 255.255.255.240
  failover
  failover lan unit secondary
  failover lan interface fail-1 GigabitEthernet0/2
  failover key *****
  failover interface ip fail-1 10.3.1.21 255.255.255.252 standby 10.3.1.22
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-66114.bin
  asdm history enable
  arp timeout 14400
  nat (inside,outside) source static any any destination static  NETWORK_OBJ_10.4.1.0_28 NETWORK_OBJ_10.4.1.0_28 no-proxy-arp  route-lookup
  nat (inside,outside) after-auto source dynamic any interface
  access-group inside_access_in in interface inside
  route outside 0.0.0.0 0.0.0.0 187.217.68.145 1
  route inside 10.0.0.0 255.0.0.0 10.1.1.78 1
  route inside 150.211.0.0 255.255.0.0 10.1.1.78 1
  webvpn
  enable outside
  anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
  anyconnect enable
  tunnel-group-list enable
  group-policy GroupPolicy_VPN_ internal
  group-policy GroupPolicy_VPN_ attributes
  wins-server none
  dns-server value 8.8.8.8
  vpn-tunnel-protocol ssl-client
  default-domain value dominio.com.mx
  tunnel-group VPN_ type remote-access
  tunnel-group VPN_ general-attributes
  address-pool VPN_POOL
  default-group-policy GroupPolicy_VPN_
  tunnel-group VPN_ webvpn-attributes
  group-alias VPN_ enable
  I´m not sure if Im missing some small details or setup. Any help will be highly appreciated.
  Thanks!!!

  Hi,
  When you are using Full Tunnel VPN (which is the default setting) you will have a couple of things that you need to configure on the ASA.
  First, the ASA by default won't allow traffic to enter through an interface and then leave through that same interface. This is what essentially happens when the traffic from the VPN Client comes to the ASA and then heads out to the Internet.  In your case the traffic comes through the "outside" and leaves through the "outside" interface.
  You will need this command
  same-security-traffic permit intra-interface
  You can check if its enabled at the moment with the command
  show run same-security-traffic
  Second, the VPN users will need to have NAT configuration just like any LAN users behind the actual ASA. So you will essentially have to configure Dynamic PAT for traffic from "outside" to "outside"
  You can accomplish that with the following configuration
  object network VPN-PAT
  subnet 10.4.1.0 255.255.255.240
  nat (outside,outside) dynamic interface
  I would imagine that this should do it for you to be able to connect to the Internet and to the LAN network when the VPN is active.
  Hope this helps
  Let me know how it goes.
  - Jouni

• SonicWall Global VPN Client and Split tunneling

  Hello All,
  I searched Google and the forums here and can't find someone with the same problem.
  Lets start at the beginning-Just started this job a couple months ago and people brought to my attention immediately an issue while they were on the VPN they could not get to the internet.  I know about the different security risks but we have multiple field reps that need internet access while using our CRM program.  So I setup Split Tunneling on the Sonicwall. Tested and works fine on my home PC using a WRT54GS Ver 2.1 and the SonicWall Global VPN Client.
  So I was sure everything was fine until I just sent out 2 laptops to 2 different sales reps and they are both having the same issue.  They can get into the internal network but can't access the internet.  They are both on WRT54G (different Vers.).  I tested the VPN client on both laptops with tethering on my cell phone and the split tunneling works. I have tried updating firmware thinking that was the issue.  I also tried to put their home network on a different subnet.  All with no joy.  I was wondering if anyone ever ran into something like this or have any clues what to try next. 
  -Thank You in advance for your time.
  Message Edited by Chris_F on 01-11-2010 07:41 AM
  Chris F.
  CCENT, CCNA, CCNA Sec

  Of course, you do as you are told. But I hope you keep written record of what you have been told and have it signed of whoever told you to set it up. It's essential that you stay on the safe side in these matters.
  I have read of too many cases where the system/security admin did not do so and in the end was held responsible for security incidents simply because he was told to do something to jeopardize security of the network. Remember, that usually the person who tells you do to so has no idea about the full security implication of a decision.
  Thus, I highly recommend to require your road staff to connect with no split tunneling. Refuse to do otherwise unless you have it in writing and you won't be held reliable in any way if something happens because of it.
  Just think what happens if the whole customer database gets stolen because of one of the remote sales reps... There is a reason why you apply this web site blocking on your firewalls and there is absolutely no reason that would justify why your remote sale reps don't go through the very same firewall while accessing company-sensitive data in your CRM.
  So put that straight with whoever told you to do otherwise and if you they still want to continue anyway get it in writing. Once you ask for the statement in writing many decision-makers come to their senses and let you do your job at the best you can and for what you were hired... And if not, well, at least you got rid of the responsibility in that aspect.

• SSL VPN Full and Split Tunnel Config Question

  I am Beta testing SSLVPN on an IOS router. The question I have is this:
  Is it possiable to have slit and full tunnel configs. It seems that once you create your context and default profile that is all you have either split or full. The books say you can use Radius and assign different profiles but, I would like to give the users a choice (like in the VPN3000 .pcf) of either split or full depending on where they are working from.

  The below is an example using the ASA - but the principle remains the same:-
  http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a0080975e83.shtml
  HTH>

• Cisco 3745, VPN and Split Tunneling

  I tried following the model here: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns27/networking_solutions_white_paper09186a008018914d.shtml
  but after doing so, the situation was actually reversed. While connected to the vpn client you were able to browse the internet but not able to access vpn resources. I undid and redid the configuration several times to rule out keying in problems.
  Can one help with this problem... If needed Ill post necessary configs from my router.. Thanks
  (btw: do these froms have a search?)

  I am having the same problems with pix 501. With split tunnel, I get web but no lan access. Without split tunnel, full lan access, no web. My acl for the splitTunnel is:
  permit ip host 192.168.1.0 any
  Is this wrong?

• S-S VPN between ASA and ASR1001

  Hello
  we have 2 ASR routers at HQ connected to ISP and there are new remote sites that needs to be connected to HQ via site to site VPN. Each remote branch will have ASA, The outside IPs of both ASRs are in same subnet. 
  1. Is it possible to acheive redudancy in HQ side in this design ? 
  2. Can i create L2L tunnels to both ASRs ? If yes how can i make 1 tunnel active and other secondary ?
                                                                                                                      |ASR1
    Users--------L3SW--------ASA---------------ISP----------CPE---------------|
                                                                                                                      |ASR2
  Any suggestions are welcome
  Thanks

  There are two ways:
  Stateful Failover for IPsec
  http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-mt/sec-vpn-availability-15-mt-book/sec-state-fail-ipsec.html
  http://packetlife.net/blog/2009/aug/17/fun-ipsec-stateful-failover/
  VPN-config with two peers an the ASA.
  Here you have two individual gateways on the HQ and the ASA has two tunnel-groups fr both gateways but only one sequence in the crypto-map. The peer-statement has both HQ-IPs configured.

• Issue bringing up VPN between ASA and Checkpoint - HELP

  Hi all
  We are having major issues bringing up a vpn between our ASA and third party checkpoint, it seems if the checkpoint initiates the connection it works, but if we initiate it from the ASA it doesnt come up.
  on the ASA I see the following
  any ideas what this is ?
  7
  Jan 30 2014
  11:52:03
  715065
  IP = 159.50.93.1, IKE MM Initiator FSM error history (struct &0x79c4bb68) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

  Phase 2 failures means several things:
  Encryption domain (interesting traffics) fail to match.  Checkpoint tends to supper net network together, by design,
  Phase 2 parameters such as ESP, PFS and seconds timeouts do not match.
  Why don't you put in relevance configuration on the ASA and if possible, ask the checkpoint firewall guy to do the following on the firewall:
  - output of "uname -a" and "fw ver"
  - is this Nokia, Windows or Secureplatform Checkpoint?
  - run the following commands on the firewall:  "debug ike off", "debug ike trunc"  and send you the ike.elg file.  That file can be decoded with the IKEView.exe and it will tell you exactly where things are wrong. 
  Disable/turn OFF kilobytes timeouts is not the solution. 

• Routable VPN Between ASA and Windows RRAS

  Hi all,
  I'm trying to figure out the best way to create a routable VPN between my production network and a small DR server that I have colo'd offsite.
  On the production side I have an ASA 5515-X (10.1.0.0/23) and on the DR side I have a Windows Server 2012 R2 server running RRAS, DHCP, NAT, and Hyper-V.  The DR server has a virtual environment with a subnet of 10.5.0.0/24 behind NAT (diagram attached for a visual).  I've seen some tutorials online for how to create a routable VPN between the two, some utilizing the Windows Advanced Firwall to create an IPSec tunnel.  So far, I've not been able to get the tunnel to come up.
  Before I spend even more time trying to troubleshoot this, I was wondering what the best way to create a secure connection between these two subnets is and if anybody has done something similar successfully.
  Thanks,
  Jason

  None yet, I've been stuck on this for a while now.  My latest attempt caused the DR site to go offline and required hands-on at the colo site to get it back online due to a bad ipsec policy, so I've backed off a bit on trying things.

• VPN between ASA and IOS router

  We have established a VPN tunnel between IOS router and ASA, however it i working only from the latter. What are the common dissimilarities whcih occur between these two devices when setting up VPN?

  Do a search for the following on cisco.com- "Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions"
  It should help fix any problems.
  HTH and please rate.

• IPSec and split tunneling

  Hi,
  One of my users need to work sometimes in second (not our) office and have access to printer. The problem is that the in the remote and local office there is the same network (10.0.0.0/24). VPN's policy distinguish network 10.0.0.0/24  that should go through the tunnel. The printer in the remote office has IP address 10.0.0.102. Is there any posibility to solve it ? I've tried with access-list:
  access-list SPLIT_TUNNEL_LIST standard deny host 10.0.0.102
  access-list SPLIT_TUNNEL_LIST standard permit 10.0.0.0 255.255.255.0
  but it doesn't work
  regards
  Hubert

  solved by NAT,
  regards

• IPsec VPN IOS - ASA

  Hi,
  I'm in the process of migrating some old IOS IPsec VPN configurations from IOS to ASA.
  What immediately becomes a problem is that there is no way to virtualize the routing tables on a single ASA. The original IOS setups uses separate VRF:s for each customers and therefore overlapping LAN networks or even VPN pools aint a problem.
  This has been in the past avoided (in other ASAs) by using default route for each customer interface on the ASA (with different metric). With this we can have overlapping LAN networks for the customer. Though the limit for the customer links become = metric value range. So basically even if we had an ASA with support for 1000 Vlans we still couldnt use this setup as we would run out of usable metric values for the default routes pointing to the customer links/networks.
  So looking at the above situation it seems we would just need to have a load of ASAs with support for 250 Vlans handling each customer groups and not a single ASA which could handle all the VPNs (if theres more than the mentioned approx. 250)
  Another option is I guess using a single link on the ASA for all the customer with a tunneled default route and handling the virtualisation on the core device by using PBR to route the packets to different VRF. This in turn would create alot of more configurations on the core device and a single VPN configuration/connection would become harder to manage.
  Has anyone run into a similiar situation and how have you handled it? Have you moved to another device manufacturer or sticked with the IOS perhaps? Its unfortunate that the ASA can't handle this by itself.
  - Jouni

  Hi,
  I've heard from our local Cisco contact that L2L VPN is coming. (Though in his words most people were waiting for Client VPN support, as were we) L2L VPN only provides minimal help to our situation as most connections are Client VPN.
  Basically the ultimate goal is to eventually migrate all IPsec Client VPN users to start using AnyConnect.
  The goal now is to get the old IPsec Client and L2L VPNs of the current device so we can remove the actual 6509/VPN/FWSM device from the network. (Because of the old hardware)
  Even though we have newer IOS devices in our network we would rather keep the Client VPN off the IOS devices. So the idea was to quickly move the Client VPNs to ASA and L2L VPN to another IOS device (by moving the L2L VPN peer IP address to the newer IOS device along with the configurations)
  We also started considering hosting the VPN services on a more high end device(s) which could support everything we need. In this case the ASA seemed a natural choice. Then again IOS gives alot more flexibility and the most important to us is the ability to virtualise routing.
  I've read that AnyConnect VPN has also come to IOS devices.
  Quick Google search gives this Cisco document
  http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080af314a.shtml#intro
  How is the AnyConnect on IOS compared to ASA? Would IOS devices at some point (or already?) become a viable option for hosting all the VPNs? (The use of AnyConnect and Clientless VPN has kept us away from continuing with IOS)
  Also on another note, I guess I missed one thing when writing the original post.
  I guess you can actually use specific routes on the ASA for the overlapping customer networks with different metrics (instead of the default routes with different metrics) This would enable you to handle the routing for more customer links than when simply using default routes towards each customer link with different metric. As now each network range could overlap on 255 customers.
  Heres a small sample of a lab configuration of that kind of situation
  interface GigabitEthernet0/0
  description TRUNK
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/0.1000
  description ASIAKAS-1
  vlan 1000
  nameif asiakas-1
  security-level 100
  ip address 172.32.100.2 255.255.255.0
  interface GigabitEthernet0/0.2000
  description ASIAKAS-2
  vlan 2000
  nameif asiakas-2
  security-level 100
  ip address 172.32.200.2 255.255.255.0
  route asiakas-1 10.10.10.0 255.255.255.0 172.32.100.1 1
  route asiakas-2 10.10.10.0 255.255.255.0 172.32.200.1 2
  group-policy ASIAKAS-1-GP attributes
  vlan 1000
  group-policy ASIAKAS-2-GP attributes
  vlan 2000
  Basically to my understanding in the above situation the "vlan xxxx" configuration under group-policy defines the eggress interface of the traffic from the VPN and therefore the route for vlan2000/GigabitEthernet0/0.2000 would apply in the case (and provide the next-hop IP) where the VPN user was connecting with a connection using group-policy ASIAKAS-2-GP
  I tested this setup and it seemed to work fine. Though this would naturally be an administrative nightmare to manage. (As would be the PBR solution mentioned in the original post)
  I'm not sure if I'm making any sense
  - Jouni

• ASA and VTI configuration

  Good morning experts,
  My experience with ASAs over the last few years has been limited so I am not up on all of the newer features that they offer. I know in the past that ASAs did not support any type of tunnel interfaces and thus did not support a VTI configuration like you can do on an IOS router.
  My problem is that I need to build a VPN tunnel between a few ASAs and a Juniper netscreen which many networks on each side that can not easily be summarized. Being able to build a route based VPN on the ASA would be very helpful as the crypto map could essentially be all zeros. Without this configuration, crypto IDs on both sides are going to get very complication very quickly.
  I can't seem to find any info on VTI configuration for the ASA which leads me to believe it doesn't exist. However a guy I work with that uses ASAs daily firmly believes that after version 8.4 this configuration is supported.
  Can anyone confirm please?
  Elton

  Dear Karthik ,
  I do not think the posted link contain what is elton looking for , actually I have few juniper firewalls and looking to replace them with ASA's but the problem is ASA did not support tow of our main requirements which is Route Based VPN through VTI , and GRE tunneling 
  I do not why Cisco did not support those features on ASA till now (as per my knowledge) most of firewall vendors support that