AnyConnect VPN and Split-tunnel ACL - Strange...

Hi,
I have an ACL as follows, applied on the AnyConnect VPN group as the split-tunnel value ACL.
access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq www
access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq https
When I connected with the AnyConnect client, I can ping 192.168.200.63 and also telnet to port 80. However, I cannot telnet to port 443. The strange thing is I do not see any hits on the above ACL; moreover, I'm wondering how come ICMP is working and why it does not stop on this ACL?
When I did the packet-tracer for both ICMP and HTTP, it just drops on Phase 4, as below. I just want to know what this ACL is and where it's been applied to?
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x78e03140, priority=11, domain=permit, deny=true
        hits=113713, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any
What is the correct syntax for the packet-tracer command when troubleshooting AnyConnect VPN to check access to an inside/DMZ server?
I have used as follows:
packet-tracer input outside icmp 172.16.1.1 0 8 192.168.200.63 details
I'd appreciate it if someone can help me out on this.
Thanks

To start with, it is not ideal to configure a port-based split tunnel. It is not supported and will give you weird results like the one you are experiencing. You should use a standard access-list for the split tunnel, and to restrict the users to the following ports use a vpn filter.
As far as packet tracer is concerned, for the VPN client, if you use the outside interface as the source it will never work. The reason is that the connection between the ASA and the client uses the real (public) IP address, and the traffic that you are testing with is VPN-encrypted traffic. Your ASA's outside interface doesn't know what 172.16.1.1 is; it will check it against the outside access-list and will drop it.
So in your case I would strongly recommend that you use a standard access-list for the split tunnel, and to restrict the user to specific ports use a vpn filter. Following are the links to configure the same:
Allow Split Tunnel for Anyconnect:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
Configure VPN filter (it's for site-to-site and remote access, but it works the same for AnyConnect):
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
Thanks
Jeet Kumar
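
One way to audit a running-config for the situation described in this reply, as an added example that is not part of the original thread: it flags group policies whose split-tunnel list matches on protocol or port and that have no vpn-filter. The group-policy names, the SPLIT-STD and VPN-FILTER ACLs, the finding codes, and the assumption that 172.16.1.0/24 is the VPN client pool are not from the thread.

```python
import re

# Constructed sample. SPLIT-ACL is the ACL from the question; everything else
# (policy names, SPLIT-STD, VPN-FILTER, 172.16.1.0/24 as the client pool) is
# assumed for this example.
SAMPLE_CONFIG = """\
access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq www
access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq https
access-list SPLIT-STD standard permit host 192.168.200.63
access-list VPN-FILTER extended permit tcp 172.16.1.0 255.255.255.0 host 192.168.200.63 eq www
access-list VPN-FILTER extended permit tcp 172.16.1.0 255.255.255.0 host 192.168.200.63 eq https
group-policy GP-BEFORE attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
group-policy GP-AFTER attributes
 vpn-filter value VPN-FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-STD
"""

PORT_OPS = {"eq", "neq", "lt", "gt", "range"}
ACL_RE = re.compile(r"access-list\s+(\S+)\s+(standard|extended)\s+(?:permit|deny)\s+(.+)$")
HEADER_RE = re.compile(r"(group-policy|username|tunnel-group)\s+(\S+)")
ATTR_RE = re.compile(r"(split-tunnel-network-list|vpn-filter)\s+value\s+(\S+)$")


def parse(config):
    """Return (acls, policies) parsed from ASA running-config text."""
    acls, policies, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate configs whose indentation was lost
        m = ACL_RE.match(line)
        if m:
            name, kind, rest = m.groups()
            acls.setdefault(name, []).append((kind, rest.split()))
            current = None
            continue
        m = HEADER_RE.match(line)
        if m:
            # Only group-policy blocks are audited; other headers end the block.
            current = m.group(2) if m.group(1) == "group-policy" else None
            if current:
                policies.setdefault(current, {})
            continue
        m = ATTR_RE.match(line)
        if m and current:
            policies[current][m.group(1)] = m.group(2)
    return acls, policies


def is_port_based(entries):
    """True if any ACL entry matches on more than IP networks."""
    for kind, tokens in entries:
        # In an extended entry the first token after permit/deny is the
        # protocol; anything other than plain "ip" is flagged conservatively.
        if kind == "extended" and (tokens[0] != "ip" or PORT_OPS & set(tokens)):
            return True
    return False


def audit(config):
    """Return sorted (policy, finding) tuples for split-tunnel ACL misuse."""
    acls, policies = parse(config)
    findings = []
    for name, attrs in policies.items():
        split_acl = attrs.get("split-tunnel-network-list")
        if split_acl is None:
            continue
        if split_acl not in acls:
            findings.append((name, "UNDEFINED_SPLIT_ACL"))
        elif is_port_based(acls[split_acl]):
            findings.append((name, "PORT_BASED_SPLIT_ACL"))
            if "vpn-filter" not in attrs:
                findings.append((name, "NO_VPN_FILTER"))
    return sorted(findings)


if __name__ == "__main__":
    for policy, finding in audit(SAMPLE_CONFIG):
        print(policy, finding)
```

In the GP-AFTER policy the vpn-filter ACL lists the client pool as source and the protected host as destination, which is the direction Cisco documents for remote-access vpn-filter ACLs.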

Similar Messages

  • Cisco 3745, VPN and Split Tunneling

    I tried following the model here: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns27/networking_solutions_white_paper09186a008018914d.shtml
    but after doing so, the situation was actually reversed. While connected to the vpn client you were able to browse the internet but not able to access vpn resources. I undid and redid the configuration several times to rule out keying in problems.
    Can anyone help with this problem? If needed I'll post the necessary configs from my router. Thanks
    (btw: do these forums have a search?)

    I am having the same problems with pix 501. With split tunnel, I get web but no lan access. Without split tunnel, full lan access, no web. My acl for the splitTunnel is:
    permit ip host 192.168.1.0 any
    Is this wrong?

  • IP Phone SSL VPN and Split tunneling

    Hi Team,
    I went through the following document, which is very useful:
    https://supportforums.cisco.com/docs/DOC-9124
    The only thing I'm not sure about is the split-tunneling point:
    Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
    I could see many implementations where they used split-tunneling, like one of my customers:
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    banner value This system is only for Authorized users.
    dns-server value 10.64.10.13 10.64.10.14
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value prod.mobily.lan
    address-pools value SSLClientPool
    webvpn
      anyconnect keep-installer installed
      anyconnect ssl rekey time 30
      anyconnect ssl rekey method ssl
      anyconnect ask none default anyconnect
    username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
    username manager-max attributes
    vpn-group-policy GroupPolicy1
    tunnel-group PhoneVPN type remote-access
    tunnel-group PhoneVPN general-attributes
    address-pool SSLClientPool
    authentication-server-group AD
    default-group-policy GroupPolicy1
    tunnel-group PhoneVPN webvpn-attributes
    group-url https://84.23.107.10 enable
    ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
    access-list split-tunnel remark split-tunnel network list
    access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
    It is working for them w/o any issue.
    My question would be
    - is the limitation about split-tunneling still valid? If yes, why is it not recommended?
    Thanks!
    Eva

    Hi,
    If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password. If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided). Notice the 5 seconds between the SSL session establishment and termination; this is most likely when the user is being authenticated against the aaa server. If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what's going on at an authentication protocol level you can enable several debugs including 'debug aaa authentication|common|internal' and protocol-specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
    Did this answer your question? If so, please mark it Answered!

  • RA VPN on ASA and Split Tunneling

    Hello Forum,
    I'm having an issue with RA VPN and split tunneling. Our company doesn't allow split tunneling.
    I have the following....
    ASA 5520 - ASA Version - 8.0(3)
    Group Policies defined for different groups. My test group, I thought I disabled split tunneling but they are still able to surf the net.
    For Split Tunneling Policy...
    Inherit is unchecked
    I have "Tunnel Network List Below"
    Testing_splitTunnelAcl is my acl. I have a bunch of host IPs in the list. I don't have any or 0.0.0.0 in the list.
    But they can still surf the net.
    I would like to block access to net. No hairpinning or internet u-turns.
    How do I do this?
    Any help greatly appreciated.
    Regards,

    What does your Testing_splitTunnelAcl have?
    To disable split tunneling, your Testing_splitTunnelAcl should only have this...
    access-list Testing_splitTunnelAcl standard permit any
    ...which means all traffic will be encrypted and will be sent to the ASA no matter what. If you add any IP address, only traffic destined to the IP addresses in the list will be encrypted and sent to the ASA; everything else will go to the internet from the client.
    It may be confusing but try and see what happens.

  • Remote Access VPN, no split tunneling, internet access. NAT translation problem

    Hi everyone, I'm new to the forum.  I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
    Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices.  The configuration has been working without issues for the last couple years.
    I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
    I reviewed the new NAT rules for the VPN and found the culprit. 
    I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
    Here are the NAT rules I have in place: (The "inactive" rule is the culprit.  As soon as I enable this rule, the port forwarding hits a wall)
    nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    nat (outside,outside) source dynamic VPN_Subnet interface inactive
    object network obj_any
    nat (inside,outside) dynamic interface
    object network XXX_HTTP
    nat (inside,outside) static interface service tcp www www
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    Any help would be appreciated.

    Try changing the NAT rule to:
    nat (outside,outside) after-auto source dynamic VPN_Subnet interface
    With Regards,
    Safwan

  • Help with Easy VPN client split tunneling.

    Can someone please help me with my config for Easy VPN Client split tunneling? At the moment when the VPN is up I have NO access to the Internet from any host.
    Here's what I am attempting to do. I want only certain hosts to route all their traffic through the tunnel and the remaining hosts to use the default route.
    I created an object-group and access list with the hosts I want to route through the VPN:
    object-group network VNPCLIENTS
    description HOSTS ALLOWED ACCESS TO THE VPN
    host 192.168.3.204
    host 192.168.3.42
    host 192.168.3.44
    host 192.168.3.202
    host 192.168.3.43
    access-list 1 remark Internet access list
    access-list 1 permit 192.168.3.0 0.0.0.255
    access-list 101 remark Hosts allowed access to VPN
    access-list 101 permit ip object-group VNPCLIENTS any
    access-list 111 permit udp any any eq 3074
    access-list 111 permit tcp any any eq 3074
    access-list 111 permit udp any any eq 88
    I then applied the access list to the Virtual interface of the VPN in both directions:
    interface Virtual-Template1 type tunnel
    no ip address
    ip access-group 101 in
    ip access-group 101 out
    tunnel mode ipsec ipv4
    Now when I connect to the VPN I have no access from any host to the Internet, either through the tunnel or not.
    I must be doing something very wrong. Much appreciate any help.
    Thanks
    Gordon


  • SonicWall Global VPN Client and Split tunneling

    Hello All,
    I searched Google and the forums here and can't find someone with the same problem.
    Let's start at the beginning. I just started this job a couple of months ago and people immediately brought to my attention an issue: while they were on the VPN they could not get to the internet. I know about the different security risks but we have multiple field reps that need internet access while using our CRM program. So I set up Split Tunneling on the SonicWall. Tested and works fine on my home PC using a WRT54GS Ver 2.1 and the SonicWall Global VPN Client.
    So I was sure everything was fine until I just sent out 2 laptops to 2 different sales reps and they are both having the same issue.  They can get into the internal network but can't access the internet.  They are both on WRT54G (different Vers.).  I tested the VPN client on both laptops with tethering on my cell phone and the split tunneling works. I have tried updating firmware thinking that was the issue.  I also tried to put their home network on a different subnet.  All with no joy.  I was wondering if anyone ever ran into something like this or have any clues what to try next. 
    -Thank You in advance for your time.
    Message Edited by Chris_F on 01-11-2010 07:41 AM
    Chris F.
    CCENT, CCNA, CCNA Sec

    Of course, you do as you are told. But I hope you keep a written record of what you have been told and have it signed off by whoever told you to set it up. It's essential that you stay on the safe side in these matters.
    I have read of too many cases where the system/security admin did not do so and in the end was held responsible for security incidents simply because he was told to do something that jeopardized the security of the network. Remember that usually the person who tells you to do so has no idea about the full security implications of a decision.
    Thus, I highly recommend requiring your road staff to connect with no split tunneling. Refuse to do otherwise unless you have it in writing and you won't be held liable in any way if something happens because of it.
    Just think what happens if the whole customer database gets stolen because of one of the remote sales reps... There is a reason why you apply this web site blocking on your firewalls and there is absolutely no reason that would justify why your remote sales reps don't go through the very same firewall while accessing company-sensitive data in your CRM.
    So put that straight with whoever told you to do otherwise and if they still want to continue anyway get it in writing. Once you ask for the statement in writing many decision-makers come to their senses and let you do your job the best you can and for what you were hired... And if not, well, at least you got rid of the responsibility in that aspect.

  • Cisco AnyConnect SSL VPN no split tunnel and no hairpinning internet access

    Greetings,
    I am looking to configure a Cisco ASA 5515X for Cisco AnyConnect Essentials SSL VPN where ALL SSL-VPN traffic is tunneled, no split tunneling or hairpinning on the outside interface. However users require internet access. I need to route traffic out the "trusted" or "inside" interface to another device that performs content-filtering and inspection which then egresses out to the internet from there. Typically this could be done using a route-map (which ASA's do not support) or with a VRF (again, not an option on the ASA). The default route points to the outside interface toward the internet.
    Is there no other method to force all my SSL-VPN traffic out the inside interface toward LAN subnets as needed and have another default route point toward the filtering device?
    OR 
    Am I forced to put the ASA behind the filtering device somehow?

    Hi Jim,
    You can use tunnel default route for vpn traffic:
    ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled
    configure mode commands/options:
      <1-255>   Distance metric for this route, default is 1
      track     Install route depending on tracked item
      tunneled  Enable the default tunnel gateway option, metric is set to 255
    This route is applicable for only vpn traffic.
    HTH,
    Shetty

  • Issues with basic VPN setup and split tunneling

    I have created an SSL VPN to a Cisco ASA 8.6 running ASDM 6.6.
    I'm able to connect to the VPN and reach all the devices with the LAN but I'm not able to browse the web. When I enable the split tunnel I'm able to browse the web but then I'm not able to reach any internal device.
    Here is part of the show run:
    object network RedInterna
    subnet 150.211.101.0 255.255.255.0
    description Red Interna
    object network NETWORK_OBJ_10.4.1.0_28
    subnet 10.4.1.0 255.255.255.240
    access-list inside_access_in extended permit ip object RedInterna any
    access-list VPN_INTERNET standard permit 150.211.101.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool VPN_POOL 10.4.1.1-10.4.1.14 mask 255.255.255.240
    failover
    failover lan unit secondary
    failover lan interface fail-1 GigabitEthernet0/2
    failover key *****
    failover interface ip fail-1 10.3.1.21 255.255.255.252 standby 10.3.1.22
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-66114.bin
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static any any destination static  NETWORK_OBJ_10.4.1.0_28 NETWORK_OBJ_10.4.1.0_28 no-proxy-arp  route-lookup
    nat (inside,outside) after-auto source dynamic any interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 187.217.68.145 1
    route inside 10.0.0.0 255.0.0.0 10.1.1.78 1
    route inside 150.211.0.0 255.255.0.0 10.1.1.78 1
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy GroupPolicy_VPN_ internal
    group-policy GroupPolicy_VPN_ attributes
    wins-server none
    dns-server value 8.8.8.8
    vpn-tunnel-protocol ssl-client
    default-domain value dominio.com.mx
    tunnel-group VPN_ type remote-access
    tunnel-group VPN_ general-attributes
    address-pool VPN_POOL
    default-group-policy GroupPolicy_VPN_
    tunnel-group VPN_ webvpn-attributes
    group-alias VPN_ enable
    I'm not sure if I'm missing some small details or setup. Any help will be highly appreciated.
    Thanks!!!

    Hi,
    When you are using Full Tunnel VPN (which is the default setting) you will have a couple of things that you need to configure on the ASA.
    First, the ASA by default won't allow traffic to enter through an interface and then leave through that same interface. This is what essentially happens when the traffic from the VPN Client comes to the ASA and then heads out to the Internet.  In your case the traffic comes through the "outside" and leaves through the "outside" interface.
    You will need this command
    same-security-traffic permit intra-interface
    You can check if it's enabled at the moment with the command
    show run same-security-traffic
    Second, the VPN users will need to have NAT configuration just like any LAN users behind the actual ASA. So you will essentially have to configure Dynamic PAT for traffic from "outside" to "outside"
    You can accomplish that with the following configuration
    object network VPN-PAT
    subnet 10.4.1.0 255.255.255.240
    nat (outside,outside) dynamic interface
    I would imagine that this should do it for you to be able to connect to the Internet and to the LAN network when the VPN is active.
    Hope this helps
    Let me know how it goes.
    - Jouni
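
The two prerequisites named in the reply above, turned into a check over a running-config. This is an added example, not part of the original thread: the function name and finding codes are made up for it, and the sample text is constructed from the lines posted in the question and the reply.

```python
import ipaddress
import re

# Constructed excerpts: BEFORE keeps the relevant lines of the configuration
# posted in the question, AFTER appends the lines given in the reply.
BEFORE = """\
ip local pool VPN_POOL 10.4.1.1-10.4.1.14 mask 255.255.255.240
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.4.1.0_28 NETWORK_OBJ_10.4.1.0_28 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 187.217.68.145 1
"""
AFTER = BEFORE + """\
same-security-traffic permit intra-interface
object network VPN-PAT
 subnet 10.4.1.0 255.255.255.240
 nat (outside,outside) dynamic interface
"""

POOL_RE = re.compile(r"ip local pool (\S+) ([\d.]+)-([\d.]+)")
OBJECT_RE = re.compile(r"object network (\S+)$")
SUBNET_RE = re.compile(r"subnet ([\d.]+) ([\d.]+)$")


def check_full_tunnel(config, ifc="outside"):
    """Return findings that stop full-tunnel clients reaching the Internet."""
    object_nat = re.compile(rf"nat \({ifc},{ifc}\) dynamic interface$")
    # Anchoring on "interface$" means rules marked "inactive" do not count.
    manual_nat = re.compile(
        rf"nat \({ifc},{ifc}\) (?:after-auto )?source dynamic (\S+) interface$")
    hairpin, pools, subnets, pat_objects, current = False, {}, {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            hairpin = True
        if m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
        if m := OBJECT_RE.match(line):
            current = m.group(1)          # object stanza opens
        elif (m := SUBNET_RE.match(line)) and current:
            subnets[current] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
        elif object_nat.match(line) and current:
            pat_objects.add(current)      # object NAT inside the stanza
        elif m := manual_nat.match(line):
            pat_objects.add(m.group(1))   # manual NAT naming a source object
            current = None
        elif not line.startswith("description"):
            current = None                # any other command closes the stanza
    pat_nets = [subnets[name] for name in pat_objects if name in subnets]
    findings = []
    if not hairpin:
        findings.append("NO_INTRA_INTERFACE")
    for name, (first, last) in sorted(pools.items()):
        # The whole pool range must fall inside a translated subnet.
        if not any(first in net and last in net for net in pat_nets):
            findings.append(f"POOL_NOT_TRANSLATED:{name}")
    return findings


if __name__ == "__main__":
    print("before:", check_full_tunnel(BEFORE))
    print("after: ", check_full_tunnel(AFTER))
```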

  • SSL VPN Full and Split Tunnel Config Question

    I am Beta testing SSLVPN on an IOS router. The question I have is this:
    Is it possible to have split and full tunnel configs? It seems that once you create your context and default profile that is all you have, either split or full. The books say you can use Radius and assign different profiles, but I would like to give the users a choice (like in the VPN3000 .pcf) of either split or full depending on where they are working from.

    The below is an example using the ASA - but the principle remains the same:-
    http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a0080975e83.shtml
    HTH

  • VM with remote access VPN without split tunneling

    Hello experts,
    I have customers who require to use VMs on their laptops. These users also need to VPN to the corporate network to do their job. However, when they do remote VPN to the corporate network (ASA VPN concentrator) from their VM host machine, they lose their access to their VM guest machines. This problem was not happening when they used the Cisco VPN client, which has gone end of life and support as of end of July 31, 2012. In the Cisco VPN client (IKEv1), if we set the protocol to UDP they had no problem keeping their connectivity to VM machines while connected to corporate with remote access VPN. However, this feature does not work in the new Cisco VPN client, which is called AnyConnect. (NOTE: I am using IPsec IKEv2. NO SSL at this time.)
    My Question to Experts:
    1. Was the ability to maintain connection to VM guest machines, while connected to VPN without enabling split tunneling, a security flaw in the old Cisco VPN client?
    2. Is there a way to maintain connectivity to VM machines installed in a computer and still connect to a remote access VPN concentrator through the host machine? (My question is about the AnyConnect client only, using IPsec IKEv2, and I do not want to enable split tunneling)
    Thanks for your help,
    Razi                

    Did you figure this out?

  • Nokia mobile VPN Client - split tunneling

    Hi
    I'm trying to get Nokia mobile VPN Client working with split tunneling on a Cisco firewall.
    I have full access to all on my internal lan's when I make the VPN tunnel, so tunnel is up and working.
    But I do not have access to anything in the internet, it tries to route internet requests through the VPN. I have set split tunneling on the Cisco firewall and it is working as intended on all other devices.
    Any ideas of what I have missed?
    My policy is based on the bundled Cisco_ASA_pskxauth.pol from the Nokia mobile VPN Client Policy Tool.
    tsfts

    Hi vgta2k:
    Nokia 5530 XpressMusic is S60 5th edition phone.
    http://www.forum.nokia.com/Devices/Device_specifications/5530_XpressMusic/
    It runs different version of Nokia Mobile VPN client than Symbian^3. You can find the correct version at the download page:
    http://europe.nokia.com/support/download-software/nokia-mobile-vpn/compatibility-and-download
    Just use the device selector and pick your phone.
    You can also find Nokia Mobile VPN Client nowadays at Ovi Store.
    Thanks,
    Ismo

  • AnyConnect SSL VPN Vista split-tunneling

    I recently set up an ASA5510 with 8.0fw with the AnyConnect SSL VPN Client.
    Connecting to the SSL VPN works perfectly from all the XP computers that I have tested from. No problems there. However, when on Vista, split-tunneling does not seem to function properly. Everything connects and works fine, and I can get to the defined secured remote nets; however, I can't access anything out my default gateway (un-secured traffic). It seems like it might be a problem with Vista security features. When I try to ping out to any outside host, I get:
    PING: transmit failed, error code 1231.
    I can actually ping my default gateway, but nothing gets routed past it without the above error. I've also confirmed this on several Vista installations, with Administrator + UAC disabled. Anyone else?

    I have done the same testing, and on both Vista 32bit and 64Bit the split tunneling does not seem to work. Also I found that this is a "known" bug
    From the Release Notes::
    AnyConnect Split-tunneling Does Not Work on Windows Vista - AnyConnect split-tunneling works correctly with Windows XP and Windows 2000 (CSCsi82315)
    I am happy that 64Bit works but will hold off on roll out until split-tunneling is fixed.
    Cassidy

  • Is it possible to force some urls through the vpn using split tunneling?

    Hi all,
    just that. We have some URLs accessible only from our office LAN, and it will be nice to allow the clients to split tunnel all but these specific URLs.
    Possible? Thanks in advance!

    Simon,
    I was thinking that you were trying to reach a web server hosted on the LAN. I see now that you are trying to reach external sites that are only accessible from the LAN. I am not aware of any way to allow a partially split tunnel, if I find anything I will update.
    - Marty

  • IPSec and split tunneling

    Hi,
    One of my users needs to work sometimes in a second (not our) office and have access to a printer. The problem is that in the remote and local office there is the same network (10.0.0.0/24). The VPN's policy distinguishes network 10.0.0.0/24 that should go through the tunnel. The printer in the remote office has IP address 10.0.0.102. Is there any possibility to solve it? I've tried with this access-list:
    access-list SPLIT_TUNNEL_LIST standard deny host 10.0.0.102
    access-list SPLIT_TUNNEL_LIST standard permit 10.0.0.0 255.255.255.0
    but it doesn't work
    regards
    Hubert

    solved by NAT,
    regards
