How do split tunnelling in VPNs work?

The most visible issue is where the client's default gateway goes. In a full tunnel, it moves to the far side of the tunnel. In the split tunnel, it stays local. The security risk of split tunneling is that the client is providing a bridging path for outside malicious traffic to leak across the tunnel, with no influence from the far end's firewall and IDS. The performance risk of full tunnels is that 3rd party outside traffic not terminating at the organization on the far side still has to take the tunnel, which can add latency, limit throughput, or increase packet loss. The best designs require balancing the network layout, uplink sizing, and security posture in concert.
-- Jim Leinweber, WI State Lab of Hygiene

Similar Messages

VPN split tunneling does not work with filtering enabled

I restricted our Windows VPN clients to reach only certain IPs and ports using filtering in their group policy. It works but I would like to add split tunneling for client's local Internet access. I temporary disabled filtering, unchecked the 'user default gateway on remote' box in properties of Windows VPN client, configured networks to be tunneled and it works. The moment I configure filters, my split tunneling does not tunnel the networks - they are not listed in Windows 'route print'. I change filtering to inherit or NONE and reconnect VPN and the tunneled networks show up again. I change filtering to a simple testing ACL/ACE and reconnect and they are gone again. Can I have split tunneling and filtering working simultaneously? Any help would be appreciated.

I'm not aware of any method named tokenize and there isn't one listing in
the alphabetic list of methods in the J2SE API. Perhaps you were thinking
of java.util.StringTokenizer, whose API contains this note:
StringTokenizer is a legacy class that is retained for compatibility reasons
although its use is discouraged in new code. It is recommended that anyone
seeking this functionality use the split method of String or the java.util.regex
package instead.

Unable to access inside network using Split tunnel RA VPN

Hi Everyone,
I configured RA Split tunnel VPN.
Connection works fine.
Inside Interface of ASA has connection to Switch IP 10.1.12.1.
When connected via RA VPN i try https://10.1.12.1 but it does not open up.
Inside Interface of ASA has IP 10.0.0.1
ASA1#                                                                         $
Session Type: IKEv1 IPsec Detailed
Username     : ipsec-user             Index        : 23
Assigned IP : 10.0.0.51              Public IP    : 192.168.98.2
Protocol     : IKEv1 IPsec
License      : Other VPN
Encryption   : IKEv1: (1)AES256 IPsec: (1)AES128
Hashing      : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx     : 2130969                Bytes Rx     : 259008
Pkts Tx      : 6562                   Pkts Rx      : 3682
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : ipsec-group            Tunnel Group : ipsec-group
Login Time   : 11:10:41 MST Sun Jan 26 2014
Duration     : 0h:40m:30s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
IKEv1 Tunnels: 1
IPsec Tunnels: 1
IKEv1:
Tunnel ID    : 23.1
UDP Src Port : 62751                  UDP Dst Port : 500
IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
Encryption   : AES256                 Hashing      : SHA1
Rekey Int (T): 86400 Seconds          Rekey Left(T): 83975 Seconds
D/H Group    : 2
Filter Name :
Client OS    : WinNT                  Client OS Ver: 5.0.07.0440
IPsec:
Tunnel ID    : 23.2
Local Addr   : 0.0.0.0/0.0.0.0/0/0
Remote Addr : 10.0.0.51/255.255.255.255/0/0
Encryption   : AES128                 Hashing      : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds          Rekey Left(T): 26375 Seconds
Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
Bytes Tx     : 2137160                Bytes Rx     : 259088
Pkts Tx      : 6571                   Pkts Rx      : 3684
NAC:
Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
SQ Int (T)   : 0 Seconds              EoU Age(T)   : 2426 Seconds
Hold Left (T): 0 Seconds              Posture Token:
Redirect URL :
From ASA i can ping the switch IP
ASA1# ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1#
logs from firewall
Jan 26 2014 11:53:20: %ASA-6-302014: Teardown TCP connection 51636 for outside:10.0.0.51/50747(LOCAL\ipsec-user) to identity:10.0.0.1/443 duration 0:00:00 bytes 1075 TCP Reset-O (ipsec-user)
Jan 26 2014 11:53:20: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.51/50747 to 10.0.0.1/443 flags FIN ACK on interface outside
Why firewall logs show https connection to 10.0.0.1 instead of 10.1.12.1?
Regards
Mahesh

Hi Jouni,
ASA1# sh ip address
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 10.0.0.1        255.255.255.0   CONFIG
Vlan2                    outside                192.168.1.171   255.255.255.0   CONFIG
Vlan3                    sales                  10.12.12.1      255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 10.0.0.1        255.255.255.0   CONFIG
Vlan2                    outside                192.168.1.171   255.255.255.0   CONFIG
Vlan3                    sales                  10.12.12.1      255.255.255.0   CONFIG
Connection is split tunnel.
when i check stats on vpn client all i see bypassed packets.
ASA1#                                                       sh run group-polic$
group-policy ipsec-group internal
group-policy ipsec-group attributes
dns-server value 64.59.144.19
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
ipv6-split-tunnel-policy excludespecified
split-tunnel-network-list value ipsec-group_splitTunnelAcl
Regards
Mahesh
Message was edited by: mahesh parmar

Split Tunneling Two VPN Clients On One Laptop?

I recently tried to check the properties of a folder on the network to see what the total file size of its contents was (on a Server 2008 R2 server, logged on using my domain admin account).The total size of the contents reported was ony 6 MB. This was a folder I knew to contain subfolders totalling in excess of 300 GB, so something wasn't right. When I drilled down a level, I realized that the subfolders would also not let me check their properties or browse to them until I elevated my access in a UAC prompt. Apparently, I don't have read access to those folders, even though Domain Admins has full access to them and I am a member of Domain Admins.All the subfolders are set to inherit permissions from the parent and checking their permissions individually confirms that Domain Admins does indeed have full access. Also, checking...

I'm trying to decide whether we should push to get Windows 10 Enterprise at it's extra costs vs getting only the free upgrade to Windows 10 Pro. I want to make sure I understand everything you get with Windows 10 Pro that is not available for Windows 10 Professional VL.I've already seen this chart on the Microsoft site, but I thinkthey have skipped orglossed over at least a few features:https://www.microsoft.com/en-us/WindowsForBusiness/CompareSome features we don't care about.Bitlocker:Since Windows 7 didn't have Bitlocker, we have already committed to third party encryption tools and use some of the features that gives you that Bitlocker does not such as assigning multiple preboot authentication IDs that can sync with active directory and being able to selectively enable or disable preboot authentication based on the location of the...

AnyConnect SSL VPN Vista split-tunneling

I recently setup an ASA5510 with 8.0fw with the AnyConnect SSL VPN Client.
Connecting to the SSL VPN works perfectly from all the XP computers that I have tested from. No problems there. However when on Vista, split-tunneling does not seem to function properly. Everything connects and works fine, and I can get to the defined secured remote nets, however I can't access anything out my default gateway(un-secured traffic). It seems like it might be a problem with Vista security features. When I try to ping out to any outside host, I get:
PING: transmit failed, error code 1231.
I can actually ping my default gateway, but nothing gets routed past it without the above error. I've also confirmed this several Vista installations, with Administrator + UAC disabled. Anyone else?

I have done the same testing, and on both Vista 32bit and 64Bit the split tunneling does not seem to work. Also I found that this is a "known" bug
From the Release Notes::
AnyConnect Split-tunneling Does Not Work on Windows Vista - AnyConnect split-tunneling works correctly with Windows XP and Windows 2000 (CSCsi82315)
I am happy that 64Bit works but will hold off on roll out until split-tunneling is fixed.
Cassidy

How to reduce the IPSec VPN connection establishment time

Hi,
I set up an IPSec VPN with NAT-T between two cisco router 871. In particular one router acts as a SERVER and the other one as a CLIENT. All the traffic coming from the hosts connected to the CLIENT-router is sent over the VPN (no split tunnel). Everything works perfectly.
The only problem is the amount of time the VPN takes to establish the first connection between the two routers. In particular it takes about two minutes.
Could anybody tell me if this amount of time can be reduced (with a partcular configuration instruction)?
Or this is the minimum amount of time required for the first connection establishment?
Thank you for your help.

Sara,
Two minutes sound like a lot of time even with a super slow Internet connection. Could you share your configs to see if there is anything on the VPN config that is adding such a huge delay? The connection stablishment shouldnt take more than a few seconds.
Thanks,
Raga

VPN Split-Tunneling not working

Hello,
First off - thanks to all who post here. I often browse the forums and search for help on here and its very useful, so a great pat on the back for everyone who contributes. My first time posting so here goes.....
I have my ASA 5505 v8.2 configured to allow AnyConnect. This is working. Client can connect and access the remote systems through VPN. What is causing me a massive headache is that the client loses internet connectivity. I have played around with my config somewhat so what I am about to post I know for certain is incorrect but any help is greatly appreciated.
Notes
1. The Router was set up for a standard site-to-site VPN which is no longer functional but as you can see all the settings are still in the router.
2. The router also has a DMZ setup to allow some clients access to the internet through it using the DMZ
CONFIGURATION:
ASA Version 8.2(5)
hostname MYHOST
enable password mUUvr2NINofYuSh2 encrypted
passwd UNDrnIuGV0tAPtz2 encrypted
names
name x.x.x.x AIME-SD
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.0.0
interface Vlan7
no forward interface Vlan1
nameif DMZ
security-level 20
ip address 137.57.183.1 255.255.255.0
ftp mode passive
clock timezone MST -7
object-group network obj_any_dmz
access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255                                                                                        .255.0
access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.25                                                                                        5.0
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 access-list nonat
nat (DMZ) 10 137.57.183.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 64000
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set batus esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map batus 100 match address 10
crypto map batus 100 set peer AIME-SD
crypto map batus 100 set transform-set batus
crypto map batus interface outside
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=MYHOST
keypair ClientX_cert
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate 0f817951
    308201e7 30820150 a0030201 0202040f 81795130 0d06092a 864886f7 0d010105
    05003038 31173015 06035504 03130e41 494d452d 56504e2d 42415455 53311d30
    1b06092a 864886f7 0d010902 160e4149 4d452d56 504e2d42 41545553 301e170d
    31333036 32373137 32393335 5a170d32 33303632 35313732 3933355a 30383117
    30150603 55040313 0e41494d 452d5650 4e2d4241 54555331 1d301b06 092a8648
    86f70d01 0902160e 41494d45 2d56504e 2d424154 55533081 9f300d06 092a8648
    86f70d01 01010500 03818d00 30818902 818100c9 ff840bf4 cfb8d394 2c940430
    1887f25a 49038aa0 1299cf10 bda2a436 227dcdbf f1c5566b c35c2f19 8b3514d3
    4e24f5b1 c8840e8c 60e2b39d bdc0082f 08cce525 97ffefba d42bb087 81b9adb9
    db0a8b2f b643e651 d17cd6f8 f67297f2 d785ef46 c3acbb39 615e1ef1 23db072c
    783fe112 acd6dc80 dc38e94b 6e56fe94 d59d5d02 03010001 300d0609 2a864886
    f70d0101 05050003 8181007e 29e90ea0 e337976e 9006bc02 402fd58a a1d30fe8
    b2c1ab49 a1828ee0 488d1d2f 1dc5d150 3ed85f09 54f099b2 064cd622 dc3d3821
    fca46c69 62231fd2 6e396cd1 7ef586f9 f41205af c2199174 3c5ee887 42b684c9
    7f4d2045 4742adb5 d70c3805 4ad13191 8d802bbc b2bcd8c7 8eec111b 761d89f3
    63ebd49d 30dd06f4 e0fa25
quit
crypto isakmp enable outside
crypto isakmp policy 40
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 DMZ
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint1 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy ClientX_access internal
group-policy ClientX_access attributes
vpn-tunnel-protocol svc
split-tunnel-network-list value split-tunneling
default-domain value access.local
address-pools value Internal_Range
ipv6-address-pools none
webvpn
svc mtu 1406
svc rekey time none
svc rekey method ssl
username ClientX password ykAxQ227nzontdIh encrypted privilege 15
username ClientX attributes
vpn-group-policy ClientX_access
service-type admin
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****
tunnel-group ClientX type remote-access
tunnel-group ClientX general-attributes
address-pool Internal_Range
default-group-policy ClientX_access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy ClientX_access
tunnel-group ClientX_access type remote-access
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e7d92a387d1c5f07e14b3c894d159ec1
: end
Thank you for any help!!

Karsten!
That fixed my internet access problem. Yippee!
Unfortunately it seems to have broken my access to the internal network. Boo!
I can no longer access/ping anything on the internal IP range (192.168.101.x).
I assume this is a nat issue somewhere along the line. Posting the top half of my config for any assistance and the info requested by Raj (although VPN is connecting fine). Thank you both for your very prompt replies!!!
Short Config
object-group network obj_any_dmz
access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.255.0
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 access-list nonat
nat (DMZ) 10 137.57.183.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 207.229.2.129 1
route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
Show vpn-sessiondb svc
Session Type: SVC
Username     : ClientX                 Index        : 9
Assigned IP : 192.168.101.125        Public IP    : x.x.x.x
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : SSL VPN
Encryption   : RC4 AES128             Hashing      : MD5 SHA1
Bytes Tx     : 11662                  Bytes Rx     : 62930
Group Policy : ClientX_access          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 22:40:56 MST Mon Jul 1 2013
Duration     : 0h:11m:08s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Cisco 871 to Cisco ASA 5545 Site-to-Site VPN Split Tunnel not working.

Tunnel comes up and can see and access protected traffic but cannot access web (Split Tunnel). Don't know if access problem or route issue.
Listed below is configuration for Cisco 871, any help very much appreciated.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key test address x.x.x.x
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to x.x.x.x
set peer x.x.x.x
set transform-set ESP-3DES-SHA
match address 100
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
ip address 4.34.195.193 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 172.200.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip tcp adjust-mss 1452
ip route 0.0.0.0 0.0.0.0 4.34.195.193 permanent
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
logging trap debugging
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.200.1.0 0.0.0.255 172.16.2.0 0.0.0.255

I don't see any NAT configuration above. Check you can PING out to the internet (8.8.8.8 for example) from the router itself as it won't need NAT to PING from the outside interface.
Have a look at this document on setting up NAT for your inside devices:
http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html

CISCO ASA 5505 Split Tunnel DNS with Site to Site VPN

I have a working configuration for Site to Site VPN between our head office and a private AWS VPC instance.
The tunnel is active and I can ping the IP address of the remote network and connect to the remote machines using the IP address, but we need to use the FQDN and not the IP. We have a DNS server set up in AWS for any DNS queries for the remote domain name.
My question is whether or not the ASA 5505 supports a DNS split tunnel for Site to Site VPN and how it can be configured.
I can not find where I can interogate the DNS query to be redirected to the VPN tunnel when our domain name is used in a DNS query. Thus, any pings I try with the FQDN of our servers in AWS are failing as they are going to the default DNS, which is the internet.
Can any one point me in the right direction on how to configure this DNS rewrite so that we can access our AWS private cloud using FQDN from our AWS domain rather than an IP address?

Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface. Try to be more restrictive than an '...ip any any' rule for outside_in connections. For instance, this is what I have for incoming VOIP (access list and nat rules):
access list rule:
access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
nat rule:
nat (inside,outside) source static server interface service voip-range voip-range
- 'server' is a network object *
- 'voip-range' is a service group range
I'd assume you can do something similar here in combination with my earlier comment:
access-list incoming extended permit tcp any any eq 5900
Can you explain your forwarding methodology a little more? I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to. Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ?

RV220W, VPN client, and Full Tunnel vs Split Tunnel capabilities

For an RV220W, which VPN client mode (of the three possibilities) supports which Tunnel mode?
This is mostly a question, and partly "in use" observations.
Background: I have been able to get all three different VPN clients to work with an RV220W, but only one of the three works in "Full Tunnel" mode (SSL VPN). And since I know one of the three -- the Cisco QuickVPN client -- will never with in that mode, do we know if an RV220W will with an IPSec client in Full Tunnel Mode?
If anyone answers yes, the next question will be vpn client and how did you configure it, client and RV220W, to make full tunnel work.
Summary of VPN modes I've gotten to work with an RV220W:
Client
Split Tunnel Works?
Full Tunnel Works?
OS?
Notes
SSL VPN
Yes
Yes
Win7/64
IE10 or IE11
QuickVPN
Yes
No
Win7/64
IPSec VPN
Yes
No
Win7/64
Shrew Soft VPN Client

I have to mark this as not a correct answer.
Reason: 0.0.0.0 will not go into either of the fields listed above, message is "Invalid IP address Please enter a value between 1 - 223 at xxx.0.0.0.".
To Michal Bruncko who posted this:
1.) 0.0.0.0 will not work in my router nor in the RV220W online emulator here, (general emulator page here), am I missing something obvious?
2.) Have you used these actual settings on your router, or did you answer in a theoretical, "this should work" way?

VPN Split Tunneling

Anyone familiar with setting up Split tunneling.
I have an Actiontec router and I'm trying to setup my work computer so it can access local network ressources and remain connected to the VPN connection to work at the same time.
My companies VPN does allow this and I have information on some settings that would need to be set but I'm not sure where and how to set them exactly.

The VPN client is set to allow split tunneling but requires me to make some changes outside of that client for it to work. I'm looking for someone who has experience with those settings. It's either in the router or in my internet settings but I can't seem to make either work with the information I have.

Split Tunnel VPN and routing public ip traffic

Hi Everyone,
I have my split tunnel vpn working well but I need to make an adjustment. We have a few systems in the "cloud" and we only allow access from our corporate WAN IP to those servers. I need to be able to access those servers via VPN connection to the office. I added that public IP subnet to my interesting traffic and the vpn client is sending the traffic across the VPN as expected. The issue is that it somehow drops out inside the firewall it seems. Almost like it doesn't know how to route that request back out to the internet using it's own default gateway. Any thoughts as to what I may be missing, here is some of the relevant code
same-security-traffic permit intra-interface
----Interesting Traffic------
access-list vpnpool standard permit 10.1.1.0 255.255.255.0
access-list vpnpool standard permit 10.31.26.0 255.255.255.0
access-list vpnpool standard permit 10.31.61.0 255.255.255.0
access-list vpnpool standard permit 10.31.3.128 255.255.255.192
access-list vpnpool standard permit 10.31.40.128 255.255.255.240
access-list vpnpool standard permit 10.31.40.64 255.255.255.192
access-list vpnpool standard permit 50.57.0.0 255.255.0.0 -- Network of cloud servers
---Natting----------
global (outside) 1 71.174.57.78
global (dmz) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 10.1.1.0 255.255.255.0
nat (qa) 1 200.200.200.0 255.255.255.0
nat (dmz) 1 10.1.11.0 255.255.255.0
nat (dmz2) 1 192.168.1.0 255.255.255.0
---Rules and Gateway-------
access-group inbound in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 71.174.57.1 1
---VPN-----
group-policy xxx-remote internal
group-policy xxx-remote attributes
wins-server value 10.1.1.5
dns-server value 10.1.1.5 10.1.1.6
vpn-idle-timeout 60
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnpool
default-domain value xxx.local
split-dns value xxxx.local
service-type remote-access
tunnel-group xxx-vpn type remote-access
tunnel-group xxx-vpn general-attributes
address-pool vpnpool
authentication-server-group (outside) RADIUS
authentication-server-group (dmz) RADIUS
default-group-policy xxx-remote
tunnel-group xxx-vpn ipsec-attributes
pre-shared-key xxxxx

That was my mistake, I am mixing up code here. The fun of switching between new and old ASA code as well as routers
Let's do it this way, this should fix the problem. Put the NAT command the way it was as follows:
nat (Outside) 1 10.1.10.0 255.255.255.0
Now we add a NAT0 for the Outside interface. You can reuse the ACL we made if you want or make a new one, your call since you have to administrate it.
no access-list VPN-NAT
access-list VPN-NAT0 permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (Outside) 0 access-list VPN-NAT0
Now, this should properly NAT the traffic going to the Internet while excluding the traffic destined for your 10.0.0.0/8 subnet using the Nat 0.
Sorry for the round about fix, but that should take care of it.

Remote Access VPN, no split tunneling, internet access. NAT translation problem

Hi everyone, I'm new to the forum. I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices. The configuration has been working without issues for the last couple years.
I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
I reviewed the new NAT rules for the VPN and found the culprit.
I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
Here are the NAT rules I have in place: (The "inactive" rule is the culprit. As soon as I enable this rule, the port forwarding hits a wall)
nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
nat (outside,outside) source dynamic VPN_Subnet interface inactive
object network obj_any
nat (inside,outside) dynamic interface
object network XXX_HTTP
nat (inside,outside) static interface service tcp www www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
Any help would be appreciated.

Try by changing the nat rule to nat (outside,outside) after-auto source dynamic VPN_Subnet interface
With Regards,
Safwan

AnyConnecy VPN and Split-tunnel ACL - Strange...

Hi,
I have ACL as follows and applied on AnyConnect VPN group as split-tunel value ACL.
access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq www
access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq https
When I connected with AnyConnect client, I can ping to 192.168.200.63 and also telnet to port 80. However I can not telnet to port 443. Strange thing is I do not see any hits on above ACL, morever I'm wondering how cam the ICMP is working and why it does not stop on this ACL..?
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x78e03140, priority=11, domain=permit, deny=true
        hits=113713, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any
When I did the packet-tracer both ICMP and http it just drop on Phase 4..as bellow, I just want to know what this ACL and where its been applied to..?
What is the correct syntax for packet-tracer command when troubleshooting AnyConnect VPN to check access inside/dmz server..?
I have used as follows:
packet-tracer input outside icmp 172.16.1.1 0 8 192.168.200.63 details
Appreciate if someone can help me out on this..
thanks

To start with it is not ideal to configure a port based split tunnel. It is not support and will give you weird results like one you are experiencing. You should use standard access-list for the split tunnel and to restrict the users to the following port use vpn filter.
As far as packet tracer is concerned for the VPN client if you use the outside interface as source it will never work the reason is the connection between the ASA and the client is of real IP address (Public) and the traffic that you are testing with is a VPN encrypted traffic your ASA's outside interface doesn't know what is 172.16.1.1, he will check it against the outside access-list and will drop it.
So in your case i would strongly recommed that use standard access-list for the split tunnel and to restrict the user to specific port use vpn filter. Following are the links to configure the same:
Allow Split Tunnel for Anyconnect:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
Configure VPN filter (Its for site to site and remote access but it works the same for Anyconnect):
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
Thanks
Jeet Kumar

How to set up Split Tunneling on ASA 5505

Good Morning,
I have an ASA 5505 with security plus licensing. I need to set up split tunneling on the ASA and not sure how. I am very new to Cisco but am learning quickly. What I want to accomplish, if possible is to send all traffic to our corporate web site (static ip address) straight out to the internet and all other traffic to go though the tunnel as normal. Basically we have a remote office that is using a local ISP to provide internet service. IF our connection at the main office goes down, we want the branch office to still be able to get to our corporate website without having to unplug cables and connect their computer directly to the local ISP modem. Any help with be greatly appriciated. Thanks in advance. Below is a copy of our current config.
ASA Version 7.2(4)
hostname TESTvpn
enable password rBtWtkaB8W1R3ub8 encrypted
passwd rBtWtkaB8W1R3ub8 encrypted
names
name 10.0.0.0 Corp_LAN
name 192.168.64.0 Corp_Voice
name 172.31.155.0 TESTvpn
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Corp_Voice
security-level 100
ip address 172.30.155.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
object-group network SunVoyager
network-object host 64.70.8.160
network-object host 64.70.8.242
object-group network Corp_Networks
network-object Corp_LAN 255.0.0.0
network-object Corp_Voice 255.255.255.0
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip TESTvpn 255.255.255.0 any
access-list inside_access_in extended permit icmp TESTvpn 255.255.255.0 any
access-list Corp_Voice_access_in extended permit ip 172.30.155.0 255.255.255.0 any
access-list Corp_Voice_access_in extended permit icmp 172.30.155.0 255.255.255.0 any
access-list VPN extended deny ip TESTvpn 255.255.255.0 object-group SunVoyager
access-list VPN extended permit ip TESTvpn 255.255.255.0 any
access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any
access-list data-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list voice-vpn extended permit ip 172.30.155.0 255.255.255.0 any
access-list all-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list all-vpn extended permit ip 172.30.155.0 255.255.255.0 any
pager lines 24
logging enable
logging buffer-size 10000
logging monitor debugging
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Corp_Voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list data-vpn
nat (inside) 1 TESTvpn 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Corp_Voice) 0 access-list voice-vpn
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Corp_Voice_access_in in interface Corp_Voice
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http TESTvpn 255.255.255.0 inside
http Corp_LAN 255.0.0.0 inside
http 65.170.136.64 255.255.255.224 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 66.170.136.65
crypto map outside_map 1 set transform-set VPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh Corp_LAN 255.0.0.0 inside
ssh TESTvpn 255.255.255.0 inside
ssh 65.170.136.64 255.255.255.224 outside
ssh timeout 20
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd option 150 ip 192.168.64.4 192.168.64.3
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 10.10.10.7 10.10.10.44 interface inside
dhcpd domain sun.ins interface inside
dhcpd enable inside
dhcpd address 172.30.155.10-172.30.155.30 Corp_Voice
dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
dhcpd domain sun.ins interface Corp_Voice
dhcpd enable Corp_Voice
username admin password kM12Q.ZBqkvh2p03 encrypted privilege 15
tunnel-group 66.170.136.65 type ipsec-l2l
tunnel-group 66.170.136.65 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:953e50e9cbc02e1b264830dab4a3f2bd
: end

So I tried to use the exclude way that you suggested. Here is my new config. It is still not working. The address I put in for the excluded list was 4.2.2.2 and when I do a trace route to it from the computer, it still goes though the vpn to the main office and out the switch at the main office and not from the local isp. Any other suggestions?
hostname TESTvpn
domain-name default.domain.invalid
enable password rBtWtkaB8W1R3ub8 encrypted
passwd rBtWtkaB8W1R3ub8 encrypted
names
name 10.0.0.0 Corp_LAN
name 192.168.64.0 Corp_Voice
name 172.31.155.0 TESTvpn
interface Vlan1
nameif inside
security-level 100
ip address 172.31.155.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Corp_Voice
security-level 100
ip address 172.30.155.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network SunVoyager
network-object host 64.70.8.160
network-object host 64.70.8.242
object-group network Corp_Networks
network-object Corp_LAN 255.0.0.0
network-object Corp_Voice 255.255.255.0
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip TESTvpn 255.255.255.0 any
access-list inside_access_in extended permit icmp TESTvpn 255.255.255.0 any
access-list Corp_Voice_access_in extended permit ip 172.30.155.0 255.255.255.0 a
ny
access-list Corp_Voice_access_in extended permit icmp 172.30.155.0 255.255.255.0
any
access-list VPN extended deny ip TESTvpn 255.255.255.0 object-group SunVoyager
access-list VPN extended permit ip TESTvpn 255.255.255.0 any
access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any
access-list data-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list voice-vpn extended permit ip 172.30.155.0 255.255.255.0 any
access-list all-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list all-vpn extended permit ip 172.30.155.0 255.255.255.0 any
access-list TEST standard permit host 4.2.2.2
pager lines 24
logging enable
logging buffer-size 10000
logging monitor debugging
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Corp_Voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list data-vpn
nat (inside) 1 TESTvpn 255.255.255.0
nat (Corp_Voice) 0 access-list voice-vpn
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Corp_Voice_access_in in interface Corp_Voice
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http TESTvpn 255.255.255.0 inside
http Corp_LAN 255.0.0.0 inside
http 65.170.136.64 255.255.255.224 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 66.170.136.65
crypto map outside_map 1 set transform-set VPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh Corp_LAN 255.0.0.0 inside
ssh TESTvpn 255.255.255.0 inside
ssh 65.170.136.64 255.255.255.224 outside
ssh timeout 20
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd option 150 ip 192.168.64.4 192.168.64.3
dhcpd address 172.31.155.10-172.31.155.30 inside
dhcpd dns 10.10.10.7 10.10.10.44 interface inside
dhcpd domain sun.ins interface inside
dhcpd enable inside
dhcpd address 172.30.155.10-172.30.155.30 Corp_Voice
dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
dhcpd domain sun.ins interface Corp_Voice
dhcpd enable Corp_Voice
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy excludespecified
split-tunnel-network-list value TEST
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not
been met or due to some specific group policy, you do not have permission to us
e any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
username admin password kM12Q.ZBqkvh2p03 encrypted privilege 15
tunnel-group 66.170.136.65 type ipsec-l2l
tunnel-group 66.170.136.65 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8b3caaecf2a0dec7334633888081c367
: end

How do split tunnelling in VPNs work?

Similar Messages

Maybe you are looking for