How to set up Split Tunneling on ASA 5505

Good Morning,
I have an ASA 5505 with security plus licensing. I need to set up split tunneling on the ASA and am not sure how. I am very new to Cisco but am learning quickly. What I want to accomplish, if possible, is to send all traffic to our corporate web site (static IP address) straight out to the internet and all other traffic to go through the tunnel as normal. Basically we have a remote office that is using a local ISP to provide internet service. If our connection at the main office goes down, we want the branch office to still be able to get to our corporate website without having to unplug cables and connect their computer directly to the local ISP modem. Any help will be greatly appreciated. Thanks in advance. Below is a copy of our current config.
ASA Version 7.2(4)
hostname TESTvpn
enable password rBtWtkaB8W1R3ub8 encrypted
passwd rBtWtkaB8W1R3ub8 encrypted
names
name 10.0.0.0 Corp_LAN
name 192.168.64.0 Corp_Voice
name 172.31.155.0 TESTvpn
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Corp_Voice
security-level 100
ip address 172.30.155.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
object-group network SunVoyager
network-object host 64.70.8.160
network-object host 64.70.8.242
object-group network Corp_Networks
network-object Corp_LAN 255.0.0.0
network-object Corp_Voice 255.255.255.0
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip TESTvpn 255.255.255.0 any
access-list inside_access_in extended permit icmp TESTvpn 255.255.255.0 any
access-list Corp_Voice_access_in extended permit ip 172.30.155.0 255.255.255.0 any
access-list Corp_Voice_access_in extended permit icmp 172.30.155.0 255.255.255.0 any
access-list VPN extended deny ip TESTvpn 255.255.255.0 object-group SunVoyager
access-list VPN extended permit ip TESTvpn 255.255.255.0 any
access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any
access-list data-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list voice-vpn extended permit ip 172.30.155.0 255.255.255.0 any
access-list all-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list all-vpn extended permit ip 172.30.155.0 255.255.255.0 any
pager lines 24
logging enable
logging buffer-size 10000
logging monitor debugging
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Corp_Voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list data-vpn
nat (inside) 1 TESTvpn 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Corp_Voice) 0 access-list voice-vpn
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Corp_Voice_access_in in interface Corp_Voice
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http TESTvpn 255.255.255.0 inside
http Corp_LAN 255.0.0.0 inside
http 65.170.136.64 255.255.255.224 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 66.170.136.65
crypto map outside_map 1 set transform-set VPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh Corp_LAN 255.0.0.0 inside
ssh TESTvpn 255.255.255.0 inside
ssh 65.170.136.64 255.255.255.224 outside
ssh timeout 20
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd option 150 ip 192.168.64.4 192.168.64.3
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 10.10.10.7 10.10.10.44 interface inside
dhcpd domain sun.ins interface inside
dhcpd enable inside
dhcpd address 172.30.155.10-172.30.155.30 Corp_Voice
dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
dhcpd domain sun.ins interface Corp_Voice
dhcpd enable Corp_Voice
username admin password kM12Q.ZBqkvh2p03 encrypted privilege 15
tunnel-group 66.170.136.65 type ipsec-l2l
tunnel-group 66.170.136.65 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:953e50e9cbc02e1b264830dab4a3f2bd
: end

So I tried to use the exclude way that you suggested. Here is my new config. It is still not working. The address I put in for the excluded list was 4.2.2.2, and when I do a trace route to it from the computer, it still goes through the VPN to the main office and out the switch at the main office and not from the local ISP. Any other suggestions?
hostname TESTvpn
domain-name default.domain.invalid
enable password rBtWtkaB8W1R3ub8 encrypted
passwd rBtWtkaB8W1R3ub8 encrypted
names
name 10.0.0.0 Corp_LAN
name 192.168.64.0 Corp_Voice
name 172.31.155.0 TESTvpn
interface Vlan1
nameif inside
security-level 100
ip address 172.31.155.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Corp_Voice
security-level 100
ip address 172.30.155.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network SunVoyager
network-object host 64.70.8.160
network-object host 64.70.8.242
object-group network Corp_Networks
network-object Corp_LAN 255.0.0.0
network-object Corp_Voice 255.255.255.0
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip TESTvpn 255.255.255.0 any
access-list inside_access_in extended permit icmp TESTvpn 255.255.255.0 any
access-list Corp_Voice_access_in extended permit ip 172.30.155.0 255.255.255.0 any
access-list Corp_Voice_access_in extended permit icmp 172.30.155.0 255.255.255.0 any
access-list VPN extended deny ip TESTvpn 255.255.255.0 object-group SunVoyager
access-list VPN extended permit ip TESTvpn 255.255.255.0 any
access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any
access-list data-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list voice-vpn extended permit ip 172.30.155.0 255.255.255.0 any
access-list all-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list all-vpn extended permit ip 172.30.155.0 255.255.255.0 any
access-list TEST standard permit host 4.2.2.2
pager lines 24
logging enable
logging buffer-size 10000
logging monitor debugging
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Corp_Voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list data-vpn
nat (inside) 1 TESTvpn 255.255.255.0
nat (Corp_Voice) 0 access-list voice-vpn
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Corp_Voice_access_in in interface Corp_Voice
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http TESTvpn 255.255.255.0 inside
http Corp_LAN 255.0.0.0 inside
http 65.170.136.64 255.255.255.224 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 66.170.136.65
crypto map outside_map 1 set transform-set VPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh Corp_LAN 255.0.0.0 inside
ssh TESTvpn 255.255.255.0 inside
ssh 65.170.136.64 255.255.255.224 outside
ssh timeout 20
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd option 150 ip 192.168.64.4 192.168.64.3
dhcpd address 172.31.155.10-172.31.155.30 inside
dhcpd dns 10.10.10.7 10.10.10.44 interface inside
dhcpd domain sun.ins interface inside
dhcpd enable inside
dhcpd address 172.30.155.10-172.30.155.30 Corp_Voice
dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
dhcpd domain sun.ins interface Corp_Voice
dhcpd enable Corp_Voice
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy excludespecified
split-tunnel-network-list value TEST
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
username admin password kM12Q.ZBqkvh2p03 encrypted privilege 15
tunnel-group 66.170.136.65 type ipsec-l2l
tunnel-group 66.170.136.65 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8b3caaecf2a0dec7334633888081c367
: end
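
Added example (not part of the original posts and not Cisco code): a small Python model of how the second posted config chooses a path for inside traffic. It assumes the site-to-site path is decided by the `nat 0` exemption ACL followed by a first-match lookup in the crypto-map ACL on the post-NAT source, and that the group-policy split-tunnel list (`TEST`) is not consulted for the `ipsec-l2l` tunnel; `OUTSIDE_IP`, the client 172.31.155.20 and the `exclude_host` helper are constructed for illustration.

```python
import ipaddress

# Constructed excerpt of the second posted config: only the lines that
# decide the path of traffic sourced from the inside (TESTvpn) network.
POSTED = """\
name 172.31.155.0 TESTvpn
object-group network SunVoyager
network-object host 64.70.8.160
network-object host 64.70.8.242
access-list VPN extended deny ip TESTvpn 255.255.255.0 object-group SunVoyager
access-list VPN extended permit ip TESTvpn 255.255.255.0 any
access-list data-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list TEST standard permit host 4.2.2.2
"""

OUTSIDE_IP = ipaddress.ip_address("203.0.113.10")  # constructed; the page uses DHCP


def parse(text):
    """Return {acl_name: [(action, src_networks, dst_networks), ...]}.

    Only extended 'ip' entries are kept; the standard ACL TEST is skipped
    because this model never consults it (assumption stated above).
    """
    names, groups, acls, group = {}, {}, {}, None

    def net(addr, mask):
        return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}")

    def spec(tok):
        # Consume one address spec: any | host A | object-group G | ADDR MASK
        head = tok.pop(0)
        if head == "any":
            return [ipaddress.ip_network("0.0.0.0/0")]
        if head == "host":
            return [net(tok.pop(0), "255.255.255.255")]
        if head == "object-group":
            return groups[tok.pop(0)]
        return [net(head, tok.pop(0))]

    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":
            names[tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "network"]:
            group = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object" and group is not None:
            group.extend(spec(tok[1:]))
        elif tok[0] == "access-list" and tok[2:3] == ["extended"] and tok[4:5] == ["ip"]:
            rest = tok[5:]
            acls.setdefault(tok[1], []).append((tok[3], spec(rest), spec(rest)))
    return acls


def first_match(rules, src, dst):
    """ACLs are evaluated top-down; the first matching entry wins."""
    for action, srcs, dsts in rules:
        if any(src in n for n in srcs) and any(dst in n for n in dsts):
            return action
    return "deny"  # implicit deny at the end of the list


def egress(acls, src, dst, crypto="VPN", nat0="data-vpn"):
    """Model: NAT decision first, then the crypto ACL on the post-NAT source."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    exempt = first_match(acls.get(nat0, []), src, dst) == "permit"
    wire_src = src if exempt else OUTSIDE_IP  # not exempt: PAT to the outside address
    if first_match(acls.get(crypto, []), wire_src, dst) == "permit":
        return "tunnel"
    return "clear, private source" if exempt else "clear, PAT"


def exclude_host(acls, host, src_net="172.31.155.0/24", names=("VPN", "data-vpn")):
    """Hypothetical change: a deny for one host placed ahead of the permits."""
    entry = ("deny", [ipaddress.ip_network(src_net)], [ipaddress.ip_network(f"{host}/32")])
    out = {name: list(rules) for name, rules in acls.items()}
    for name in names:
        out.setdefault(name, []).insert(0, entry)
    return out


ACLS = parse(POSTED)

if __name__ == "__main__":
    pc = "172.31.155.20"  # constructed inside client
    crypto_only = exclude_host(ACLS, "4.2.2.2", names=("VPN",))
    print("posted config, 4.2.2.2    :", egress(ACLS, pc, "4.2.2.2"))
    print("posted config, 64.70.8.160:", egress(ACLS, pc, "64.70.8.160"))
    print("deny in crypto ACL only   :", egress(crypto_only, pc, "4.2.2.2"))
    print("deny in both ACLs         :", egress(exclude_host(ACLS, "4.2.2.2"), pc, "4.2.2.2"))
```

In this model the hosts already denied in the `VPN` ACL (the `SunVoyager` group) land in the "clear, private source" case, because `data-vpn` still exempts them from NAT.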

Similar Messages

  • How to set switch 2900, c3550 or ASA to send traps to monitoring server

    how to set switch 2900, c3550 or ASA to send traps to BB monitoring server?
    is it just snmp-server enable etc?

    You're on the right track.
    Please refer to the following Cisco document for a detailed explanation:
    Cisco IOS SNMP Traps Supported and How to Configure Them

  • Multiple IPSEC tunnels on ASA 5505

    Configuring Multiple IPSEC tunnels on ASA 5505
    Hi,
    I need to configure 2 different types of IPSEC tunnels on my ASA 5505. The 1st one is a static ipsec tunnel already configured between HO and site A, and the 2nd one is a dynamic one to be configured between HO and site B; since site B does not have a static IP, I have to configure a dynamic ipsec vpn.
    I have the following clarifications:
    1. After configuring the dynamic ipsec, will my existing static ipsec tunnel work simultaneously?
    2. Can I apply a different crypto map on the same outside interface? If not, then what setting do I need to make this work?
    3. Do I need to create 1 more Nat0, or can I add to the existing ACL which I have already created for the previous one?
    kindly help me on this
    Thanks in advance
    Subhan Shaikh
    France Telecom

  • How to Add Cisco 861's behind ASA 5505

    I will be setting up a VPN with a client soon.  They are shipping 2 Cisco 861's that are planning to go behind our ASA 5505.  They are set up to be NATed.
    I am trying to understand what the best way to do this would be as I seem to keep running into limitations of the ASA 5505.
    Our ASA has a public IP of 2.1.2.14/30 assigned to its outside interface.
    The public IPs to be NATed to the 861's are 2.1.2.218 and 2.1.2.219/29.
    1. How can I assign this separate public IP block to the ASA? Is it even possible?
    2. If not possible, what would other options be?
    3. Would an upgraded license that allows for additional interfaces make this easier? (I would not do the NATing then, just assign the new public IP block to another interface)
    Appreciate any help or suggestions.

    Hi,
    I personally run into these situations too, and on more than one occasion the users start to run into different kinds of problems when they get additional hardware on their LAN that we don't manage.
    If you HAVE to do this as you described I would need some additional information
    What software version is your ASA?
    Do you have a Base License version of the ASA5505? You can confirm this with the "show version" command
    In the original post, do you mean that you have a small link network (/30) with the ISP and that the ISP has also provided you with a small subnet for NAT purposes (/29)
    The first thing mentioned above would be needed to confirm what NAT format to use.
    Otherwise if the following 2 are true then there should be no problem using the additional IP address range on your ASA5505 firewall.
    There are 2 ways to go.
    Option 1.
    Make sure that the ISP has routed the additional /29 network towards your ASA5505 "outside" IP address
    Now just configure the needed NAT configurations (I can naturally help with the configurations when I know the software level of the ASA). Notice that the additional public subnet doesn't need to be configured on any interface of the ASA. You can just configure NATs using those IP addresses as usual. The critical thing here is that the ISP has routed the network towards your ASA and HAS NOT configured this additional /29 subnet on their gateway as a secondary network.
    Option 2.
    Even if you have the ASA5505 at Base License you can still configure 3 interfaces on the ASA5505. The one thing to notice here is that you need to configure the "no forward interface Vlanx" to the third Vlan interface, which will prevent this third Vlan from connecting to networks behind the interface Vlanx. This however doesn't stop Vlanx from connecting to networks behind the third Vlan interface. This might provide a possibility to use the WAN side of the VPN routers on the third interface of the ASA, since then you can limit their connectivity to the "inside" Vlan and this would mean they could still connect to "outside"
    Hopefully I made any sense. Please ask more if I was unclear about something above (which might be possible)
    - Jouni

  • How Many Watts Do We Need? ASA 5505

    My ASA 5505 is getting pretty hot after a while and so I used a wattmeter to find out what's happening.
    260 watts is quite a lot if the device is running in idle mode and has no active device attached nor any config has been installed.
    What's your experience of the ASA 5505 power consumption ?
    Thanks

    The PSU says output 48V DC 2.08A, which gives me around 100 watts usage, so that would create a lot of heat if the PSU is burning off 160 watts in the AC/DC conversion. I have no measurements of my own, but I am definitely not expecting that level of power usage

  • Creating Second tunnel in asa 5505 to accept from PIX506

    One Cisco PIX at datacentre(remote) and one asa5505 and one PIX 506E at my office both are creating VPN to data centre but now i need to access asa n/w from pix n/w which are in the same LAN..

    You should be able to implement policy NAT on one or both sides to accomplish what you want to do.
    - James

  • VPN Split Tunneling

    Anyone familiar with setting up Split tunneling.
    I have an Actiontec router and I'm trying to set up my work computer so it can access local network resources and remain connected to the VPN connection to work at the same time.
    My company's VPN does allow this and I have information on some settings that would need to be set but I'm not sure where and how to set them exactly.

    The VPN client is set to allow split tunneling but requires me to make some changes outside of that client for it to work. I'm looking for someone who has experience with those settings. It's either in the router or in my internet settings but I can't seem to make either work with the information I have.

  • Unable to establish site to site vpn between asa 5505 an 5510

    Hi ALL expert
    We now plan to form a site-to-site IPSec VPN tunnel between an ASA 5505 (ASA Version 8.4) and an ASA 5510 (ASA Version 8.0) but it fails. Would you please teach me how to establish it? Any reference guide?
    Hugo

    Here are the links to the cisco config-guides:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.html
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_site2site.html
    In addition to VPN you need to look into NAT exemption:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1043541
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wpxref25608
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_rules.html#wp1232160
    And lots of examples:
    http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • CISCO ASA 5505 Split Tunnel DNS with Site to Site VPN

    I have a working configuration for Site to Site VPN between our head office and a private AWS VPC instance.
    The tunnel is active and I can ping the IP address of the remote network and connect to the remote machines using the IP address, but we need to use the FQDN and not the IP.  We have a DNS server set up in AWS for any DNS queries for the remote domain name.
    My question is whether or not the ASA 5505 supports a DNS split tunnel for Site to Site VPN and how it can be configured.
    I cannot find where I can interrogate the DNS query to be redirected to the VPN tunnel when our domain name is used in a DNS query. Thus, any pings I try with the FQDN of our servers in AWS are failing as they are going to the default DNS, which is the internet.
    Can any one point me in the right direction on how to configure this DNS rewrite so that we can access our AWS private cloud using FQDN from our AWS domain rather than an IP address?

    Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface.  Try to be more restrictive than an '...ip any any' rule for outside_in connections.  For instance, this is what I have for incoming VOIP (access list and nat rules):
    access list rule:
    access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
    nat rule:
    nat (inside,outside) source static server interface service voip-range voip-range
    - 'server' is a network object *
    - 'voip-range' is a service group range
    I'd assume you can do something similar here in combination with my earlier comment:
    access-list incoming extended permit tcp any any eq 5900
    Can you explain your forwarding methodology a little more?  I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to.  Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ?

  • RA VPN on ASA and Split Tunneling

    Hello Forum,
    I'm having an issue with RA VPN and split tunneling. Our company doesn't allow split tunneling.
    I have the following....
    ASA 5520 - ASA Version - 8.0(3)
    Group Policies defined for different groups. My test group, I thought I disabled split tunneling but they are still able to surf the net.
    For Split Tunneling Policy...
    Inherit is unchecked
    I have "Tunnel Network List Below"
    Testing_splitTunnelAcl is my acl. I have a bunch of host IPs in the list. I don't have any or 0.0.0.0 in the list.
    But they can still surf the net.
    I would like to block access to net. No hairpinning or internet u-turns.
    How do I do this?
    Any help greatly appreciated.
    Regards,

    What does your Testing_splitTunnelAcl have?
    To disable split tunneling, your Testing_splitTunnelAcl should only have this...
    access-list Testing_splitTunnelAcl standard permit any
    ...which means all traffic will be encrypted and will be sent to the ASA no matter what. If you add any IP address, only traffic destined to the IP addresses in the list will be encrypted and sent to the ASA; everything else will go to the internet from the client.
    It may be confusing but try and see what happens.

  • ASA 5520 Version 8.2(1) Split tunnel enable Process

    Hi,
    We have configured a Cisco ASA 5520 firewall as a remote VPN. Remote VPN users connect properly, but VPN users are disconnected from the internet. So we need to configure split tunnel. Please help us with how to configure split tunnel and the required parameters/fields. Thanks...

    Hi,
    The setup is usually pretty easy
    First you should create a Standard ACL that defines the networks which are found behind the VPN connection from the user's perspective. In other words, the networks that need to be tunneled.
    For example, if your LAN network was 10.0.0.0/24
    access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
    Then you would need to configure some additional things in your VPN client connections "group-policy"
    For example
    group-policy CLIENT attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SPLIT-TUNNEL
    The above would essentially handle the Split Tunnel portion of the configurations. The "split-tunnel-policy" command specifies how the network selection for the VPN is handled. It might as well be configured to specify Full Tunnel or to simply Exclude some networks. The "split-tunnel-network-list value" command tells the ASA the networks used in the Split Tunnel (the ACL we created)
    Hope this helps
    - Jouni

  • Help With split tunneling and multiple subnets behind asa

    Hello All,
    our vpn clients can no longer access internet while connected to vpn.
    I was hoping I could get an answer on here for an issue we are having. Let me explain this with as few words as possible.
    here was old network layout:
    ASA
    192.168.1.1   ---->  the rest of the internal subnet (was only subnet in network)
    now
    ASA                              3560
    192.168.254.1/24 ----->192.168.254.2/24-->192.168.1.1/24
                                                                   192.168.2.1/24
    so what we did was route from 3560 to asa  so we would be able to have multiple subnets since our asa has base license.
    Our vpn with easy connect worked with our split tunneling before and now we made the change above and it no longer works. Can someone help me out as to why it no longer works and what changes need to be made to make it work?
    Thank you.
    ciscoasa# sh run
    : Saved
    ASA Version 8.2(2)
    hostname ciscoasa
    enable password 1N7bTm05RXLnBcUc encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.254.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    ftp mode passive
    clock timezone est -5
    same-security-traffic permit intra-interface
    access-list NoNat extended permit ip any 172.16.5.0 255.255.255.0
    access-list SplitTunnel standard permit 192.168.1.0 255.255.255.0
    access-list SplitTunnel standard permit 192.168.2.0 255.255.255.0
    access-list SplitTunnel standard permit 192.168.254.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNPool 172.16.5.1-172.16.5.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NoNat
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    route inside 192.168.1.0 255.255.255.0 192.168.254.2 1
    route inside 192.168.2.0 255.255.255.0 192.168.254.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TransformSet1 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map DynamicMap1 1 set transform-set TransformSet1
    crypto map MainMap 999 ipsec-isakmp dynamic DynamicMap1
    crypto map MainMap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 64.90.182.55 source outside
    webvpn
    enable outside
    svc image disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1
    svc enable
    tunnel-group-list enable
    group-policy RenotreUsers internal
    group-policy RemoteUsers internal
    group-policy RemoteUsers attributes
    vpn-tunnel-protocol svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SplitTunnel
    tunnel-group RemoteUsers type remote-access
    tunnel-group RemoteUsers general-attributes
    address-pool VPNPool
    default-group-policy RemoteUsers
    tunnel-group RemoteUsers webvpn-attributes
    group-alias Southeast-Security-VPN enable
    tunnel-group RemoteUsers ipsec-attributes
    pre-shared-key *****

    I think it could be your NAT statement. You should try and avoid using any unless you tunnel everything. Try making this change
    no access-list NoNat extended permit ip any 172.16.5.0 255.255.255.0
    object-group network INTERNAL_NETWORKS
    description Internal Networks
    network-object 192.168.1.0 255.255.255.0
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.254.0 255.255.255.0
    access-list NoNat extended permit ip object-group INTERNAL_NETWORKS 172.16.5.0 255.255.255.0
    You may have to re-add your NAT0
    nat (inside) 0 access-list NoNat

  • Cisco 871 to Cisco ASA 5545 Site-to-Site VPN Split Tunnel not working.

    Tunnel comes up and can see and access protected traffic but cannot access web (Split Tunnel). Don't know if access problem or route issue.
    Listed below is configuration for Cisco 871, any help very much appreciated.
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2  
    crypto isakmp key test address x.x.x.x
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto map SDM_CMAP_1 1 ipsec-isakmp 
     description Tunnel to x.x.x.x
     set peer x.x.x.x
     set transform-set ESP-3DES-SHA 
     match address 100
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
     ip address 4.34.195.193 255.255.255.192
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip route-cache flow
     duplex auto
     speed auto
     crypto map SDM_CMAP_1
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
     ip address 172.200.1.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip route-cache flow
     ip tcp adjust-mss 1452
    ip route 0.0.0.0 0.0.0.0 4.34.195.193 permanent
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    logging trap debugging
    access-list 100 remark SDM_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 172.200.1.0 0.0.0.255 172.16.2.0 0.0.0.255

    I don't see any NAT configuration above. Check you can PING out to the internet (8.8.8.8 for example) from the router itself as it won't need NAT to PING from the outside interface.
    Have a look at this document on setting up NAT for your inside devices:
    http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html

  • How to set up NAT for two servers using same port with ASDM ASA 5505

    Hi there,
    We have a new installation of an ASA 5505 and are trying to get some NAT issues straightened out. Here is the scenario: On our internal network, we have two servers running Filemaker Server, a relational database server that clients connect with using port 5003. Our goal is to be able to allow users from the outside to access either of these servers as needed. I know how to set up a simple static NAT rule and matching Access rule in ASDM which would be fine for a case in which only one server using a given port is running on a network, but for simple static rules I seem to be blocked from entering a different translated port number from the original port number, which becomes a problem when two servers we need to access from the outside are running software using the same port number.
    What is the simplest way to address this need? I am guessing that I need to set up a scenario like this, where port 5004 (or any arbitrarily chosen unused port) can be used to access the second server:
    Outside user enters   FQDN:5004  and this translates to Database server # 1 as   192.168.1.40:5003
    and
    Outside user enters   FQDN:5003  and this translates to Database server # 1 as   192.168.1.38:5003
    If so, what is the easiest way to get this done? Or is there a better way to handle this scenario?
    Thanks in advance,
    James

    I would create two objects and use object NAT
    object network Obj_5004
     host 192.168.1.40
    object network Obj_5004
     nat (inside,outside) static service tcp 5003 5004
    object network Obj_5003
     host 192.168.1.38
    object network Obj_5003
     nat (inside,outside) static service tcp 5003 5003
    Of course you will need to open your outside interface for tcp ports 5003 and 5004 to make this happen

  • How does split tunnelling in VPNs work?

    How does split tunnelling in VPNs work?

    The most visible issue is where the client's default gateway goes.  In a full tunnel, it moves to the far side of the tunnel.  In the split tunnel, it stays local.  The security risk of split tunneling is that the client is providing a bridging path for outside malicious traffic to leak across the tunnel, with no influence from the far end's firewall and IDS.  The performance risk of full tunnels is that 3rd party outside traffic not terminating at the organization on the far side still has to take the tunnel, which can add latency, limit throughput, or increase packet loss.   The best designs require balancing the network layout, uplink sizing, and security posture in concert.
    -- Jim Leinweber, WI State Lab of Hygiene
