IP Phone SSL VPN and Split tunneling

Similar Messages

• Cisco AnyConnect SSL VPN no split tunnel and no hairpinning internet access

  Greetings,
  I am looking to configure a Cisco ASA 5515X for Cisco AnyConnect Essentials SSL VPN where ALL SSL-VPN traffic is tunneled, no split tunneling or hairpinning on the outside interface. However users require internet access. I need to route traffic out the "trusted" or "inside" interface to another device that performs content-filtering and inspection which then egresses out to the internet from there. Typically this could be done using a route-map (which ASA's do not support) or with a VRF (again, not an option on the ASA). The default route points to the outside interface toward the internet.
  Is there no other method to force all my SSL-VPN traffic out the inside interface toward LAN subnets as needed and have another default route point toward the filtering device?
  OR 
  Am I forced to put the ASA behind the filtering device somehow?

  Hi Jim,
  You can use tunnel default route for vpn traffic:
  ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled
  configure mode commands/options:
    <1-255>   Distance metric for this route, default is 1
    track     Install route depending on tracked item
    tunneled  Enable the default tunnel gateway option, metric is set to 255
  This route is applicable for only vpn traffic.
  HTH,
  Shetty

• AnyConnect SSL VPN Vista split-tunneling

  I recently setup an ASA5510 with 8.0fw with the AnyConnect SSL VPN Client.
  Connecting to the SSL VPN works perfectly from all the XP computers that I have tested from. No problems there. However when on Vista, split-tunneling does not seem to function properly. Everything connects and works fine, and I can get to the defined secured remote nets, however I can't access anything out my default gateway(un-secured traffic). It seems like it might be a problem with Vista security features. When I try to ping out to any outside host, I get:
  PING: transmit failed, error code 1231.
  I can actually ping my default gateway, but nothing gets routed past it without the above error. I've also confirmed this several Vista installations, with Administrator + UAC disabled. Anyone else?

  I have done the same testing, and on both Vista 32bit and 64Bit the split tunneling does not seem to work. Also I found that this is a "known" bug
  From the Release Notes::
  AnyConnect Split-tunneling Does Not Work on Windows Vista - AnyConnect split-tunneling works correctly with Windows XP and Windows 2000 (CSCsi82315)
  I am happy that 64Bit works but will hold off on roll out until split-tunneling is fixed.
  Cassidy

• AnyConnecy VPN and Split-tunnel ACL - Strange...

  Hi,
  I have ACL as follows and applied on AnyConnect VPN group as split-tunel value ACL.
  access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq www
  access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq https
  When I connected with AnyConnect client, I can ping to 192.168.200.63 and also telnet to port 80. However I can not telnet to port 443. Strange thing is I do not see any hits on above ACL, morever I'm wondering how cam the ICMP is working and why it does not stop on this ACL..?
  Phase: 4
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x78e03140, priority=11, domain=permit, deny=true
          hits=113713, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
          input_ifc=outside, output_ifc=any
  When I did the packet-tracer both ICMP and http it just drop on Phase 4..as bellow, I just want to know what this ACL and where its been applied to..?
  What is the correct syntax for packet-tracer command when troubleshooting AnyConnect VPN to check access inside/dmz server..?
  I have used as follows:
  packet-tracer input outside icmp 172.16.1.1 0 8 192.168.200.63 details
  Appreciate if someone can help me out on this..
  thanks

  To start with it is not ideal to configure a port based split tunnel. It is not support and will give you weird results like one you are experiencing. You should use standard access-list for the split tunnel and to restrict the users to the following port use vpn filter.
  As far as packet tracer is concerned for the VPN client if you use the outside interface as source it will never work the reason is the connection between the ASA and the client is of real IP address (Public) and the traffic that you are testing with is a VPN encrypted traffic your ASA's outside interface doesn't know what is 172.16.1.1, he will check it against the outside access-list and will drop it.
  So in your case i would strongly recommed that use standard access-list for the split tunnel and to restrict the user to specific port use vpn filter. Following are the links to configure the same:
  Allow Split Tunnel for Anyconnect:
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
  Configure VPN filter (Its for site to site and remote access but it works the same for Anyconnect):
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
  Thanks
  Jeet Kumar

• Cisco 3745, VPN and Split Tunneling

  I tried following the model here: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns27/networking_solutions_white_paper09186a008018914d.shtml
  but after doing so, the situation was actually reversed. While connected to the vpn client you were able to browse the internet but not able to access vpn resources. I undid and redid the configuration several times to rule out keying in problems.
  Can one help with this problem... If needed Ill post necessary configs from my router.. Thanks
  (btw: do these froms have a search?)

  I am having the same problems with pix 501. With split tunnel, I get web but no lan access. Without split tunnel, full lan access, no web. My acl for the splitTunnel is:
  permit ip host 192.168.1.0 any
  Is this wrong?

• RA VPN on ASA and Split Tunneling

  Hello Forum,
  I'm having an issue with RA VPN and split tunneling. Our company doesn't allow split tunneling.
  I have the following....
  ASA 5520 - ASA Version - 8.0(3)
  Group Policies defined for different groups. My test group, I thought I disabled split tunneling but they are still able to surf the net.
  For Split Tunneling Policy...
  Inherit is unchecked
  I have "Tunnel Network List Below"
  Testing_splitTunnelAcl is my acl. I have a bunch of host IPs in the list. I don't have any or 0.0.0.0 in the list.
  But they can still surf the net.
  I would like to block access to net. No hairpinning or internet u-turns.
  How do I do this?
  Any help greatly appreciated.
  Regards,

  What does your Testing_spliTunnelAcl have?
  To disable split tunneling, your Testing_spliTunnelAcl should only have this...
  access-list Testing_splitTunnelAcl standard permit any
  ...which means all traffic will be encrypted and will be sent to ASA no matter what. If you add any IP Address, only those traffic destined to the IP Address in the list will be encrypted and send to ASA, everything else will go to internet from the client.
  It may be confusing but try and see what happens.

• Remote Access VPN, no split tunneling, internet access. NAT translation problem

  Hi everyone, I'm new to the forum.  I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
  Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices.  The configuration has been working without issues for the last couple years.
  I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
  I reviewed the new NAT rules for the VPN and found the culprit. 
  I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
  Here are the NAT rules I have in place: (The "inactive" rule is the culprit.  As soon as I enable this rule, the port forwarding hits a wall)
  nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
  nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
  nat (outside,outside) source dynamic VPN_Subnet interface inactive
  object network obj_any
  nat (inside,outside) dynamic interface
  object network XXX_HTTP
  nat (inside,outside) static interface service tcp www www
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
  Any help would be appreciated.

  Try by changing the nat rule to nat (outside,outside) after-auto source dynamic VPN_Subnet interface
  With Regards,
  Safwan

• Help with Easy VPN client split tunneling.

  Can someone please help me with my config for Easy VPN Client split tunneling. At the moment when the VPN is up I have NO access to the Internet from any host.
  Here's what I am attempting to do. I want only certain host to route all there traffic thou the tunnel and the remaining host to use the default route.
  I created an object-group and access list with the hosts I want to route thou the VPN :-
  object-group network VNPCLIENTS
  description HOSTS ALLOWED ACCESS TO THE VPN
  host 192.168.3.204
  host 192.168.3.42
  host 192.168.3.44
  host 192.168.3.202
  host 192.168.3.43
  access-list 1 remark Internet access list
  access-list 1 permit 192.168.3.0 0.0.0.255
  access-list 101 remark Hosts allowed access to VPN
  access-list 101 permit ip object-group VNPCLIENTS any
  access-list 111 permit udp any any eq 3074
  access-list 111 permit tcp any any eq 3074
  access-list 111 permit udp any any eq 88
  I Then applied the access list to the Virtual interface of the VPN in both directions:-
  interface Virtual-Template1 type tunnel
  no ip address
  ip access-group 101 in
  ip access-group 101 out
  tunnel mode ipsec ipv4
  Now when I connect to the VPN I have no access from any host to the Internet either thought the tunnel or not.
  I must be doing something very wrong. Much appreciate any help.
  Thanks
  Gordon

  Can someone please help me with my config for Easy VPN Client split tunneling. At the moment when the VPN is up I have NO access to the Internet from any host.
  Here's what I am attempting to do. I want only certain host to route all there traffic thou the tunnel and the remaining host to use the default route.
  I created an object-group and access list with the hosts I want to route thou the VPN :-
  object-group network VNPCLIENTS
  description HOSTS ALLOWED ACCESS TO THE VPN
  host 192.168.3.204
  host 192.168.3.42
  host 192.168.3.44
  host 192.168.3.202
  host 192.168.3.43
  access-list 1 remark Internet access list
  access-list 1 permit 192.168.3.0 0.0.0.255
  access-list 101 remark Hosts allowed access to VPN
  access-list 101 permit ip object-group VNPCLIENTS any
  access-list 111 permit udp any any eq 3074
  access-list 111 permit tcp any any eq 3074
  access-list 111 permit udp any any eq 88
  I Then applied the access list to the Virtual interface of the VPN in both directions:-
  interface Virtual-Template1 type tunnel
  no ip address
  ip access-group 101 in
  ip access-group 101 out
  tunnel mode ipsec ipv4
  Now when I connect to the VPN I have no access from any host to the Internet either thought the tunnel or not.
  I must be doing something very wrong. Much appreciate any help.
  Thanks
  Gordon

• IP Phone SSL VPN through ASA

  Im in the middle of configuring Ip Phone SSL VPN through ASA, got stuck on authentication.. When I enter username and password on the phone screen, i get "Username and password failed" message on the screen. However, in ASA logs I see the following line
  Feb 16 2011    15:12:57    725002    85.132.43.67    52684            Device completed SSL handshake with client vpn:85.132.*.*/52684
  Feb 16 2011    15:17:26    725007    85.132.43.67    52745            SSL session with client vpn:85.132.*.*/52745 terminated.
  What does it mean?  How can I turn on debugging to see what is going on?
  Thank you in advance!

  Hi,
  If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
  Did this answer your question? If so, please mark it Answered!

• IP Phone SSL VPN to ASA using AnyConnect

  I have a CUCM 7.1.5. We are using Phone proxy today. I wanted to upgrade to IP phone SSL VPN.
  I know in 8.x and 9.x the Proxy phone is not supported and Cisco supports SSL VPN.
  However, The question is: if CUCM 7.1.5 supports Phone SSL VPN.
  Lastly,
  I hear about Collaboration Edge in CUCM 10.x
  If CUCM 10.x is deployed then how the ASA concept plays a role here.
  What type of license I would need for Collaboration Edge to register the endpoints\phones from outside of network. 
  I cant find any information about the Colaboration Edge on the Internet...
  Message was edited by: Sean Poure

  The embargo/NDA is being lifted. The ASA is not involved. Here's the jump page with info:
  http://www.cisco.com/en/US/netsol/ns1246/index.html
  PS- Jason could have found out details in advance since DiData has partner NDA status.
  Please remember to rate helpful responses and identify helpful or correct answers.

• SSL VPN Full and Split Tunnel Config Question

  I am Beta testing SSLVPN on an IOS router. The question I have is this:
  Is it possiable to have slit and full tunnel configs. It seems that once you create your context and default profile that is all you have either split or full. The books say you can use Radius and assign different profiles but, I would like to give the users a choice (like in the VPN3000 .pcf) of either split or full depending on where they are working from.

  The below is an example using the ASA - but the principle remains the same:-
  http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a0080975e83.shtml
  HTH>

• SonicWall Global VPN Client and Split tunneling

  Hello All,
  I searched Google and the forums here and can't find someone with the same problem.
  Lets start at the beginning-Just started this job a couple months ago and people brought to my attention immediately an issue while they were on the VPN they could not get to the internet.  I know about the different security risks but we have multiple field reps that need internet access while using our CRM program.  So I setup Split Tunneling on the Sonicwall. Tested and works fine on my home PC using a WRT54GS Ver 2.1 and the SonicWall Global VPN Client.
  So I was sure everything was fine until I just sent out 2 laptops to 2 different sales reps and they are both having the same issue.  They can get into the internal network but can't access the internet.  They are both on WRT54G (different Vers.).  I tested the VPN client on both laptops with tethering on my cell phone and the split tunneling works. I have tried updating firmware thinking that was the issue.  I also tried to put their home network on a different subnet.  All with no joy.  I was wondering if anyone ever ran into something like this or have any clues what to try next. 
  -Thank You in advance for your time.
  Message Edited by Chris_F on 01-11-2010 07:41 AM
  Chris F.
  CCENT, CCNA, CCNA Sec

  Of course, you do as you are told. But I hope you keep written record of what you have been told and have it signed of whoever told you to set it up. It's essential that you stay on the safe side in these matters.
  I have read of too many cases where the system/security admin did not do so and in the end was held responsible for security incidents simply because he was told to do something to jeopardize security of the network. Remember, that usually the person who tells you do to so has no idea about the full security implication of a decision.
  Thus, I highly recommend to require your road staff to connect with no split tunneling. Refuse to do otherwise unless you have it in writing and you won't be held reliable in any way if something happens because of it.
  Just think what happens if the whole customer database gets stolen because of one of the remote sales reps... There is a reason why you apply this web site blocking on your firewalls and there is absolutely no reason that would justify why your remote sale reps don't go through the very same firewall while accessing company-sensitive data in your CRM.
  So put that straight with whoever told you to do otherwise and if you they still want to continue anyway get it in writing. Once you ask for the statement in writing many decision-makers come to their senses and let you do your job at the best you can and for what you were hired... And if not, well, at least you got rid of the responsibility in that aspect.

• Issues with basic VPN setup and split tunneling

  I have created an SSL VPN to a CISCO ASA 8.6 running ASDM 6.6.
  Im able to connect to the VPN and reach all the devices with the LAN but  Im not able to browse the web. When I enable the split tunnel Im able  to browse the web but then Im not able to reach any internal device.
  Here is part of the show run:
  object network RedInterna
  subnet 150.211.101.0 255.255.255.0
  description Red Interna
  object network NETWORK_OBJ_10.4.1.0_28
  subnet 10.4.1.0 255.255.255.240
  access-list inside_access_in extended permit ip object RedInterna any
  access-list VPN_INTERNET standard permit 150.211.101.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu management 1500
  ip local pool VPN_POOL 10.4.1.1-10.4.1.14 mask 255.255.255.240
  failover
  failover lan unit secondary
  failover lan interface fail-1 GigabitEthernet0/2
  failover key *****
  failover interface ip fail-1 10.3.1.21 255.255.255.252 standby 10.3.1.22
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-66114.bin
  asdm history enable
  arp timeout 14400
  nat (inside,outside) source static any any destination static  NETWORK_OBJ_10.4.1.0_28 NETWORK_OBJ_10.4.1.0_28 no-proxy-arp  route-lookup
  nat (inside,outside) after-auto source dynamic any interface
  access-group inside_access_in in interface inside
  route outside 0.0.0.0 0.0.0.0 187.217.68.145 1
  route inside 10.0.0.0 255.0.0.0 10.1.1.78 1
  route inside 150.211.0.0 255.255.0.0 10.1.1.78 1
  webvpn
  enable outside
  anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
  anyconnect enable
  tunnel-group-list enable
  group-policy GroupPolicy_VPN_ internal
  group-policy GroupPolicy_VPN_ attributes
  wins-server none
  dns-server value 8.8.8.8
  vpn-tunnel-protocol ssl-client
  default-domain value dominio.com.mx
  tunnel-group VPN_ type remote-access
  tunnel-group VPN_ general-attributes
  address-pool VPN_POOL
  default-group-policy GroupPolicy_VPN_
  tunnel-group VPN_ webvpn-attributes
  group-alias VPN_ enable
  I´m not sure if Im missing some small details or setup. Any help will be highly appreciated.
  Thanks!!!

  Hi,
  When you are using Full Tunnel VPN (which is the default setting) you will have a couple of things that you need to configure on the ASA.
  First, the ASA by default won't allow traffic to enter through an interface and then leave through that same interface. This is what essentially happens when the traffic from the VPN Client comes to the ASA and then heads out to the Internet.  In your case the traffic comes through the "outside" and leaves through the "outside" interface.
  You will need this command
  same-security-traffic permit intra-interface
  You can check if its enabled at the moment with the command
  show run same-security-traffic
  Second, the VPN users will need to have NAT configuration just like any LAN users behind the actual ASA. So you will essentially have to configure Dynamic PAT for traffic from "outside" to "outside"
  You can accomplish that with the following configuration
  object network VPN-PAT
  subnet 10.4.1.0 255.255.255.240
  nat (outside,outside) dynamic interface
  I would imagine that this should do it for you to be able to connect to the Internet and to the LAN network when the VPN is active.
  Hope this helps
  Let me know how it goes.
  - Jouni

• Ssl vpn and soft phone

  Does the ASA or IOS support an SSL VPN that includes the Cisco softphone like it does say RDP, SSH, etc?  I'm trying to determine if I can have a user connect a soft phone to our parent company's SSL VPN so they can use their Cisco phone system, while simultaneously having a remote access vpn tunnel to our division's data network.  In short, our employees need to use phones that don't exist on our network while having access to our data network.  I've been able to test having an SSL vpn session open at the same time as an IPSec remote access session, but the softphone is not an option in my current code of 8.4 on the ASA.  I thought I heard it might be available in 9.0.  It seems like it would work in reverse, i.e. having my users connect to my SSL VPN to use my data network and then IPSec to our parent company for the client's locally installed soft phone, but that's not an option for me.  The link below seems to suggest it's possible in IOS at least, but I haven't been able to find any details beyond the sales pitch it offers.
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_securing_voice_traffic_with_cisco_ios_ssl_vpn.html
  thank you

  Following links may help you
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008072462a.shtml

• Jabber client and IP Phone SSL VPN to ASA using AnyConnect

  Also for Jabber 9.1 can the Jabber for X softphone client (CUCM) can fireup a SSL VPN direct to ASA, similar to how 7965s can? Anyone aware if Jabber 10 or next version will support Jabber client with ASA? I have this delpoyed with 7965s and certificates but I have to manually start a AnyConnect session for Jabber for Windows on my laptop.
  https://supportforums.cisco.com/docs/DOC-9124

  The embargo/NDA is being lifted. The ASA is not involved. Here's the jump page with info:
  http://www.cisco.com/en/US/netsol/ns1246/index.html
  PS- Jason could have found out details in advance since DiData has partner NDA status.
  Please remember to rate helpful responses and identify helpful or correct answers.