Nokia mobile VPN Client - split tunneling

Hi
I'm trying to get Nokia mobile CPN Client working with split tunneling on a Cisco firewall.
I have full access to all on my internal lan's when I make the VPN tunnel, so tunnel is up and working.
But I do not have access to anything in the internet, it tries to route internet requests through the VPN. I have set split tunneling on the Cisco firewall and it is working as intended on all other devices.
Any ideas of what I have missed?
My policy is based on the bundled Cisco_ASA_pskxauth.pol from the Nokia mobile VPN Client Policy Tool.
tsfts

Hi vgta2k:
Nokia 5530 XpressMusic is S60 5th edition phone.
http://www.forum.nokia.com/Devices/Device_specific​ations/5530_XpressMusic/
It runs different version of Nokia Mobile VPN client than Symbian^3. You can find the correct version at the download page:
http://europe.nokia.com/support/download-software/​nokia-mobile-vpn/compatibility-and-download
Just use the device selector and pick your phone.
You can also find Nokia Mobile VPN Client nowadays at Ovi Store.
Thanks,
Ismo

Similar Messages

  • Help with Easy VPN client split tunneling.

    Can someone please help me with my config for Easy VPN Client split tunneling. At the moment when the VPN is up I have NO access to the Internet from any host.
    Here's what I am attempting to do. I want only certain host to route all there traffic thou the tunnel and the remaining host to use the default route.
    I created an object-group and access list with the hosts I want to route thou the VPN :-
    object-group network VNPCLIENTS
    description HOSTS ALLOWED ACCESS TO THE VPN
    host 192.168.3.204
    host 192.168.3.42
    host 192.168.3.44
    host 192.168.3.202
    host 192.168.3.43
    access-list 1 remark Internet access list
    access-list 1 permit 192.168.3.0 0.0.0.255
    access-list 101 remark Hosts allowed access to VPN
    access-list 101 permit ip object-group VNPCLIENTS any
    access-list 111 permit udp any any eq 3074
    access-list 111 permit tcp any any eq 3074
    access-list 111 permit udp any any eq 88
    I Then applied the access list to the Virtual interface of the VPN in both directions:-
    interface Virtual-Template1 type tunnel
    no ip address
    ip access-group 101 in
    ip access-group 101 out
    tunnel mode ipsec ipv4
    Now when I connect to the VPN I have no access from any host to the Internet either thought the tunnel or not.
    I must be doing something very wrong. Much appreciate any help.
    Thanks
    Gordon

    Can someone please help me with my config for Easy VPN Client split tunneling. At the moment when the VPN is up I have NO access to the Internet from any host.
    Here's what I am attempting to do. I want only certain host to route all there traffic thou the tunnel and the remaining host to use the default route.
    I created an object-group and access list with the hosts I want to route thou the VPN :-
    object-group network VNPCLIENTS
    description HOSTS ALLOWED ACCESS TO THE VPN
    host 192.168.3.204
    host 192.168.3.42
    host 192.168.3.44
    host 192.168.3.202
    host 192.168.3.43
    access-list 1 remark Internet access list
    access-list 1 permit 192.168.3.0 0.0.0.255
    access-list 101 remark Hosts allowed access to VPN
    access-list 101 permit ip object-group VNPCLIENTS any
    access-list 111 permit udp any any eq 3074
    access-list 111 permit tcp any any eq 3074
    access-list 111 permit udp any any eq 88
    I Then applied the access list to the Virtual interface of the VPN in both directions:-
    interface Virtual-Template1 type tunnel
    no ip address
    ip access-group 101 in
    ip access-group 101 out
    tunnel mode ipsec ipv4
    Now when I connect to the VPN I have no access from any host to the Internet either thought the tunnel or not.
    I must be doing something very wrong. Much appreciate any help.
    Thanks
    Gordon

  • IP Phone SSL VPN and Split tunneling

    Hi Team,
    I went throught the following document which is very useful:
    https://supportforums.cisco.com/docs/DOC-9124
    The only things i'm not sure about split-tunneling point:
    Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
    I could see many implementation when they used split-tunneling, like one of my customer:
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    banner value This system is only for Authorized users.
    dns-server value 10.64.10.13 10.64.10.14
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value prod.mobily.lan
    address-pools value SSLClientPool
    webvpn
      anyconnect keep-installer installed
      anyconnect ssl rekey time 30
      anyconnect ssl rekey method ssl
      anyconnect ask none default anyconnect
    username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
    username manager-max attributes
    vpn-group-policy GroupPolicy1
    tunnel-group PhoneVPN type remote-access
    tunnel-group PhoneVPN general-attributes
    address-pool SSLClientPool
    authentication-server-group AD
    default-group-policy GroupPolicy1
    tunnel-group PhoneVPN webvpn-attributes
    group-url https://84.23.107.10 enable
    ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
    access-list split-tunnel remark split-tunnel network list
    access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
    It is working for them w/o any issue.
    My question would be
    - is the limitation about split-tunneling still valid? If yes, why it is not recommended?
    Thanks!
    Eva

    Hi,
    If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
    Did this answer your question? If so, please mark it Answered!

  • Remote Access VPN, no split tunneling, internet access. NAT translation problem

    Hi everyone, I'm new to the forum.  I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
    Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices.  The configuration has been working without issues for the last couple years.
    I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
    I reviewed the new NAT rules for the VPN and found the culprit. 
    I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
    Here are the NAT rules I have in place: (The "inactive" rule is the culprit.  As soon as I enable this rule, the port forwarding hits a wall)
    nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    nat (outside,outside) source dynamic VPN_Subnet interface inactive
    object network obj_any
    nat (inside,outside) dynamic interface
    object network XXX_HTTP
    nat (inside,outside) static interface service tcp www www
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    Any help would be appreciated.

    Try by changing the nat rule to nat (outside,outside) after-auto source dynamic VPN_Subnet interface
    With Regards,
    Safwan

  • VM with remote access VPN without split tunneling

    Hello experts,
    I have customers who require to use VM in their laptop. These users also require to VPN to Corporate network  to do their job. However when they do remote VPN to corporate Network (ASA VPN concentrator) from their VM host machine, they loose their access to their VM guest machines. This problem was not happening when they used cisco VPN client which has gone end of life and support as of end of July 31, 2012. In Cisco VPN client (IKEV1) if we set the protocol to udp they had no problem to keep their connectivity to VM machines while connected to corporate with remote access VPN. However this feature does not work in new Cisco VPN client which is called AnyConnect. ( NOTE: I am using IPSEC IKEV2. NO SSL at this time).
    My Question to Experts:
    1. Was the ability to maintain connection to VM guest machines, while connected to VPN without enabling split tunneling a security flaw in the old cisco VPN client?
    2. Is there a way to maintain connectivy to VM machines installed in a computer and still connect to remote access VPN concentrator through host machine? (My question is about AnyConnect client only using IPSEC IKEV2 and I do not want to enable split tunneling)
    Thanks for your help,
    Razi                

    Did you figure this out?

  • AnyConnecy VPN and Split-tunnel ACL - Strange...

    Hi,
    I have ACL as follows and applied on AnyConnect VPN group as split-tunel value ACL.
    access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq www
    access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq https
    When I connected with AnyConnect client, I can ping to 192.168.200.63 and also telnet to port 80. However I can not telnet to port 443. Strange thing is I do not see any hits on above ACL, morever I'm wondering how cam the ICMP is working and why it does not stop on this ACL..?
    Phase: 4
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x78e03140, priority=11, domain=permit, deny=true
            hits=113713, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
            input_ifc=outside, output_ifc=any
    When I did the packet-tracer both ICMP and http it just drop on Phase 4..as bellow, I just want to know what this ACL and where its been applied to..?
    What is the correct syntax for packet-tracer command when troubleshooting AnyConnect VPN to check access inside/dmz server..?
    I have used as follows:
    packet-tracer input outside icmp 172.16.1.1 0 8 192.168.200.63 details
    Appreciate if someone can help me out on this..
    thanks

    To start with it is not ideal to configure a port based split tunnel. It is not support and will give you weird results like one you are experiencing. You should use standard access-list for the split tunnel and to restrict the users to the following port use vpn filter.
    As far as packet tracer is concerned for the VPN client if you use the outside interface as source it will never work the reason is the connection between the ASA and the client is of real IP address (Public) and the traffic that you are testing with is a VPN encrypted traffic your ASA's outside interface doesn't know what is 172.16.1.1, he will check it against the outside access-list and will drop it.
    So in your case i would strongly recommed that use standard access-list for the split tunnel and to restrict the user to specific port use vpn filter. Following are the links to configure the same:
    Allow Split Tunnel for Anyconnect:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
    Configure VPN filter (Its for site to site and remote access but it works the same for Anyconnect):
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
    Thanks
    Jeet Kumar

  • AnyConnect SSL VPN Vista split-tunneling

    I recently setup an ASA5510 with 8.0fw with the AnyConnect SSL VPN Client.
    Connecting to the SSL VPN works perfectly from all the XP computers that I have tested from. No problems there. However when on Vista, split-tunneling does not seem to function properly. Everything connects and works fine, and I can get to the defined secured remote nets, however I can't access anything out my default gateway(un-secured traffic). It seems like it might be a problem with Vista security features. When I try to ping out to any outside host, I get:
    PING: transmit failed, error code 1231.
    I can actually ping my default gateway, but nothing gets routed past it without the above error. I've also confirmed this several Vista installations, with Administrator + UAC disabled. Anyone else?

    I have done the same testing, and on both Vista 32bit and 64Bit the split tunneling does not seem to work. Also I found that this is a "known" bug
    From the Release Notes::
    AnyConnect Split-tunneling Does Not Work on Windows Vista - AnyConnect split-tunneling works correctly with Windows XP and Windows 2000 (CSCsi82315)
    I am happy that 64Bit works but will hold off on roll out until split-tunneling is fixed.
    Cassidy

  • Cisco 3745, VPN and Split Tunneling

    I tried following the model here: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns27/networking_solutions_white_paper09186a008018914d.shtml
    but after doing so, the situation was actually reversed. While connected to the vpn client you were able to browse the internet but not able to access vpn resources. I undid and redid the configuration several times to rule out keying in problems.
    Can one help with this problem... If needed Ill post necessary configs from my router.. Thanks
    (btw: do these froms have a search?)

    I am having the same problems with pix 501. With split tunnel, I get web but no lan access. Without split tunnel, full lan access, no web. My acl for the splitTunnel is:
    permit ip host 192.168.1.0 any
    Is this wrong?

  • Is it possible to force some urls through the vpn using split tunneling?

    Hi all,
    just that. We have some urls accessible only from our office lan, and will be nice to allow the clients to split tunnel all but this specific urls.
    Possible? Thanks in advance!

    Simon,
    I was thinking that you were trying to reach a web server hosted on the LAN. I see now that you are trying to reach external sites that are only accessible from the LAN. I am not aware of any way to allow a partially split tunnel, if I find anything I will update.
    - Marty

  • Cisco AnyConnect SSL VPN no split tunnel and no hairpinning internet access

    Greetings,
    I am looking to configure a Cisco ASA 5515X for Cisco AnyConnect Essentials SSL VPN where ALL SSL-VPN traffic is tunneled, no split tunneling or hairpinning on the outside interface. However users require internet access. I need to route traffic out the "trusted" or "inside" interface to another device that performs content-filtering and inspection which then egresses out to the internet from there. Typically this could be done using a route-map (which ASA's do not support) or with a VRF (again, not an option on the ASA). The default route points to the outside interface toward the internet.
    Is there no other method to force all my SSL-VPN traffic out the inside interface toward LAN subnets as needed and have another default route point toward the filtering device?
    OR 
    Am I forced to put the ASA behind the filtering device somehow?

    Hi Jim,
    You can use tunnel default route for vpn traffic:
    ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled
    configure mode commands/options:
      <1-255>   Distance metric for this route, default is 1
      track     Install route depending on tracked item
      tunneled  Enable the default tunnel gateway option, metric is set to 255
    This route is applicable for only vpn traffic.
    HTH,
    Shetty

  • Mobile VPN Client - Received an error response fro...

    Hi everybody, i am trying to establish a vpn connection to SecureKISS servers. 
    I tried different configurations without luck.
    SECURITY_FILE_VERSION: 1
    [INFO]
    SecurityKISS
    [POLICY]
    sa CISCO_ASA_PSK = {
    esp
    encrypt_alg 3
    max_encrypt_bits 128
    auth_alg 2
    identity_remote 0.0.0.0/0
    src_specific
    hard_lifetime_bytes 0
    hard_lifetime_addtime 3600
    hard_lifetime_usetime 3600
    soft_lifetime_bytes 0
    soft_lifetime_addtime 3600
    soft_lifetime_usetime 3600
    replay_win_len 0
    remote 0.0.0.0 0.0.0.0 = { CISCO_ASA_PSK(31.24.33.221) }
    inbound = { } 
    outbound = { } 
    [IKE]
    ADDR: 31.24.33.221 255.255.255.255
    IKE_VERSION: 1
    MODE: Aggressive
    REPLAY_STATUS: FALSE
    USE_MODE_CFG: TRUE
    IPSEC_EXPIRE: TRUE
    USE_XAUTH: TRUE
    USE_COMMIT: FALSE
    ESP_UDP_PORT: 0
    SEND_NOTIFICATION: TRUE
    INITIAL_CONTACT: TRUE
    USE_INTERNAL_ADDR: FALSE
    DPD_HEARTBEAT: 90
    NAT_KEEPALIVE: 60
    REKEYING_THRESHOLD: 90
    ID_TYPE: 11
    FQDN: unive
    PRESHARED_KEYS:  
    FORMAT: STRING_FORMAT
    KEY: 12 KEY-REMOVED
    USE_NAT_PROBE: FALSE
    PROPOSALS: 1
    ENC_ALG: 3DES-CBC
    AUTH_METHOD: PRE-SHARED
    HASH_ALG: MD5
    GROUP_DESCRIPTION: MODP_1024
    GROUP_TYPE: DEFAULT
    LIFETIME_KBYTES: 0
    LIFETIME_SECONDS: 86400
    PRF: NONE
    It should ask for username and password but It doesn't happen.
    In the logs there are some errors like this:
    Received an error response from vpn gateway error code 29
    and the last error is always like this one:
    Error: Failed to activate VPN access point 'SecurityKISS', reason code -5258
    that should stand for "IKE negotiation with gateway failed because there was no acceptable proposal".
    So, what it's wrong in my configuration? There's someone able to help me with this configuration?
    Best regards
    Matteo.

    I moved futher with change of configuration on the router and no I get IP from virtual pool but unable to get any further as IPSEC does not negotiate.
    My configuration is as following
     crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key aaabbb address 0.0.0.0 0.0.0.0
    crypto isakmp client configuration address-pool local vpn2
    crypto isakmp client configuration group VPNCLIENTGROUP
     key aaabbb
     dns a.b.c.d
     domain wr
     pool vpn2
     save-password
    crypto isakmp profile VPNclient
       description VPN clients profile
       match identity group VPNCLIENTGROUP
       match identity address 0.0.0.0 
       client authentication list userlist
       isakmp authorization list groupauthor
       client configuration address initiate
       client configuration address respond
       client configuration group VPNCLIENTGROUP
    crypto ipsec transform-set 3des esp-3des esp-sha-hmac 
    crypto dynamic-map SDM_CMAP_1 99
     set transform-set 3des 
     set isakmp-profile VPNclient
     reverse-route
    crypto map SDM_CMAP_1 99 ipsec-isakmp dynamic SDM_CMAP_1
    When I run the debug on the router, I am getting IP address from the pool which actually also shows up on the phone (n85). It should that VPN is activated also on the phone followed by another message that it is deactivated. I used Nokia VPN  Client policy tool to create the policy with following
     IKEv1,3DES,MD5,
    True =  Responder lifetime, send certificate, IPsec expire, Replay status, Use mode config, Use commit bit, Xauth
    False= Nat probe 
    IKE proposal = 3DES-CBC, MD5

  • RV220W, VPN client, and Full Tunnel vs Split Tunnel capabilities

    For an RV220W, which VPN client mode (of the three possibilities) supports which Tunnel mode? 
    This is mostly a question, and partly "in use" observations.
    Background: I have been able to get all three different VPN clients to work with an RV220W, but only one of the three works in "Full Tunnel"  mode (SSL VPN). And since I know one of the three -- the Cisco QuickVPN client -- will never with in that mode, do we know if an RV220W will with an IPSec client in Full Tunnel Mode? 
    If anyone answers yes, the next question will be vpn client and how did you configure it, client and RV220W, to make full tunnel work.
    Summary of VPN modes I've gotten to work with an RV220W:
    Client
    Split Tunnel Works?
    Full Tunnel Works?
    OS?
    Notes
    SSL VPN
    Yes
    Yes
    Win7/64
    IE10 or IE11
    QuickVPN
    Yes
    No
    Win7/64
    IPSec VPN
    Yes
    No
    Win7/64
    Shrew Soft VPN Client

    I have to mark this as not a correct answer.
    Reason: 0.0.0.0 will not go into either of the fields listed above, message is "Invalid IP address Please enter a value between 1 - 223 at xxx.0.0.0.".
    To Michal Bruncko who posted this:
    1.) 0.0.0.0 will not work in my router nor in the RV220W online emulator here, (general emulator page here), am I missing something obvious?
    2.) Have you used these actual settings on your router, or did you answer in a theoretical, "this should work" way?

  • RA VPN on ASA and Split Tunneling

    Hello Forum,
    I'm having an issue with RA VPN and split tunneling. Our company doesn't allow split tunneling.
    I have the following....
    ASA 5520 - ASA Version - 8.0(3)
    Group Policies defined for different groups. My test group, I thought I disabled split tunneling but they are still able to surf the net.
    For Split Tunneling Policy...
    Inherit is unchecked
    I have "Tunnel Network List Below"
    Testing_splitTunnelAcl is my acl. I have a bunch of host IPs in the list. I don't have any or 0.0.0.0 in the list.
    But they can still surf the net.
    I would like to block access to net. No hairpinning or internet u-turns.
    How do I do this?
    Any help greatly appreciated.
    Regards,

    What does your Testing_spliTunnelAcl have?
    To disable split tunneling, your Testing_spliTunnelAcl should only have this...
    access-list Testing_splitTunnelAcl standard permit any
    ...which means all traffic will be encrypted and will be sent to ASA no matter what. If you add any IP Address, only those traffic destined to the IP Address in the list will be encrypted and send to ASA, everything else will go to internet from the client.
    It may be confusing but try and see what happens.

  • Intermittent Internet Connection and VPN clients can't ping internal LAN but connected after installating cisco ASA5512x

    Hi!
    I wish someone can help me on this, I'm a new guy on cisco firewalls and I'm currently implementing cisco asa 5512x, here are the details:
    ISP ->  Firewall -> Core switch -> Internal LAN
    after installing the cisco asa and terminating the appropriate lan for the outside and inside interfaces, internet seems intermittent and cisco vpn client can connect with internet connection but can't ping internal LAN.
    here's my configuration from my firewall.
    ASA Version 8.6(1)2
    hostname ciscofirewall
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 203.x.x.x 255.255.255.0
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 10.152.11.15 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 4.2.2.2 -------> public DNS
    name-server 8.8.8.8 -------> public
    name-server 203.x.x.x   ----> Clients DNS
    name-server 203.x.x.x  -----> Clients DNS
    same-security-traffic permit intra-interface
    object network net_access
    subnet 10.0.0.0 255.0.0.0
    object network citrix_server
    host 10.152.11.21
    object network NETWORK_OBJ_10.10.10.0_28
    subnet 10.10.10.0 255.255.255.240
    object network NETWORK_OBJ_10.0.0.0_8
    subnet 10.0.0.0 255.0.0.0
    object network InterconHotel
    subnet 10.152.11.0 255.255.255.0
    access-list net_surf extended permit ip any any
    access-list net_surf extended permit ip object NETWORK_OBJ_10.10.10.0_28 object InterconHotel
    access-list outside_access extended permit tcp any object citrix_server eq www
    access-list outside_access extended permit ip object NETWORK_OBJ_10.10.10.0_28 any
    access-list outsidevpn_splitTunnelAcl standard permit 10.152.11.0 255.255.255.0
    access-list LAN_Users remark LAN_clients
    access-list LAN_Users standard permit any
    access-list vpnpool extended permit ip 10.10.10.0 255.255.255.248 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu management 1500
    mtu outside 1500
    mtu inside 1500
    ip local pool vpnpool 10.10.10.1-10.10.10.6 mask 255.255.255.248
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
    object network net_access
    nat (inside,outside) dynamic interface
    object network citrix_server
    nat (inside,outside) static 203.177.18.234 service tcp www www
    object network NETWORK_OBJ_10.10.10.0_28
    nat (any,outside) dynamic interface
    object network InterconHotel
    nat (inside,outside) dynamic interface dns
    access-group outside_access in interface outside
    access-group net_surf out interface outside
    route outside 0.0.0.0 0.0.0.0 203.x.x.x 1
    route outside 10.10.10.0 255.255.255.248 10.152.11.15 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.0.0.100 255.255.255.255 inside
    http 10.10.10.0 255.255.255.240 outside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ikev1 enable outside
    crypto ikev1 enable inside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    telnet 10.152.11.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    enable outside
    anyconnect-essentials
    group-policy outsidevpn internal
    group-policy outsidevpn attributes
    dns-server value 203.x.x.x 203.x.x.x
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
    split-tunnel-policy tunnelall
    split-tunnel-network-list value outsidevpn_splitTunnelAcl
    default-domain value interconti.com
    address-pools value vpnpool
    username test1 password i1lji/GiOWB67bAs encrypted privilege 5
    username test1 attributes
    vpn-group-policy outsidevpn
    username mnlha password WlzjmENGEEZmT9LA encrypted
    username mnlha attributes
    vpn-group-policy outsidevpn
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    tunnel-group outsidevpn type remote-access
    tunnel-group outsidevpn general-attributes
    address-pool (inside) vpnpool
    address-pool vpnpool
    authentication-server-group (outside) LOCAL
    default-group-policy outsidevpn
    tunnel-group outsidevpn ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect http
      inspect ipsec-pass-thru
    class class-default
      user-statistics accounting
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    hpm topN enable
    Cryptochecksum:edc30dda08e5800fc35b72dd6e1d88d7
    : end
    thanks. please help.

    I think you should change your nat-exemption rule to smth more general, like
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28  NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
    'cause your inside networks are not the same as your vpn-pool subnet.
    Plus, if you're trying to reach inside subnets, different from 10.152.11.0 255.255.255.0 (ip from wich subnet is assignet to your inside interface, and for wich above nat exception should be enough), you should check if routing is configured from that subnets to your vpn-pool-subnet through the ASA.

  • VPN Clients getting different default gateways

    Hello,
         We have a new Cisco ASA 5520 and are trying to setup the VPN with split tunneling.  We mostly have clients running XP and the problem is that some of the clients connect (using Cisco Anyconnect 2.5) and the split tunneling works as expected --these clients keep their default gateway-- and then some clients connect and get a default gateway of 192.168.119.1 (our VPN addresses subnet) and of course these users cannot connect to the internet while connected to the VPN.
    Here is our config:
    ASA Version 9.1(1)
    hostname xxxxxx
    names
    name 178.239.80.0 Deny178.239.80.0 description 178.239.80.0
    name 74.82.64.0 Deny74.82.64.0 description 74.82.64.0
    name 173.247.32.0 Deny173.247.32.0 description 173.247.32.0
    name 193.109.81.0 Deny193.109.81.0 description 193.109.81.0
    name 204.187.87.0 Deny204.187.87.0 description 204.187.87.0
    name 206.51.26.0 Deny206.51.26.0 description 206.51.26.0
    name 206.53.144.0 Deny206.53.144.0 description 206.53.144.0
    name 67.223.64.0 Deny67.223.64.0 description 67.223.64.0
    name 93.186.16.0 Deny93.186.16.0 description 93.186.16.0
    name 216.9.240.0 Deny216.9.240.0 description 216.9.240.0
    name 68.171.224.0 Deny68.171.224.0 description 68.171.224.0
    ip local pool PAIUSERS 192.168.119.10-192.168.119.100 mask 255.255.255.0
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 63.86.112.194 255.255.255.192
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 192.168.129.5 255.255.255.192
    interface GigabitEthernet0/2
    nameif dmz
    security-level 10
    ip address 192.168.20.10 255.255.255.0
    interface GigabitEthernet0/3
    nameif vpn_dmz
    security-level 25
    ip address 192.168.30.10 255.255.255.0
    interface Management0/0
    management-only
    shutdown
    nameif management
    security-level 100
    ip address 192.168.102.4 255.255.255.0
    object network obj-192.168.119.0
    subnet 192.168.119.0 255.255.255.0
    access-list outside_access_in extended permit ip host 192.168.119.11 host 192.168.35.23
    access-list outside_access_in extended permit object-group TCPUDP any4 object-group DM_INLINE_NETWORK_3 object-group UDP_TCP_Domain inactive
    access-list outside_access_in extended permit udp any4 object obj-192.168.30.11 eq isakmp
    access-list outside_access_in extended permit ip any4 object obj-192.168.30.11
    access-list outside_access_in extended permit udp any4 object obj-192.168.30.11 object-group UDP10000
    access-list outside_access_in extended permit udp any4 object-group DM_INLINE_NETWORK_7 eq domain inactive
    access-list outside_access_in extended permit tcp any4 object-group DM_INLINE_NETWORK_8 eq domain inactive
    access-list outside_access_in extended permit tcp host 216.81.43.190 host 192.168.35.30 eq ssh inactive
    access-list outside_access_in extended permit tcp host 216.81.43.190 object obj-192.168.35.30 object-group DM_INLINE_TCP_6 inactive
    access-list outside_access_in extended permit tcp any4 object-group DM_INLINE_NETWORK_9 eq www inactive
    access-list outside_access_in extended permit tcp any4 object obj-192.168.30.11 eq www
    access-list outside_access_in extended permit esp any4 object obj-192.168.30.11
    access-list outside_access_in extended permit tcp any4 object obj-192.168.35.41 eq www
    access-list outside_access_in extended permit tcp any4 object obj-192.168.35.41 eq https
    access-list outside_access_in extended permit tcp any4 host 192.168.35.34 eq https
    access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.30 object-group Ports_UDpTCP
    access-list outside_access_in extended permit tcp any4 object obj-192.168.35.30 object-group DM_INLINE_TCP_7
    access-list outside_access_in extended permit tcp any4 object obj-192.168.35.30 eq ftp
    access-list outside_access_in extended permit object-group TCPUDP any4 host 63.86.112.248
    access-list outside_access_in extended permit udp any4 host 162.95.80.115 eq isakmp
    access-list outside_access_in extended permit tcp any4 host 162.95.80.115 object-group Ports_115
    access-list outside_access_in extended permit udp any4 host 162.95.80.115 object-group Ports_2746_259
    access-list outside_access_in extended permit object-group TCPUDP any4 host 63.86.112.245 object-group Service_Group_245 inactive
    access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.40 object-group UDP_TCP_Domain
    access-list outside_access_in extended permit tcp any4 object obj-192.168.35.40 object-group DM_INLINE_TCP_2
    access-list outside_access_in extended permit tcp any4 object obj-192.168.129.11 object-group DM_INLINE_TCP_1
    access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.129.11 object-group UDP_TCP_Domain
    access-list outside_access_in extended permit tcp any4 object obj-192.168.129.11 object-group Network_Service_2703_6277
    access-list outside_access_in extended permit udp any4 object obj-192.168.129.11 object-group UDP_443
    access-list outside_access_in extended permit ip any4 host 192.168.101.75 inactive
    access-list outside_access_in extended permit tcp any4 host 64.78.239.50 eq www
    access-list outside_access_in extended permit tcp any4 host 64.78.239.54 object-group TCP_4445
    access-list outside_access_in extended permit icmp any4 any4
    access-list outside_access_in extended permit udp any4 object obj-192.168.35.40 object-group UDP_443
    access-list outside_access_in extended permit tcp any4 host 63.86.112.204 object-group DM_INLINE_TCP_5
    access-list outside_access_in extended permit tcp any4 host 63.86.112.204
    access-list outside_access_in extended permit udp any4 host 63.86.112.204
    access-list outside_access_in extended permit object-group TCPUDP any4 host 192.168.102.12 object-group Network_Server_1194
    access-list outside_access_in extended permit tcp any4 host 192.168.102.12 eq www
    access-list outside_access_in extended permit tcp any4 host 192.168.102.12 eq https
    access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.41 object-group Network_Server_1194
    access-list outside_access_in extended permit tcp any4 object obj-192.168.35.12 eq www
    access-list outside_access_in extended permit tcp any4 object obj-192.168.35.12 object-group DM_INLINE_TCP_3
    access-list outside_access_in extended permit tcp any4 host 63.86.112.193 object-group Network_Service_TCP_1194
    access-list outside_access_in extended deny tcp object Deny206.51.26.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny193.109.81.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny204.187.87.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny206.53.144.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny216.9.240.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny67.223.64.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny93.186.16.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny68.171.224.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny74.82.64.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny178.239.80.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny173.247.32.0 object obj-192.168.35.40 eq https
    access-list vpn_dmz_access_in extended permit ip host 192.168.35.23 192.168.119.0 255.255.255.0
    access-list vpn_dmz_access_in extended permit gre host 192.168.30.11 any4
    access-list vpn_dmz_access_in extended permit tcp any4 host 23.0.214.60 eq https
    access-list vpn_dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_28 any4
    access-list vpn_dmz_access_in extended permit tcp any4 object obj-192.168.35.105 object-group DM_INLINE_TCP_4
    access-list vpn_dmz_access_in extended permit esp any4 object obj-192.168.35.105
    access-list vpn_dmz_access_in extended permit tcp any4 object obj-192.168.35.105
    access-list vpn_dmz_access_in extended permit icmp any4 object obj-192.168.35.105
    access-list vpn_dmz_access_in extended permit tcp any4 host 192.168.129.11
    access-list vpn_dmz_access_in remark RDP
    access-list vpn_dmz_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq 3389
    access-list vpn_dmz_access_in extended permit icmp any4 object obj-192.168.35.23
    access-list inside_nat0_outbound extended permit ip any4 192.168.119.0 255.255.255.0
    access-list ftp-timeout extended permit tcp host 216.81.43.190 host 63.86.112.248
    access-list ftp-timeout extended permit tcp host 63.86.112.248 host 216.81.43.190
    access-list ftp-timeout extended permit tcp host 192.168.35.30 host 216.81.43.190
    access-list ftp-timeout extended permit tcp host 216.81.43.190 host 192.168.35.30
    access-list Split_Tunnel_List remark northwoods
    access-list Split_Tunnel_List standard permit host 192.168.35.23
    access-list Split_Tunnel_List remark paits2
    access-list Split_Tunnel_List standard permit host 192.168.35.198
    access-list Split_Tunnel_List standard deny 192.168.102.0 255.255.255.0
    access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
    access-list IS_Split_Tunnel standard permit 192.168.102.0 255.255.255.0
    access-list IS_Split_Tunnel standard permit 192.168.82.0 255.255.255.0
    access-list IS_Split_Tunnel standard permit 192.168.35.0 255.255.255.0
    nat (inside,outside) source static object-192.168.35.0 object-192.168.35.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
    nat (inside,outside) source static obj-192.168.82.0 obj-192.168.82.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
    nat (inside,outside) source static obj-192.168.102.0 obj-192.168.102.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
    webvpn
    enable outside
    enable inside
    enable dmz
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
    anyconnect profiles pairemoteuser disk0:/pairemoteuser.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy PAIGroup internal
    group-policy PAIGroup attributes
    vpn-tunnel-protocol ssl-clientless
    webvpn
      url-list value PAI
    group-policy PAIUSERS internal
    group-policy PAIUSERS attributes
    wins-server value 192.168.35.57
    dns-server value 192.168.35.57
    vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Split_Tunnel_List
    default-domain none
    webvpn
      anyconnect firewall-rule client-interface private value vpn_dmz_access_in
      anyconnect profiles value pairemoteuser type user
    group-policy PAIIS internal
    group-policy PAIIS attributes
    wins-server value 192.168.35.57
    dns-server value 192.168.35.57
    vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value IS_Split_Tunnel
    default-domain none
    webvpn
      anyconnect firewall-rule client-interface private value vpn_dmz_access_in
      anyconnect profiles value pairemoteuser type user
    group-policy DfltGrpPolicy attributes
    banner value Welcome to PAI
    wins-server value 192.168.35.57
    dns-server value 192.168.35.57
    address-pools value PAIUSERS
    webvpn
      anyconnect firewall-rule client-interface public none
      anyconnect firewall-rule client-interface private value vpn_dmz_access_in
      anyconnect ask enable default anyconnect timeout 5
    group-policy Anyconnect internal
    : end

    Check is the users fall into DfltGrpPolicy because it has no split tunneling active.
    Michael
    Please rate all helpful posts

Maybe you are looking for

  • SAPSQL_INVALID_FIELDNAM

    Hi All, At the time of attaching the FG to the sales order we are experiencing the following error with short. <b>What happened?</b>     Error in ABAP application program.     The current ABAP program "SAPLV61Z" had to be terminated because one of th

  • How to code the ejbCreate() method without initailizing primary key?

    Hi all, I've just started learning about EJBs, and now am at the stage of learning how to create, deploy and test a CMP Entity Bean. Ran into a problem which I'm hoping someone can help out with. I'm using SQL Server 2000 as my backend database, and

  • Copying filenames with invalid characters in OSX

    I'd like to copy some folders for back up to an external hard disk from the internal hard disk on my G4. Problem is that some of the folders contain files were created in OS 9 and their filenames contain "/" symbols which apparently are not acceptabl

  • Missing java files in the mxmlc compiler svn

    import flex2.compiler.mxml.Parser; import flex2.compiler.mxml.ParserConstants; import flex2.compiler.mxml.Token; import flex2.compiler.mxml.TokenManager; the files in the package flex2.compiler.mxml  in the url ,the mxmlc compiler svn seems to be mis

  • CS6.5 photoshop file doesn't center on screen. How can I do this?

    I have used various options under windows, tried reducing the size of the file and saving it in .jpeg instead of other formats. The image either floats off the bottom of the screen completely or leaves a peak at the top portion. I need it to center s