Nokia mobile VPN Client - split tunneling
Hi
I'm trying to get Nokia mobile CPN Client working with split tunneling on a Cisco firewall.
I have full access to all on my internal lan's when I make the VPN tunnel, so tunnel is up and working.
But I do not have access to anything in the internet, it tries to route internet requests through the VPN. I have set split tunneling on the Cisco firewall and it is working as intended on all other devices.
Any ideas of what I have missed?
My policy is based on the bundled Cisco_ASA_pskxauth.pol from the Nokia mobile VPN Client Policy Tool.
tsfts
Hi vgta2k:
Nokia 5530 XpressMusic is S60 5th edition phone.
http://www.forum.nokia.com/Devices/Device_specifications/5530_XpressMusic/
It runs different version of Nokia Mobile VPN client than Symbian^3. You can find the correct version at the download page:
http://europe.nokia.com/support/download-software/nokia-mobile-vpn/compatibility-and-download
Just use the device selector and pick your phone.
You can also find Nokia Mobile VPN Client nowadays at Ovi Store.
Thanks,
Ismo
Similar Messages
-
Help with Easy VPN client split tunneling.
Can someone please help me with my config for Easy VPN Client split tunneling. At the moment when the VPN is up I have NO access to the Internet from any host.
Here's what I am attempting to do. I want only certain host to route all there traffic thou the tunnel and the remaining host to use the default route.
I created an object-group and access list with the hosts I want to route thou the VPN :-
object-group network VNPCLIENTS
description HOSTS ALLOWED ACCESS TO THE VPN
host 192.168.3.204
host 192.168.3.42
host 192.168.3.44
host 192.168.3.202
host 192.168.3.43
access-list 1 remark Internet access list
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 101 remark Hosts allowed access to VPN
access-list 101 permit ip object-group VNPCLIENTS any
access-list 111 permit udp any any eq 3074
access-list 111 permit tcp any any eq 3074
access-list 111 permit udp any any eq 88
I Then applied the access list to the Virtual interface of the VPN in both directions:-
interface Virtual-Template1 type tunnel
no ip address
ip access-group 101 in
ip access-group 101 out
tunnel mode ipsec ipv4
Now when I connect to the VPN I have no access from any host to the Internet either thought the tunnel or not.
I must be doing something very wrong. Much appreciate any help.
Thanks
GordonCan someone please help me with my config for Easy VPN Client split tunneling. At the moment when the VPN is up I have NO access to the Internet from any host.
Here's what I am attempting to do. I want only certain host to route all there traffic thou the tunnel and the remaining host to use the default route.
I created an object-group and access list with the hosts I want to route thou the VPN :-
object-group network VNPCLIENTS
description HOSTS ALLOWED ACCESS TO THE VPN
host 192.168.3.204
host 192.168.3.42
host 192.168.3.44
host 192.168.3.202
host 192.168.3.43
access-list 1 remark Internet access list
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 101 remark Hosts allowed access to VPN
access-list 101 permit ip object-group VNPCLIENTS any
access-list 111 permit udp any any eq 3074
access-list 111 permit tcp any any eq 3074
access-list 111 permit udp any any eq 88
I Then applied the access list to the Virtual interface of the VPN in both directions:-
interface Virtual-Template1 type tunnel
no ip address
ip access-group 101 in
ip access-group 101 out
tunnel mode ipsec ipv4
Now when I connect to the VPN I have no access from any host to the Internet either thought the tunnel or not.
I must be doing something very wrong. Much appreciate any help.
Thanks
Gordon -
IP Phone SSL VPN and Split tunneling
Hi Team,
I went throught the following document which is very useful:
https://supportforums.cisco.com/docs/DOC-9124
The only things i'm not sure about split-tunneling point:
Group-policy must not be configured with split tunnel or split exclude. Only tunnel all is the supported tunneling policy
I could see many implementation when they used split-tunneling, like one of my customer:
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
banner value This system is only for Authorized users.
dns-server value 10.64.10.13 10.64.10.14
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value prod.mobily.lan
address-pools value SSLClientPool
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask none default anyconnect
username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
username manager-max attributes
vpn-group-policy GroupPolicy1
tunnel-group PhoneVPN type remote-access
tunnel-group PhoneVPN general-attributes
address-pool SSLClientPool
authentication-server-group AD
default-group-policy GroupPolicy1
tunnel-group PhoneVPN webvpn-attributes
group-url https://84.23.107.10 enable
ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
access-list split-tunnel remark split-tunnel network list
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
It is working for them w/o any issue.
My question would be
- is the limitation about split-tunneling still valid? If yes, why it is not recommended?
Thanks!
EvaHi,
If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password. If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided). Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server. If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
Did this answer your question? If so, please mark it Answered! -
Remote Access VPN, no split tunneling, internet access. NAT translation problem
Hi everyone, I'm new to the forum. I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices. The configuration has been working without issues for the last couple years.
I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
I reviewed the new NAT rules for the VPN and found the culprit.
I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
Here are the NAT rules I have in place: (The "inactive" rule is the culprit. As soon as I enable this rule, the port forwarding hits a wall)
nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
nat (outside,outside) source dynamic VPN_Subnet interface inactive
object network obj_any
nat (inside,outside) dynamic interface
object network XXX_HTTP
nat (inside,outside) static interface service tcp www www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
Any help would be appreciated.Try by changing the nat rule to nat (outside,outside) after-auto source dynamic VPN_Subnet interface
With Regards,
Safwan -
VM with remote access VPN without split tunneling
Hello experts,
I have customers who require to use VM in their laptop. These users also require to VPN to Corporate network to do their job. However when they do remote VPN to corporate Network (ASA VPN concentrator) from their VM host machine, they loose their access to their VM guest machines. This problem was not happening when they used cisco VPN client which has gone end of life and support as of end of July 31, 2012. In Cisco VPN client (IKEV1) if we set the protocol to udp they had no problem to keep their connectivity to VM machines while connected to corporate with remote access VPN. However this feature does not work in new Cisco VPN client which is called AnyConnect. ( NOTE: I am using IPSEC IKEV2. NO SSL at this time).
My Question to Experts:
1. Was the ability to maintain connection to VM guest machines, while connected to VPN without enabling split tunneling a security flaw in the old cisco VPN client?
2. Is there a way to maintain connectivy to VM machines installed in a computer and still connect to remote access VPN concentrator through host machine? (My question is about AnyConnect client only using IPSEC IKEV2 and I do not want to enable split tunneling)
Thanks for your help,
RaziDid you figure this out?
-
AnyConnecy VPN and Split-tunnel ACL - Strange...
Hi,
I have ACL as follows and applied on AnyConnect VPN group as split-tunel value ACL.
access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq www
access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq https
When I connected with AnyConnect client, I can ping to 192.168.200.63 and also telnet to port 80. However I can not telnet to port 443. Strange thing is I do not see any hits on above ACL, morever I'm wondering how cam the ICMP is working and why it does not stop on this ACL..?
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x78e03140, priority=11, domain=permit, deny=true
hits=113713, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
When I did the packet-tracer both ICMP and http it just drop on Phase 4..as bellow, I just want to know what this ACL and where its been applied to..?
What is the correct syntax for packet-tracer command when troubleshooting AnyConnect VPN to check access inside/dmz server..?
I have used as follows:
packet-tracer input outside icmp 172.16.1.1 0 8 192.168.200.63 details
Appreciate if someone can help me out on this..
thanksTo start with it is not ideal to configure a port based split tunnel. It is not support and will give you weird results like one you are experiencing. You should use standard access-list for the split tunnel and to restrict the users to the following port use vpn filter.
As far as packet tracer is concerned for the VPN client if you use the outside interface as source it will never work the reason is the connection between the ASA and the client is of real IP address (Public) and the traffic that you are testing with is a VPN encrypted traffic your ASA's outside interface doesn't know what is 172.16.1.1, he will check it against the outside access-list and will drop it.
So in your case i would strongly recommed that use standard access-list for the split tunnel and to restrict the user to specific port use vpn filter. Following are the links to configure the same:
Allow Split Tunnel for Anyconnect:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
Configure VPN filter (Its for site to site and remote access but it works the same for Anyconnect):
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
Thanks
Jeet Kumar -
AnyConnect SSL VPN Vista split-tunneling
I recently setup an ASA5510 with 8.0fw with the AnyConnect SSL VPN Client.
Connecting to the SSL VPN works perfectly from all the XP computers that I have tested from. No problems there. However when on Vista, split-tunneling does not seem to function properly. Everything connects and works fine, and I can get to the defined secured remote nets, however I can't access anything out my default gateway(un-secured traffic). It seems like it might be a problem with Vista security features. When I try to ping out to any outside host, I get:
PING: transmit failed, error code 1231.
I can actually ping my default gateway, but nothing gets routed past it without the above error. I've also confirmed this several Vista installations, with Administrator + UAC disabled. Anyone else?I have done the same testing, and on both Vista 32bit and 64Bit the split tunneling does not seem to work. Also I found that this is a "known" bug
From the Release Notes::
AnyConnect Split-tunneling Does Not Work on Windows Vista - AnyConnect split-tunneling works correctly with Windows XP and Windows 2000 (CSCsi82315)
I am happy that 64Bit works but will hold off on roll out until split-tunneling is fixed.
Cassidy -
Cisco 3745, VPN and Split Tunneling
I tried following the model here: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns27/networking_solutions_white_paper09186a008018914d.shtml
but after doing so, the situation was actually reversed. While connected to the vpn client you were able to browse the internet but not able to access vpn resources. I undid and redid the configuration several times to rule out keying in problems.
Can one help with this problem... If needed Ill post necessary configs from my router.. Thanks
(btw: do these froms have a search?)I am having the same problems with pix 501. With split tunnel, I get web but no lan access. Without split tunnel, full lan access, no web. My acl for the splitTunnel is:
permit ip host 192.168.1.0 any
Is this wrong? -
Is it possible to force some urls through the vpn using split tunneling?
Hi all,
just that. We have some urls accessible only from our office lan, and will be nice to allow the clients to split tunnel all but this specific urls.
Possible? Thanks in advance!Simon,
I was thinking that you were trying to reach a web server hosted on the LAN. I see now that you are trying to reach external sites that are only accessible from the LAN. I am not aware of any way to allow a partially split tunnel, if I find anything I will update.
- Marty -
Cisco AnyConnect SSL VPN no split tunnel and no hairpinning internet access
Greetings,
I am looking to configure a Cisco ASA 5515X for Cisco AnyConnect Essentials SSL VPN where ALL SSL-VPN traffic is tunneled, no split tunneling or hairpinning on the outside interface. However users require internet access. I need to route traffic out the "trusted" or "inside" interface to another device that performs content-filtering and inspection which then egresses out to the internet from there. Typically this could be done using a route-map (which ASA's do not support) or with a VRF (again, not an option on the ASA). The default route points to the outside interface toward the internet.
Is there no other method to force all my SSL-VPN traffic out the inside interface toward LAN subnets as needed and have another default route point toward the filtering device?
OR
Am I forced to put the ASA behind the filtering device somehow?Hi Jim,
You can use tunnel default route for vpn traffic:
ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled
configure mode commands/options:
<1-255> Distance metric for this route, default is 1
track Install route depending on tracked item
tunneled Enable the default tunnel gateway option, metric is set to 255
This route is applicable for only vpn traffic.
HTH,
Shetty -
Mobile VPN Client - Received an error response fro...
Hi everybody, i am trying to establish a vpn connection to SecureKISS servers.
I tried different configurations without luck.
SECURITY_FILE_VERSION: 1
[INFO]
SecurityKISS
[POLICY]
sa CISCO_ASA_PSK = {
esp
encrypt_alg 3
max_encrypt_bits 128
auth_alg 2
identity_remote 0.0.0.0/0
src_specific
hard_lifetime_bytes 0
hard_lifetime_addtime 3600
hard_lifetime_usetime 3600
soft_lifetime_bytes 0
soft_lifetime_addtime 3600
soft_lifetime_usetime 3600
replay_win_len 0
remote 0.0.0.0 0.0.0.0 = { CISCO_ASA_PSK(31.24.33.221) }
inbound = { }
outbound = { }
[IKE]
ADDR: 31.24.33.221 255.255.255.255
IKE_VERSION: 1
MODE: Aggressive
REPLAY_STATUS: FALSE
USE_MODE_CFG: TRUE
IPSEC_EXPIRE: TRUE
USE_XAUTH: TRUE
USE_COMMIT: FALSE
ESP_UDP_PORT: 0
SEND_NOTIFICATION: TRUE
INITIAL_CONTACT: TRUE
USE_INTERNAL_ADDR: FALSE
DPD_HEARTBEAT: 90
NAT_KEEPALIVE: 60
REKEYING_THRESHOLD: 90
ID_TYPE: 11
FQDN: unive
PRESHARED_KEYS:
FORMAT: STRING_FORMAT
KEY: 12 KEY-REMOVED
USE_NAT_PROBE: FALSE
PROPOSALS: 1
ENC_ALG: 3DES-CBC
AUTH_METHOD: PRE-SHARED
HASH_ALG: MD5
GROUP_DESCRIPTION: MODP_1024
GROUP_TYPE: DEFAULT
LIFETIME_KBYTES: 0
LIFETIME_SECONDS: 86400
PRF: NONE
It should ask for username and password but It doesn't happen.
In the logs there are some errors like this:
Received an error response from vpn gateway error code 29
and the last error is always like this one:
Error: Failed to activate VPN access point 'SecurityKISS', reason code -5258
that should stand for "IKE negotiation with gateway failed because there was no acceptable proposal".
So, what it's wrong in my configuration? There's someone able to help me with this configuration?
Best regards
Matteo.I moved futher with change of configuration on the router and no I get IP from virtual pool but unable to get any further as IPSEC does not negotiate.
My configuration is as following
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key aaabbb address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local vpn2
crypto isakmp client configuration group VPNCLIENTGROUP
key aaabbb
dns a.b.c.d
domain wr
pool vpn2
save-password
crypto isakmp profile VPNclient
description VPN clients profile
match identity group VPNCLIENTGROUP
match identity address 0.0.0.0
client authentication list userlist
isakmp authorization list groupauthor
client configuration address initiate
client configuration address respond
client configuration group VPNCLIENTGROUP
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto dynamic-map SDM_CMAP_1 99
set transform-set 3des
set isakmp-profile VPNclient
reverse-route
crypto map SDM_CMAP_1 99 ipsec-isakmp dynamic SDM_CMAP_1
When I run the debug on the router, I am getting IP address from the pool which actually also shows up on the phone (n85). It should that VPN is activated also on the phone followed by another message that it is deactivated. I used Nokia VPN Client policy tool to create the policy with following
IKEv1,3DES,MD5,
True = Responder lifetime, send certificate, IPsec expire, Replay status, Use mode config, Use commit bit, Xauth
False= Nat probe
IKE proposal = 3DES-CBC, MD5 -
RV220W, VPN client, and Full Tunnel vs Split Tunnel capabilities
For an RV220W, which VPN client mode (of the three possibilities) supports which Tunnel mode?
This is mostly a question, and partly "in use" observations.
Background: I have been able to get all three different VPN clients to work with an RV220W, but only one of the three works in "Full Tunnel" mode (SSL VPN). And since I know one of the three -- the Cisco QuickVPN client -- will never with in that mode, do we know if an RV220W will with an IPSec client in Full Tunnel Mode?
If anyone answers yes, the next question will be vpn client and how did you configure it, client and RV220W, to make full tunnel work.
Summary of VPN modes I've gotten to work with an RV220W:
Client
Split Tunnel Works?
Full Tunnel Works?
OS?
Notes
SSL VPN
Yes
Yes
Win7/64
IE10 or IE11
QuickVPN
Yes
No
Win7/64
IPSec VPN
Yes
No
Win7/64
Shrew Soft VPN ClientI have to mark this as not a correct answer.
Reason: 0.0.0.0 will not go into either of the fields listed above, message is "Invalid IP address Please enter a value between 1 - 223 at xxx.0.0.0.".
To Michal Bruncko who posted this:
1.) 0.0.0.0 will not work in my router nor in the RV220W online emulator here, (general emulator page here), am I missing something obvious?
2.) Have you used these actual settings on your router, or did you answer in a theoretical, "this should work" way? -
RA VPN on ASA and Split Tunneling
Hello Forum,
I'm having an issue with RA VPN and split tunneling. Our company doesn't allow split tunneling.
I have the following....
ASA 5520 - ASA Version - 8.0(3)
Group Policies defined for different groups. My test group, I thought I disabled split tunneling but they are still able to surf the net.
For Split Tunneling Policy...
Inherit is unchecked
I have "Tunnel Network List Below"
Testing_splitTunnelAcl is my acl. I have a bunch of host IPs in the list. I don't have any or 0.0.0.0 in the list.
But they can still surf the net.
I would like to block access to net. No hairpinning or internet u-turns.
How do I do this?
Any help greatly appreciated.
Regards,What does your Testing_spliTunnelAcl have?
To disable split tunneling, your Testing_spliTunnelAcl should only have this...
access-list Testing_splitTunnelAcl standard permit any
...which means all traffic will be encrypted and will be sent to ASA no matter what. If you add any IP Address, only those traffic destined to the IP Address in the list will be encrypted and send to ASA, everything else will go to internet from the client.
It may be confusing but try and see what happens. -
Hi!
I wish someone can help me on this, I'm a new guy on cisco firewalls and I'm currently implementing cisco asa 5512x, here are the details:
ISP -> Firewall -> Core switch -> Internal LAN
after installing the cisco asa and terminating the appropriate lan for the outside and inside interfaces, internet seems intermittent and cisco vpn client can connect with internet connection but can't ping internal LAN.
here's my configuration from my firewall.
ASA Version 8.6(1)2
hostname ciscofirewall
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.x.x.x 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.152.11.15 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 4.2.2.2 -------> public DNS
name-server 8.8.8.8 -------> public
name-server 203.x.x.x ----> Clients DNS
name-server 203.x.x.x -----> Clients DNS
same-security-traffic permit intra-interface
object network net_access
subnet 10.0.0.0 255.0.0.0
object network citrix_server
host 10.152.11.21
object network NETWORK_OBJ_10.10.10.0_28
subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_10.0.0.0_8
subnet 10.0.0.0 255.0.0.0
object network InterconHotel
subnet 10.152.11.0 255.255.255.0
access-list net_surf extended permit ip any any
access-list net_surf extended permit ip object NETWORK_OBJ_10.10.10.0_28 object InterconHotel
access-list outside_access extended permit tcp any object citrix_server eq www
access-list outside_access extended permit ip object NETWORK_OBJ_10.10.10.0_28 any
access-list outsidevpn_splitTunnelAcl standard permit 10.152.11.0 255.255.255.0
access-list LAN_Users remark LAN_clients
access-list LAN_Users standard permit any
access-list vpnpool extended permit ip 10.10.10.0 255.255.255.248 any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.10.10.1-10.10.10.6 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
object network net_access
nat (inside,outside) dynamic interface
object network citrix_server
nat (inside,outside) static 203.177.18.234 service tcp www www
object network NETWORK_OBJ_10.10.10.0_28
nat (any,outside) dynamic interface
object network InterconHotel
nat (inside,outside) dynamic interface dns
access-group outside_access in interface outside
access-group net_surf out interface outside
route outside 0.0.0.0 0.0.0.0 203.x.x.x 1
route outside 10.10.10.0 255.255.255.248 10.152.11.15 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.100 255.255.255.255 inside
http 10.10.10.0 255.255.255.240 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet 10.152.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
anyconnect-essentials
group-policy outsidevpn internal
group-policy outsidevpn attributes
dns-server value 203.x.x.x 203.x.x.x
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value outsidevpn_splitTunnelAcl
default-domain value interconti.com
address-pools value vpnpool
username test1 password i1lji/GiOWB67bAs encrypted privilege 5
username test1 attributes
vpn-group-policy outsidevpn
username mnlha password WlzjmENGEEZmT9LA encrypted
username mnlha attributes
vpn-group-policy outsidevpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group outsidevpn type remote-access
tunnel-group outsidevpn general-attributes
address-pool (inside) vpnpool
address-pool vpnpool
authentication-server-group (outside) LOCAL
default-group-policy outsidevpn
tunnel-group outsidevpn ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
inspect ipsec-pass-thru
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:edc30dda08e5800fc35b72dd6e1d88d7
: end
thanks. please help.I think you should change your nat-exemption rule to smth more general, like
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
'cause your inside networks are not the same as your vpn-pool subnet.
Plus, if you're trying to reach inside subnets, different from 10.152.11.0 255.255.255.0 (ip from wich subnet is assignet to your inside interface, and for wich above nat exception should be enough), you should check if routing is configured from that subnets to your vpn-pool-subnet through the ASA. -
VPN Clients getting different default gateways
Hello,
We have a new Cisco ASA 5520 and are trying to setup the VPN with split tunneling. We mostly have clients running XP and the problem is that some of the clients connect (using Cisco Anyconnect 2.5) and the split tunneling works as expected --these clients keep their default gateway-- and then some clients connect and get a default gateway of 192.168.119.1 (our VPN addresses subnet) and of course these users cannot connect to the internet while connected to the VPN.
Here is our config:
ASA Version 9.1(1)
hostname xxxxxx
names
name 178.239.80.0 Deny178.239.80.0 description 178.239.80.0
name 74.82.64.0 Deny74.82.64.0 description 74.82.64.0
name 173.247.32.0 Deny173.247.32.0 description 173.247.32.0
name 193.109.81.0 Deny193.109.81.0 description 193.109.81.0
name 204.187.87.0 Deny204.187.87.0 description 204.187.87.0
name 206.51.26.0 Deny206.51.26.0 description 206.51.26.0
name 206.53.144.0 Deny206.53.144.0 description 206.53.144.0
name 67.223.64.0 Deny67.223.64.0 description 67.223.64.0
name 93.186.16.0 Deny93.186.16.0 description 93.186.16.0
name 216.9.240.0 Deny216.9.240.0 description 216.9.240.0
name 68.171.224.0 Deny68.171.224.0 description 68.171.224.0
ip local pool PAIUSERS 192.168.119.10-192.168.119.100 mask 255.255.255.0
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 63.86.112.194 255.255.255.192
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.129.5 255.255.255.192
interface GigabitEthernet0/2
nameif dmz
security-level 10
ip address 192.168.20.10 255.255.255.0
interface GigabitEthernet0/3
nameif vpn_dmz
security-level 25
ip address 192.168.30.10 255.255.255.0
interface Management0/0
management-only
shutdown
nameif management
security-level 100
ip address 192.168.102.4 255.255.255.0
object network obj-192.168.119.0
subnet 192.168.119.0 255.255.255.0
access-list outside_access_in extended permit ip host 192.168.119.11 host 192.168.35.23
access-list outside_access_in extended permit object-group TCPUDP any4 object-group DM_INLINE_NETWORK_3 object-group UDP_TCP_Domain inactive
access-list outside_access_in extended permit udp any4 object obj-192.168.30.11 eq isakmp
access-list outside_access_in extended permit ip any4 object obj-192.168.30.11
access-list outside_access_in extended permit udp any4 object obj-192.168.30.11 object-group UDP10000
access-list outside_access_in extended permit udp any4 object-group DM_INLINE_NETWORK_7 eq domain inactive
access-list outside_access_in extended permit tcp any4 object-group DM_INLINE_NETWORK_8 eq domain inactive
access-list outside_access_in extended permit tcp host 216.81.43.190 host 192.168.35.30 eq ssh inactive
access-list outside_access_in extended permit tcp host 216.81.43.190 object obj-192.168.35.30 object-group DM_INLINE_TCP_6 inactive
access-list outside_access_in extended permit tcp any4 object-group DM_INLINE_NETWORK_9 eq www inactive
access-list outside_access_in extended permit tcp any4 object obj-192.168.30.11 eq www
access-list outside_access_in extended permit esp any4 object obj-192.168.30.11
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.41 eq www
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.41 eq https
access-list outside_access_in extended permit tcp any4 host 192.168.35.34 eq https
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.30 object-group Ports_UDpTCP
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.30 object-group DM_INLINE_TCP_7
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.30 eq ftp
access-list outside_access_in extended permit object-group TCPUDP any4 host 63.86.112.248
access-list outside_access_in extended permit udp any4 host 162.95.80.115 eq isakmp
access-list outside_access_in extended permit tcp any4 host 162.95.80.115 object-group Ports_115
access-list outside_access_in extended permit udp any4 host 162.95.80.115 object-group Ports_2746_259
access-list outside_access_in extended permit object-group TCPUDP any4 host 63.86.112.245 object-group Service_Group_245 inactive
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.40 object-group UDP_TCP_Domain
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.40 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any4 object obj-192.168.129.11 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.129.11 object-group UDP_TCP_Domain
access-list outside_access_in extended permit tcp any4 object obj-192.168.129.11 object-group Network_Service_2703_6277
access-list outside_access_in extended permit udp any4 object obj-192.168.129.11 object-group UDP_443
access-list outside_access_in extended permit ip any4 host 192.168.101.75 inactive
access-list outside_access_in extended permit tcp any4 host 64.78.239.50 eq www
access-list outside_access_in extended permit tcp any4 host 64.78.239.54 object-group TCP_4445
access-list outside_access_in extended permit icmp any4 any4
access-list outside_access_in extended permit udp any4 object obj-192.168.35.40 object-group UDP_443
access-list outside_access_in extended permit tcp any4 host 63.86.112.204 object-group DM_INLINE_TCP_5
access-list outside_access_in extended permit tcp any4 host 63.86.112.204
access-list outside_access_in extended permit udp any4 host 63.86.112.204
access-list outside_access_in extended permit object-group TCPUDP any4 host 192.168.102.12 object-group Network_Server_1194
access-list outside_access_in extended permit tcp any4 host 192.168.102.12 eq www
access-list outside_access_in extended permit tcp any4 host 192.168.102.12 eq https
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.41 object-group Network_Server_1194
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.12 eq www
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.12 object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any4 host 63.86.112.193 object-group Network_Service_TCP_1194
access-list outside_access_in extended deny tcp object Deny206.51.26.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny193.109.81.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny204.187.87.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny206.53.144.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny216.9.240.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny67.223.64.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny93.186.16.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny68.171.224.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny74.82.64.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny178.239.80.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny173.247.32.0 object obj-192.168.35.40 eq https
access-list vpn_dmz_access_in extended permit ip host 192.168.35.23 192.168.119.0 255.255.255.0
access-list vpn_dmz_access_in extended permit gre host 192.168.30.11 any4
access-list vpn_dmz_access_in extended permit tcp any4 host 23.0.214.60 eq https
access-list vpn_dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_28 any4
access-list vpn_dmz_access_in extended permit tcp any4 object obj-192.168.35.105 object-group DM_INLINE_TCP_4
access-list vpn_dmz_access_in extended permit esp any4 object obj-192.168.35.105
access-list vpn_dmz_access_in extended permit tcp any4 object obj-192.168.35.105
access-list vpn_dmz_access_in extended permit icmp any4 object obj-192.168.35.105
access-list vpn_dmz_access_in extended permit tcp any4 host 192.168.129.11
access-list vpn_dmz_access_in remark RDP
access-list vpn_dmz_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq 3389
access-list vpn_dmz_access_in extended permit icmp any4 object obj-192.168.35.23
access-list inside_nat0_outbound extended permit ip any4 192.168.119.0 255.255.255.0
access-list ftp-timeout extended permit tcp host 216.81.43.190 host 63.86.112.248
access-list ftp-timeout extended permit tcp host 63.86.112.248 host 216.81.43.190
access-list ftp-timeout extended permit tcp host 192.168.35.30 host 216.81.43.190
access-list ftp-timeout extended permit tcp host 216.81.43.190 host 192.168.35.30
access-list Split_Tunnel_List remark northwoods
access-list Split_Tunnel_List standard permit host 192.168.35.23
access-list Split_Tunnel_List remark paits2
access-list Split_Tunnel_List standard permit host 192.168.35.198
access-list Split_Tunnel_List standard deny 192.168.102.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list IS_Split_Tunnel standard permit 192.168.102.0 255.255.255.0
access-list IS_Split_Tunnel standard permit 192.168.82.0 255.255.255.0
access-list IS_Split_Tunnel standard permit 192.168.35.0 255.255.255.0
nat (inside,outside) source static object-192.168.35.0 object-192.168.35.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-192.168.82.0 obj-192.168.82.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-192.168.102.0 obj-192.168.102.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
webvpn
enable outside
enable inside
enable dmz
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect profiles pairemoteuser disk0:/pairemoteuser.xml
anyconnect enable
tunnel-group-list enable
group-policy PAIGroup internal
group-policy PAIGroup attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value PAI
group-policy PAIUSERS internal
group-policy PAIUSERS attributes
wins-server value 192.168.35.57
dns-server value 192.168.35.57
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain none
webvpn
anyconnect firewall-rule client-interface private value vpn_dmz_access_in
anyconnect profiles value pairemoteuser type user
group-policy PAIIS internal
group-policy PAIIS attributes
wins-server value 192.168.35.57
dns-server value 192.168.35.57
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IS_Split_Tunnel
default-domain none
webvpn
anyconnect firewall-rule client-interface private value vpn_dmz_access_in
anyconnect profiles value pairemoteuser type user
group-policy DfltGrpPolicy attributes
banner value Welcome to PAI
wins-server value 192.168.35.57
dns-server value 192.168.35.57
address-pools value PAIUSERS
webvpn
anyconnect firewall-rule client-interface public none
anyconnect firewall-rule client-interface private value vpn_dmz_access_in
anyconnect ask enable default anyconnect timeout 5
group-policy Anyconnect internal
: endCheck is the users fall into DfltGrpPolicy because it has no split tunneling active.
Michael
Please rate all helpful posts
Maybe you are looking for
-
SAPSQL_INVALID_FIELDNAM
Hi All, At the time of attaching the FG to the sales order we are experiencing the following error with short. <b>What happened?</b> Error in ABAP application program. The current ABAP program "SAPLV61Z" had to be terminated because one of th
-
How to code the ejbCreate() method without initailizing primary key?
Hi all, I've just started learning about EJBs, and now am at the stage of learning how to create, deploy and test a CMP Entity Bean. Ran into a problem which I'm hoping someone can help out with. I'm using SQL Server 2000 as my backend database, and
-
Copying filenames with invalid characters in OSX
I'd like to copy some folders for back up to an external hard disk from the internal hard disk on my G4. Problem is that some of the folders contain files were created in OS 9 and their filenames contain "/" symbols which apparently are not acceptabl
-
Missing java files in the mxmlc compiler svn
import flex2.compiler.mxml.Parser; import flex2.compiler.mxml.ParserConstants; import flex2.compiler.mxml.Token; import flex2.compiler.mxml.TokenManager; the files in the package flex2.compiler.mxml in the url ,the mxmlc compiler svn seems to be mis
-
CS6.5 photoshop file doesn't center on screen. How can I do this?
I have used various options under windows, tried reducing the size of the file and saving it in .jpeg instead of other formats. The image either floats off the bottom of the screen completely or leaves a peak at the top portion. I need it to center s