Remote Access VPN, no split tunneling, internet access. NAT translation problem

Similar Messages

• VM with remote access VPN without split tunneling

  Hello experts,
  I have customers who require to use VM in their laptop. These users also require to VPN to Corporate network  to do their job. However when they do remote VPN to corporate Network (ASA VPN concentrator) from their VM host machine, they loose their access to their VM guest machines. This problem was not happening when they used cisco VPN client which has gone end of life and support as of end of July 31, 2012. In Cisco VPN client (IKEV1) if we set the protocol to udp they had no problem to keep their connectivity to VM machines while connected to corporate with remote access VPN. However this feature does not work in new Cisco VPN client which is called AnyConnect. ( NOTE: I am using IPSEC IKEV2. NO SSL at this time).
  My Question to Experts:
  1. Was the ability to maintain connection to VM guest machines, while connected to VPN without enabling split tunneling a security flaw in the old cisco VPN client?
  2. Is there a way to maintain connectivy to VM machines installed in a computer and still connect to remote access VPN concentrator through host machine? (My question is about AnyConnect client only using IPSEC IKEV2 and I do not want to enable split tunneling)
  Thanks for your help,
  Razi                

  Did you figure this out?

• Help with Easy VPN client split tunneling.

  Can someone please help me with my config for Easy VPN Client split tunneling. At the moment when the VPN is up I have NO access to the Internet from any host.
  Here's what I am attempting to do. I want only certain host to route all there traffic thou the tunnel and the remaining host to use the default route.
  I created an object-group and access list with the hosts I want to route thou the VPN :-
  object-group network VNPCLIENTS
  description HOSTS ALLOWED ACCESS TO THE VPN
  host 192.168.3.204
  host 192.168.3.42
  host 192.168.3.44
  host 192.168.3.202
  host 192.168.3.43
  access-list 1 remark Internet access list
  access-list 1 permit 192.168.3.0 0.0.0.255
  access-list 101 remark Hosts allowed access to VPN
  access-list 101 permit ip object-group VNPCLIENTS any
  access-list 111 permit udp any any eq 3074
  access-list 111 permit tcp any any eq 3074
  access-list 111 permit udp any any eq 88
  I Then applied the access list to the Virtual interface of the VPN in both directions:-
  interface Virtual-Template1 type tunnel
  no ip address
  ip access-group 101 in
  ip access-group 101 out
  tunnel mode ipsec ipv4
  Now when I connect to the VPN I have no access from any host to the Internet either thought the tunnel or not.
  I must be doing something very wrong. Much appreciate any help.
  Thanks
  Gordon

  Can someone please help me with my config for Easy VPN Client split tunneling. At the moment when the VPN is up I have NO access to the Internet from any host.
  Here's what I am attempting to do. I want only certain host to route all there traffic thou the tunnel and the remaining host to use the default route.
  I created an object-group and access list with the hosts I want to route thou the VPN :-
  object-group network VNPCLIENTS
  description HOSTS ALLOWED ACCESS TO THE VPN
  host 192.168.3.204
  host 192.168.3.42
  host 192.168.3.44
  host 192.168.3.202
  host 192.168.3.43
  access-list 1 remark Internet access list
  access-list 1 permit 192.168.3.0 0.0.0.255
  access-list 101 remark Hosts allowed access to VPN
  access-list 101 permit ip object-group VNPCLIENTS any
  access-list 111 permit udp any any eq 3074
  access-list 111 permit tcp any any eq 3074
  access-list 111 permit udp any any eq 88
  I Then applied the access list to the Virtual interface of the VPN in both directions:-
  interface Virtual-Template1 type tunnel
  no ip address
  ip access-group 101 in
  ip access-group 101 out
  tunnel mode ipsec ipv4
  Now when I connect to the VPN I have no access from any host to the Internet either thought the tunnel or not.
  I must be doing something very wrong. Much appreciate any help.
  Thanks
  Gordon

• Cisco 3745, VPN and Split Tunneling

  I tried following the model here: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns27/networking_solutions_white_paper09186a008018914d.shtml
  but after doing so, the situation was actually reversed. While connected to the vpn client you were able to browse the internet but not able to access vpn resources. I undid and redid the configuration several times to rule out keying in problems.
  Can one help with this problem... If needed Ill post necessary configs from my router.. Thanks
  (btw: do these froms have a search?)

  I am having the same problems with pix 501. With split tunnel, I get web but no lan access. Without split tunnel, full lan access, no web. My acl for the splitTunnel is:
  permit ip host 192.168.1.0 any
  Is this wrong?

• Cisco AnyConnect SSL VPN no split tunnel and no hairpinning internet access

  Greetings,
  I am looking to configure a Cisco ASA 5515X for Cisco AnyConnect Essentials SSL VPN where ALL SSL-VPN traffic is tunneled, no split tunneling or hairpinning on the outside interface. However users require internet access. I need to route traffic out the "trusted" or "inside" interface to another device that performs content-filtering and inspection which then egresses out to the internet from there. Typically this could be done using a route-map (which ASA's do not support) or with a VRF (again, not an option on the ASA). The default route points to the outside interface toward the internet.
  Is there no other method to force all my SSL-VPN traffic out the inside interface toward LAN subnets as needed and have another default route point toward the filtering device?
  OR 
  Am I forced to put the ASA behind the filtering device somehow?

  Hi Jim,
  You can use tunnel default route for vpn traffic:
  ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled
  configure mode commands/options:
    <1-255>   Distance metric for this route, default is 1
    track     Install route depending on tracked item
    tunneled  Enable the default tunnel gateway option, metric is set to 255
  This route is applicable for only vpn traffic.
  HTH,
  Shetty

• VPN client unable to access Internert via split tunneling.

  I have split tunneling configured on a PIX 515. The remote VPN client connects to the PIX fine and can ping hosts on the internal LAN, but cannot access the Internet. Am I missing something? My config as per below.
  Also, I don't see any secured routes on the VPN client via Statistics (screen shot below)
  Any advice is much appreciated.
  Rob
  PIX Version 8.0(3)
  hostname PIX-A-250
  enable password xxxxx encrypted
  names
  interface Ethernet0
  nameif outside
  security-level 0
  ip address x.x.x.250 255.255.255.240
  interface Ethernet1
  nameif inside
  security-level 100
  ip address 192.168.9.1 255.255.255.0
  passwd xxxxx encrypted
  ftp mode passive
  dns domain-lookup outside
  dns server-group Ext_DNS
  name-server 194.72.6.57
  name-server 194.73.82.242
  object-group network LOCAL_LAN
  network-object 192.168.9.0 255.255.255.0
  network-object 192.168.88.0 255.255.255.0
  object-group service Internet_Services tcp
  port-object eq www
  port-object eq domain
  port-object eq https
  port-object eq ftp
  port-object eq 8080
  port-object eq telnet
  object-group network WAN_Network
  network-object 192.168.200.0 255.255.255.0
  access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain log
  access-list ACLOUT extended permit icmp object-group LOCAL_LAN any log
  access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services log
  access-list ACLIN extended permit icmp any any echo-reply log
  access-list ACLIN extended permit icmp any any unreachable log
  access-list ACLIN extended permit icmp any any time-exceeded log
  access-list split_tunnel_list remark Local LAN
  access-list split_tunnel_list standard permit 192.168.9.0 255.255.255.0
  access-list NONAT extended permit ip object-group LOCAL_LAN 192.168.100.0 255.255.255.0
  pager lines 24
  logging enable
  mtu outside 1500
  mtu inside 1500
  ip local pool testvpn 192.168.100.1-192.168.100.99
  no failover  
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list NONAT
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group ACLIN in interface outside
  access-group ACLOUT in interface inside
  route outside 0.0.0.0 0.0.0.0 195.171.252.45 1
  route inside 192.168.88.0 255.255.255.0 192.168.88.254 1
  route inside 192.168.199.0 255.255.255.0 192.168.199.254 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set Set_1 esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 10 set transform-set Set_1
  crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 280000
  crypto dynamic-map outside_dyn_map 10 set reverse-route
  crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 1
  authentication pre-share
  encryption 3des
  hash sha    
  group 2     
  lifetime 43200
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha    
  group 2     
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  group-policy testvpn internal
  group-policy testvpn attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  username testuser password xxxxxx encrypted
  tunnel-group testvpn type remote-access
  tunnel-group testvpn general-attributes
  address-pool testvpn
  default-group-policy testvpn
  tunnel-group testvpn ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:5dcb5dcdff277e1765a9a0c366b88b9e
  : end
  PIX-A-250#

  Hello Jennifer,
  I can ping the 192.168.88.0/24 (host 88.3) from my PIX fine. The 88 subnet hangs off a 2950 switch. This is my diagram.
  My configs are as follows. Please note I have left out the suggested lines of config from above as they had no effect.
  Very much appreciate your time and effort with my issue.
  Many thanks,
  Rob
  PIX A
  PIX Version 8.0(3)
  hostname PIX-A-250
  enable password NBhgOL6eDYkO4RHk encrypted
  names
  interface Ethernet0
  nameif outside
  security-level 0
  ip address x.x.x.250 255.255.255.240
  interface Ethernet1
  nameif inside
  security-level 100
  ip address 192.168.9.1 255.255.255.0
  passwd k85be8tPM1XyMs encrypted
  ftp mode passive
  dns domain-lookup outside
  dns server-group Ext_DNS
  name-server 194.72.6.57
  name-server 194.73.82.242
  object-group network LOCAL_LAN
  network-object 192.168.9.0 255.255.255.0
  network-object 192.168.88.0 255.255.255.0
  object-group service Internet_Services tcp
  port-object eq www
  port-object eq domain
  port-object eq https
  port-object eq ftp
  port-object eq 8080
  port-object eq telnet
  object-group network WAN_Network
  network-object 192.168.200.0 255.255.255.0
  access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain log
  access-list ACLOUT extended permit icmp object-group LOCAL_LAN any log
  access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services log
  access-list ACLIN extended permit icmp any any echo-reply log
  access-list ACLIN extended permit icmp any any unreachable log
  access-list ACLIN extended permit icmp any any time-exceeded log
  access-list split_tunnel_list remark Local LAN
  access-list split_tunnel_list standard permit 192.168.9.0 255.255.255.0
  access-list split_tunnel_list standard permit 192.168.88.0 255.255.255.0
  access-list split_tunnel_list standard permit 192.168.200.0 255.255.255.0
  access-list NONAT extended permit ip object-group LOCAL_LAN 192.168.100.0 255.255.255.0
  pager lines 24
  logging enable
  mtu outside 1500
  mtu inside 1500
  ip local pool testvpn 192.168.100.1-192.168.100.99
  no failover  
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list NONAT
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group ACLIN in interface outside
  access-group ACLOUT in interface inside
  route outside 0.0.0.0 0.0.0.0 x.x.252.45 1
  route inside 192.168.88.0 255.255.255.0 192.168.88.254 1
  route inside 192.168.199.0 255.255.255.0 192.168.199.254 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set Set_1 esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 10 set transform-set Set_1
  crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 280000
  crypto dynamic-map outside_dyn_map 10 set reverse-route
  crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 1
  authentication pre-share
  encryption 3des
  hash sha    
  group 2     
  lifetime 43200
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha    
  group 2     
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  group-policy testvpn internal
  group-policy testvpn attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split_tunnel_list
  username robbie password mbztSskhuas90P encrypted
  tunnel-group testvpn type remote-access
  tunnel-group testvpn general-attributes
  address-pool testvpn
  default-group-policy testvpn
  tunnel-group testvpn ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:5dcb5dcdff277e1765a9a0c366b88b9e
  : end
  3560_GW Gateway
  test_gw01#sh run
  Building configuration...
  Current configuration : 2221 bytes
  version 12.2
  no service pad
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  hostname test_gw01
  enable secret 5 $1$cOB4$UDjkhs&$FjQBe8/rc30
  no aaa new-model
  system mtu routing 1500
  ip subnet-zero
  ip routing
  no file verify auto
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  interface GigabitEthernet0/1
  interface GigabitEthernet0/2
  description uplink to Cisco_PIX
  switchport access vlan 9
  interface GigabitEthernet0/3
  interface GigabitEthernet0/4
  interface GigabitEthernet0/5
  interface GigabitEthernet0/6
  interface GigabitEthernet0/7
  interface GigabitEthernet0/8
  interface GigabitEthernet0/9
  interface GigabitEthernet0/10
  interface GigabitEthernet0/11
  interface GigabitEthernet0/12
  interface GigabitEthernet0/13
  interface GigabitEthernet0/14
  interface GigabitEthernet0/15
  interface GigabitEthernet0/16
  interface GigabitEthernet0/17
  interface GigabitEthernet0/18
  interface GigabitEthernet0/19
  interface GigabitEthernet0/20
  interface GigabitEthernet0/21
  interface GigabitEthernet0/22
  interface GigabitEthernet0/23
  switchport access vlan 88
  switchport mode access
  spanning-tree portfast
  interface GigabitEthernet0/24
  switchport access vlan 9
  switchport mode access
  spanning-tree portfast
  interface GigabitEthernet0/25
  description trunk to 2950_SW_A port 1
  switchport trunk encapsulation dot1q
  interface GigabitEthernet0/26
  interface GigabitEthernet0/27
  description trunk to A_2950_112 port 1
  switchport trunk encapsulation dot1q
  shutdown
  interface GigabitEthernet0/28
  interface Vlan1
  no ip address
  shutdown
  interface Vlan9
    ip address 192.168.9.2 255.255.255.0
  interface Vlan88
  ip address 192.168.88.254 255.255.255.0
  interface Vlan199
  ip address 192.168.199.254 255.255.255.0
  ip classless
  ip route 0.0.0.0 0.0.0.0 192.168.9.1
  ip route 192.168.88.0 255.255.255.0 192.168.9.1
  ip route 192.168.100.0 255.255.255.0 192.168.9.1
  ip route 192.168.200.0 255.255.255.0 192.168.9.1
  ip http server
  control-plane
  banner motd ^C This is a private network.^C
  line con 0
  line vty 0 4
  login
  line vty 5 15
  login   
  end      

• Can you create a Remote Access VPN connection to tunnel DMZ LAN and Inside Networks simultaneously?

  I have a customer that has a ASA 5510 version 8.3 with IPSEC Client Access that includes some of their networks on the Inside interface.   The issue they are having is when their mobile users connect with the vpn client (which is using split tunneling), they can no longer access their web server applications that are running in the DMZ.   Without the client connected, they access the web servers via the external public IP.  Once they are connected via vpn, their default dns server becomes the internal AD DNS server, which resolves the DNS of the web servers to the private DMZ ip address. 
  Can a Remote Access VPN client connection be allowed to connect to both the DMZ interface and the Inside Interface? I had always only setup RA VPN clients to connect to networks on the Inside Interface.  
  I tried adding the DMZ network to the Split Tunnel list, but I could not access anything it while connected to vpn using the private IP addresses.

  Yes, you should be able to access DMZ subnets as well if they are added to the split tunnel ACL. You could check the NAT exemption configuration for the DMZ and also check if the ASA is forwarding the packet through DMZ interface by configuring captures on the DMZ interface. 
  Share the configuration if you want help with the NAT exemption part.

• Remote access VPN client gets connected no access to LAN

  : Saved
  ASA Version 8.6(1)2
  hostname COL-ASA-01
  domain-name dr.test.net
  enable password i/RAo1iZPOnp/BK7 encrypted
  passwd i/RAo1iZPOnp/BK7 encrypted
  names
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 172.32.0.11 255.255.255.0
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 192.9.200.126 255.255.255.0
  interface GigabitEthernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/4
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/5
  nameif failover
  security-level 0
  ip address 192.168.168.1 255.255.255.0 standby 192.168.168.2
  interface Management0/0
  nameif management
  security-level 0
  ip address 192.168.2.11 255.255.255.0
  ftp mode passive
  dns server-group DefaultDNS
  domain-name dr.test.net
  object network RAVPN
  subnet 192.168.0.0 255.255.255.0
  object network NETWORK_OBJ_192.168.200.0_24
  subnet 192.168.200.0 255.255.255.0
  object network NETWORK_OBJ_192.9.200.0_24
  subnet 192.9.200.0 255.255.255.0
  object-group network inside_network
  network-object 192.9.200.0 255.255.255.0
  object-group network Outside
  network-object host 172.32.0.25
  access-list RAVPN_splitTunnelAcl standard permit 192.9.200.0 255.255.255.0
  access-list test123 extended permit ip host 192.168.200.1 host 192.9.200.190
  access-list test123 extended permit ip host 192.9.200.190 host 192.168.200.1
  access-list test123 extended permit ip object NETWORK_OBJ_192.168.200.0_24 192.9.200.0 255.255.255.0
  access-list test123 extended permit ip 192.9.200.0 255.255.255.0 object NETWORK_OBJ_192.9.200.0_24
  pager lines 24
  mtu management 1500
  mtu outside 1500
  mtu inside 1500
  mtu failover 1500
  ip local pool RAVPN 192.168.200.1-192.168.200.254 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-66114.bin
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic any interface
  nat (any,inside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24
  route outside 0.0.0.0 0.0.0.0 172.32.0.2 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 outside
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment terminal
  subject-name CN=KWI-COL-ASA-01.dr.test.net,O=KWI,C=US
  crl configure
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet 192.9.200.0 255.255.255.0 inside
  telnet timeout 30
  ssh 0.0.0.0 0.0.0.0 management
  ssh 0.0.0.0 0.0.0.0 outside
  ssh 66.35.45.128 255.255.255.192 outside
  ssh 0.0.0.0 0.0.0.0 inside
  ssh timeout 30
  ssh version 2
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable outside
  anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  anyconnect enable
  tunnel-group-list enable
  group-policy DfltGrpPolicy attributes
  group-policy RAVPN internal
  group-policy RAVPN attributes
  wins-server value 192.9.200.164
  dns-server value 66.35.46.84 66.35.47.12
  vpn-filter value test123
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value test123
  default-domain value dr.kligerweiss.net
  username test password xxxxxxx encrypted
  username admin password aaaaaaaaaaaa encrypted privilege 15
  username vpntest password ddddddddddd encrypted
  tunnel-group RAVPN type remote-access
  tunnel-group RAVPN general-attributes
  address-pool RAVPN
  default-group-policy RAVPN
  tunnel-group RAVPN ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly 2
    subscribe-to-alert-group configuration periodic monthly 2
    subscribe-to-alert-group telemetry periodic daily
  password encryption aes
  Cryptochecksum:b001e526a239af2c73fa56f3ca7667ea
  : end
  COL-ASA-01#
  Here is some capture done on the inside interface which may help too, I tried pointing the gateway to inside interface on the target device but I think this was a switch without ip route available on it I believe that is still sending packet back to Cisco inside interface
  COL-ASA-01# sho cap test | in 192.168.200
  25: 23:45:55.570618 192.168.200.1 > 192.9.200.190: icmp: echo request
    29: 23:45:56.582794 192.168.200.1.137 > 192.9.200.164.137:  udp 68
    38: 23:45:58.081050 192.168.200.1.137 > 192.9.200.164.137:  udp 68
    56: 23:45:59.583176 192.168.200.1.137 > 192.9.200.164.137:  udp 68
    69: 23:46:00.573517 192.168.200.1 > 192.9.200.190: icmp: echo request
    98: 23:46:05.578110 192.168.200.1 > 192.9.200.190: icmp: echo request
    99: 23:46:05.590057 192.168.200.1.137 > 192.9.200.164.137:  udp 68
  108: 23:46:07.092310 192.168.200.1.137 > 192.9.200.164.137:  udp 68
  115: 23:46:08.592468 192.168.200.1.137 > 192.9.200.164.137:  udp 68
  116: 23:46:10.580795 192.168.200.1 > 192.9.200.190: icmp: echo request
  COL-ASA-01#
  Any help or pointers greatly appreciated, I am doing this config after a long gap on Cisco last time I was working it was all PIX so just need some expert eyes to let me know if I am missing something.
  And Yes I do not have a Host in Inside network to test against, all I have is a switch which cannot route and ip default gateway is not helping too...

  Hi,
  The first thing you should do to avoid problems is to change the VPN Pool to something else than the current LAN network as they are not really directly connected in the same network segment.
  You could try the following changes
  tunnel-group RAVPN general-attributes
    no address-pool RAVPN
  no ip local pool RAVPN 192.168.200.1-192.168.200.254 mask 255.255.255.0
  ip local pool RAVPN 192.168.201.1-192.168.201.254 mask 255.255.255.0
  tunnel-group RAVPN general-attributes
    address-pool RAVPN
  no nat  (any,inside) source static NETWORK_OBJ_192.168.200.0_24  NETWORK_OBJ_192.168.200.0_24 destination static  NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24
  In the above you first remove the VPN Pool from the "tunnel-group" and then remove and recreate the VPN Pool with another network and then insert it back to the same "tunnel-group". Nex you remove the current NAT configuration.
  object network LAN
  subnet 192.168.200.0 255.255.255.0
  object network VPN-POOL
  subnet 192.168.201.0 255.255.255.0
  nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL
  The above NAT configurations adds the correct NAT0 configuration for the changed VPN Pool. It also inserts the NAT rule to the very top before the Dynamic PAT rule you currently have. It is also one of the problems with the configurations as it will override your current NAT configurations.
  You have your Dynamic PAT rule at the very top of your NAT rules currently which is not a good idea. If you wish to change it to something else that wont override the other NAT configurations in the future you can do the following change.
  no nat (inside,outside) source dynamic any interface
  nat (inside,outside) after-auto source dynamic any interface
  NOTICE! Changing the above Dynamic PAT configuration will temporarily terminate all connections for users from the LAN as you reconfigure the Dynamic PAT rule. So if you do this change make sure that its ok to cause still small cut in the current connections of internal users
  Hope this helps
  Let me know if it works for you
  - Jouni

• IP Phone SSL VPN and Split tunneling

  Hi Team,
  I went throught the following document which is very useful:
  https://supportforums.cisco.com/docs/DOC-9124
  The only things i'm not sure about split-tunneling point:
  Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
  I could see many implementation when they used split-tunneling, like one of my customer:
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  banner value This system is only for Authorized users.
  dns-server value 10.64.10.13 10.64.10.14
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-tunnel
  default-domain value prod.mobily.lan
  address-pools value SSLClientPool
  webvpn
    anyconnect keep-installer installed
    anyconnect ssl rekey time 30
    anyconnect ssl rekey method ssl
    anyconnect ask none default anyconnect
  username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
  username manager-max attributes
  vpn-group-policy GroupPolicy1
  tunnel-group PhoneVPN type remote-access
  tunnel-group PhoneVPN general-attributes
  address-pool SSLClientPool
  authentication-server-group AD
  default-group-policy GroupPolicy1
  tunnel-group PhoneVPN webvpn-attributes
  group-url https://84.23.107.10 enable
  ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
  access-list split-tunnel remark split-tunnel network list
  access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
  It is working for them w/o any issue.
  My question would be
  - is the limitation about split-tunneling still valid? If yes, why it is not recommended?
  Thanks!
  Eva

  Hi,
  If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
  Did this answer your question? If so, please mark it Answered!

• Nokia mobile VPN Client - split tunneling

  Hi
  I'm trying to get Nokia mobile CPN Client working with split tunneling on a Cisco firewall.
  I have full access to all on my internal lan's when I make the VPN tunnel, so tunnel is up and working.
  But I do not have access to anything in the internet, it tries to route internet requests through the VPN. I have set split tunneling on the Cisco firewall and it is working as intended on all other devices.
  Any ideas of what I have missed?
  My policy is based on the bundled Cisco_ASA_pskxauth.pol from the Nokia mobile VPN Client Policy Tool.
  tsfts

  Hi vgta2k:
  Nokia 5530 XpressMusic is S60 5th edition phone.
  http://www.forum.nokia.com/Devices/Device_specific​ations/5530_XpressMusic/
  It runs different version of Nokia Mobile VPN client than Symbian^3. You can find the correct version at the download page:
  http://europe.nokia.com/support/download-software/​nokia-mobile-vpn/compatibility-and-download
  Just use the device selector and pick your phone.
  You can also find Nokia Mobile VPN Client nowadays at Ovi Store.
  Thanks,
  Ismo

• AnyConnecy VPN and Split-tunnel ACL - Strange...

  Hi,
  I have ACL as follows and applied on AnyConnect VPN group as split-tunel value ACL.
  access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq www
  access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq https
  When I connected with AnyConnect client, I can ping to 192.168.200.63 and also telnet to port 80. However I can not telnet to port 443. Strange thing is I do not see any hits on above ACL, morever I'm wondering how cam the ICMP is working and why it does not stop on this ACL..?
  Phase: 4
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x78e03140, priority=11, domain=permit, deny=true
          hits=113713, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
          input_ifc=outside, output_ifc=any
  When I did the packet-tracer both ICMP and http it just drop on Phase 4..as bellow, I just want to know what this ACL and where its been applied to..?
  What is the correct syntax for packet-tracer command when troubleshooting AnyConnect VPN to check access inside/dmz server..?
  I have used as follows:
  packet-tracer input outside icmp 172.16.1.1 0 8 192.168.200.63 details
  Appreciate if someone can help me out on this..
  thanks

  To start with it is not ideal to configure a port based split tunnel. It is not support and will give you weird results like one you are experiencing. You should use standard access-list for the split tunnel and to restrict the users to the following port use vpn filter.
  As far as packet tracer is concerned for the VPN client if you use the outside interface as source it will never work the reason is the connection between the ASA and the client is of real IP address (Public) and the traffic that you are testing with is a VPN encrypted traffic your ASA's outside interface doesn't know what is 172.16.1.1, he will check it against the outside access-list and will drop it.
  So in your case i would strongly recommed that use standard access-list for the split tunnel and to restrict the user to specific port use vpn filter. Following are the links to configure the same:
  Allow Split Tunnel for Anyconnect:
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
  Configure VPN filter (Its for site to site and remote access but it works the same for Anyconnect):
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
  Thanks
  Jeet Kumar

• AnyConnect SSL VPN Vista split-tunneling

  I recently setup an ASA5510 with 8.0fw with the AnyConnect SSL VPN Client.
  Connecting to the SSL VPN works perfectly from all the XP computers that I have tested from. No problems there. However when on Vista, split-tunneling does not seem to function properly. Everything connects and works fine, and I can get to the defined secured remote nets, however I can't access anything out my default gateway(un-secured traffic). It seems like it might be a problem with Vista security features. When I try to ping out to any outside host, I get:
  PING: transmit failed, error code 1231.
  I can actually ping my default gateway, but nothing gets routed past it without the above error. I've also confirmed this several Vista installations, with Administrator + UAC disabled. Anyone else?

  I have done the same testing, and on both Vista 32bit and 64Bit the split tunneling does not seem to work. Also I found that this is a "known" bug
  From the Release Notes::
  AnyConnect Split-tunneling Does Not Work on Windows Vista - AnyConnect split-tunneling works correctly with Windows XP and Windows 2000 (CSCsi82315)
  I am happy that 64Bit works but will hold off on roll out until split-tunneling is fixed.
  Cassidy

• Is it possible to force some urls through the vpn using split tunneling?

  Hi all,
  just that. We have some urls accessible only from our office lan, and will be nice to allow the clients to split tunnel all but this specific urls.
  Possible? Thanks in advance!

  Simon,
  I was thinking that you were trying to reach a web server hosted on the LAN. I see now that you are trying to reach external sites that are only accessible from the LAN. I am not aware of any way to allow a partially split tunnel, if I find anything I will update.
  - Marty

• Remote access VPN clients connected to Internet from VPN

  Greetings,
  I need to let remote VPN clients to connect to Internet from the same ASA VPN server
  " client connects to ASA through VPN tunnel from outside interface then access Internet from the same ASA from outside interface again
  thanks

  you'll need to configure 'same-security-traffic permit intra-interface' on the ASA .
  Also, need to setup the corresponding nat statements for your clients pool range.
  i.e.
  global (outside) 1 interface
  nat (outside) 1 access-list anyconnectacl
  where anyconnectacl is the pool for your clients:
  access-list anyconnectacl permit ip 172.16.1.0 255.255.255.0 any

• I have a problem with iCloud - i have great internet access at work, but slow internet access at home (less than 1MB/PS) and I use the full range of iCloud syncing facilities. How can i make my devices ONLY sync at work.. and not at home??

  As stated above, if i go out during the day, buy an app, download a song and take 20 photo's when i get home my devices will all take 30mins to sync before i can even browse websites or check my facebook at home.
  Can i set up my iCloud to only sync when i am on my work Wi-fi...?

  Welcome to the Apple Community.
  Not unless you stop it connecting to wifi at home.