SonicWall Global VPN Client and Split tunneling

Hello All,
I searched Google and the forums here and can't find someone with the same problem.
Lets start at the beginning-Just started this job a couple months ago and people brought to my attention immediately an issue while they were on the VPN they could not get to the internet.  I know about the different security risks but we have multiple field reps that need internet access while using our CRM program.  So I setup Split Tunneling on the Sonicwall. Tested and works fine on my home PC using a WRT54GS Ver 2.1 and the SonicWall Global VPN Client.
So I was sure everything was fine until I just sent out 2 laptops to 2 different sales reps and they are both having the same issue.  They can get into the internal network but can't access the internet.  They are both on WRT54G (different Vers.).  I tested the VPN client on both laptops with tethering on my cell phone and the split tunneling works. I have tried updating firmware thinking that was the issue.  I also tried to put their home network on a different subnet.  All with no joy.  I was wondering if anyone ever ran into something like this or have any clues what to try next. 
-Thank You in advance for your time.
Message Edited by Chris_F on 01-11-2010 07:41 AM
Chris F.
CCENT, CCNA, CCNA Sec

Of course, you do as you are told. But I hope you keep written record of what you have been told and have it signed of whoever told you to set it up. It's essential that you stay on the safe side in these matters.
I have read of too many cases where the system/security admin did not do so and in the end was held responsible for security incidents simply because he was told to do something to jeopardize security of the network. Remember, that usually the person who tells you do to so has no idea about the full security implication of a decision.
Thus, I highly recommend to require your road staff to connect with no split tunneling. Refuse to do otherwise unless you have it in writing and you won't be held reliable in any way if something happens because of it.
Just think what happens if the whole customer database gets stolen because of one of the remote sales reps... There is a reason why you apply this web site blocking on your firewalls and there is absolutely no reason that would justify why your remote sale reps don't go through the very same firewall while accessing company-sensitive data in your CRM.
So put that straight with whoever told you to do otherwise and if you they still want to continue anyway get it in writing. Once you ask for the statement in writing many decision-makers come to their senses and let you do your job at the best you can and for what you were hired... And if not, well, at least you got rid of the responsibility in that aspect.

Similar Messages

  • RV220W, VPN client, and Full Tunnel vs Split Tunnel capabilities

    For an RV220W, which VPN client mode (of the three possibilities) supports which Tunnel mode? 
    This is mostly a question, and partly "in use" observations.
    Background: I have been able to get all three different VPN clients to work with an RV220W, but only one of the three works in "Full Tunnel"  mode (SSL VPN). And since I know one of the three -- the Cisco QuickVPN client -- will never with in that mode, do we know if an RV220W will with an IPSec client in Full Tunnel Mode? 
    If anyone answers yes, the next question will be vpn client and how did you configure it, client and RV220W, to make full tunnel work.
    Summary of VPN modes I've gotten to work with an RV220W:
    Client
    Split Tunnel Works?
    Full Tunnel Works?
    OS?
    Notes
    SSL VPN
    Yes
    Yes
    Win7/64
    IE10 or IE11
    QuickVPN
    Yes
    No
    Win7/64
    IPSec VPN
    Yes
    No
    Win7/64
    Shrew Soft VPN Client

    I have to mark this as not a correct answer.
    Reason: 0.0.0.0 will not go into either of the fields listed above, message is "Invalid IP address Please enter a value between 1 - 223 at xxx.0.0.0.".
    To Michal Bruncko who posted this:
    1.) 0.0.0.0 will not work in my router nor in the RV220W online emulator here, (general emulator page here), am I missing something obvious?
    2.) Have you used these actual settings on your router, or did you answer in a theoretical, "this should work" way?

  • Issues with basic VPN setup and split tunneling

    I have created an SSL VPN to a CISCO ASA 8.6 running ASDM 6.6.
    Im able to connect to the VPN and reach all the devices with the LAN but  Im not able to browse the web. When I enable the split tunnel Im able  to browse the web but then Im not able to reach any internal device.
    Here is part of the show run:
    object network RedInterna
    subnet 150.211.101.0 255.255.255.0
    description Red Interna
    object network NETWORK_OBJ_10.4.1.0_28
    subnet 10.4.1.0 255.255.255.240
    access-list inside_access_in extended permit ip object RedInterna any
    access-list VPN_INTERNET standard permit 150.211.101.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool VPN_POOL 10.4.1.1-10.4.1.14 mask 255.255.255.240
    failover
    failover lan unit secondary
    failover lan interface fail-1 GigabitEthernet0/2
    failover key *****
    failover interface ip fail-1 10.3.1.21 255.255.255.252 standby 10.3.1.22
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-66114.bin
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static any any destination static  NETWORK_OBJ_10.4.1.0_28 NETWORK_OBJ_10.4.1.0_28 no-proxy-arp  route-lookup
    nat (inside,outside) after-auto source dynamic any interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 187.217.68.145 1
    route inside 10.0.0.0 255.0.0.0 10.1.1.78 1
    route inside 150.211.0.0 255.255.0.0 10.1.1.78 1
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy GroupPolicy_VPN_ internal
    group-policy GroupPolicy_VPN_ attributes
    wins-server none
    dns-server value 8.8.8.8
    vpn-tunnel-protocol ssl-client
    default-domain value dominio.com.mx
    tunnel-group VPN_ type remote-access
    tunnel-group VPN_ general-attributes
    address-pool VPN_POOL
    default-group-policy GroupPolicy_VPN_
    tunnel-group VPN_ webvpn-attributes
    group-alias VPN_ enable
    I´m not sure if Im missing some small details or setup. Any help will be highly appreciated.
    Thanks!!!

    Hi,
    When you are using Full Tunnel VPN (which is the default setting) you will have a couple of things that you need to configure on the ASA.
    First, the ASA by default won't allow traffic to enter through an interface and then leave through that same interface. This is what essentially happens when the traffic from the VPN Client comes to the ASA and then heads out to the Internet.  In your case the traffic comes through the "outside" and leaves through the "outside" interface.
    You will need this command
    same-security-traffic permit intra-interface
    You can check if its enabled at the moment with the command
    show run same-security-traffic
    Second, the VPN users will need to have NAT configuration just like any LAN users behind the actual ASA. So you will essentially have to configure Dynamic PAT for traffic from "outside" to "outside"
    You can accomplish that with the following configuration
    object network VPN-PAT
    subnet 10.4.1.0 255.255.255.240
    nat (outside,outside) dynamic interface
    I would imagine that this should do it for you to be able to connect to the Internet and to the LAN network when the VPN is active.
    Hope this helps
    Let me know how it goes.
    - Jouni

  • SSL VPN Full and Split Tunnel Config Question

    I am Beta testing SSLVPN on an IOS router. The question I have is this:
    Is it possiable to have slit and full tunnel configs. It seems that once you create your context and default profile that is all you have either split or full. The books say you can use Radius and assign different profiles but, I would like to give the users a choice (like in the VPN3000 .pcf) of either split or full depending on where they are working from.

    The below is an example using the ASA - but the principle remains the same:-
    http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a0080975e83.shtml
    HTH>

  • Cisco ASA 8.3(1) with VPN Client and IP Communicator - one way communication

    Hi Community.
    I have a strange problem with my setup and I'm pretty sure it's either some type of routing (or NAT) or just a missing rule allowing the traffic. But I'm now at a point where I'd like to request your help.
    I have some remote access users who have the Cisco IP Communicator (CIPC) installed on their notebooks. So:
    VPN user with CIPC <> ASA Firewall <> Voice Router <> CCM <> IP Phone
    The VPN works fine for any other traffic. Also the basic connection for the IP Communicator works fine. It get's connected to the CallManager, is shown as registered and you even can call an internal phone and also external phones. BUT: while you can hear the called party (so the internal phone) it doesn't work for the other way. There is no sound coming from the remote/caller.
    I already figured out that it's also not possible to ping from the VPN phone to the internal IP Phone subnet. While the VPN user can ping any other device in the internal network, he can't do it to the Cisco IP Phones. But if the VPN phone calls a none-internal phone (mobiles...) - it works!
    My thought is that the call can't be build up correctly between the VPN phone and the internal phone.
    I found similiar situations with google but they are all for the other way around: call to internal works, but not to VPN.
    What do you think?

    Hi,
    Typically ASA lists specific networks to the VPN Client when Split Tunnel is used.
    This would mean that there is a Split Tunnel ACL used in the ASA configurations for this VPN connection which needs to have the missing network added for the traffic to be tunneled to the VPN connection.
    - Jouni

  • How to configure full tunnel with VPN client and router?

    I know the concept of split tunnel....Is it possibe to configure vpn client and router full tunnel or instead of router ASA? I know filter options in concentrators is teher options in ISR routers or ASA?

    I think it is possible. Following links may help you
    http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

  • RA VPN on ASA and Split Tunneling

    Hello Forum,
    I'm having an issue with RA VPN and split tunneling. Our company doesn't allow split tunneling.
    I have the following....
    ASA 5520 - ASA Version - 8.0(3)
    Group Policies defined for different groups. My test group, I thought I disabled split tunneling but they are still able to surf the net.
    For Split Tunneling Policy...
    Inherit is unchecked
    I have "Tunnel Network List Below"
    Testing_splitTunnelAcl is my acl. I have a bunch of host IPs in the list. I don't have any or 0.0.0.0 in the list.
    But they can still surf the net.
    I would like to block access to net. No hairpinning or internet u-turns.
    How do I do this?
    Any help greatly appreciated.
    Regards,

    What does your Testing_spliTunnelAcl have?
    To disable split tunneling, your Testing_spliTunnelAcl should only have this...
    access-list Testing_splitTunnelAcl standard permit any
    ...which means all traffic will be encrypted and will be sent to ASA no matter what. If you add any IP Address, only those traffic destined to the IP Address in the list will be encrypted and send to ASA, everything else will go to internet from the client.
    It may be confusing but try and see what happens.

  • Mavericks VPN dropouts with native VPN client and Cisco IPSec

    Since update to Maverics I am experiencing VPN dropouts with native VPN client and Cisco IPSec
    I am connecting via a WIFI router to a remote VPN server
    The conenction is good for a while but eventually it drops out.
    I had Zero issues in mountain lion and only have issues since the update to 10.9
    I had similar issues in teh past with an unrelaibel wifi router but i am using a Verizon Fios router and it has worked impecably until mavericks
    My thoughts are:
    1 -issue with mavericks  ( maybe the app sleep funciton affecting eithe VPN or WIFI daemons)
    2- Issue with  cisco router compaitibility or timing with Cisco IPSEC
    3- Issue with WIFI itself on mavericks - some sort of WIFI software bug
    Any thousuggestions?

    Since update to Maverics I am experiencing VPN dropouts with native VPN client and Cisco IPSec
    I am connecting via a WIFI router to a remote VPN server
    The conenction is good for a while but eventually it drops out.
    I had Zero issues in mountain lion and only have issues since the update to 10.9
    I had similar issues in teh past with an unrelaibel wifi router but i am using a Verizon Fios router and it has worked impecably until mavericks
    My thoughts are:
    1 -issue with mavericks  ( maybe the app sleep funciton affecting eithe VPN or WIFI daemons)
    2- Issue with  cisco router compaitibility or timing with Cisco IPSEC
    3- Issue with WIFI itself on mavericks - some sort of WIFI software bug
    Any thousuggestions?

  • Cisco ASA 5505, Cisco VPN Client and Novell Netware

    Hi,
    Our ISP have installed Cisco ASA 5505 firewall. We are trying to connect to our Novell 5.1 server using VPN client.
    I installed VPN client on a laptop that is using wireless connection. I connect using wireless signal from near by hotel and I am able to connect to my firewall usinging vpn client and also able to login in using Novell client for XP.
    When I use same vpn client and Novell client at home that is not using wireless connection, but DSL connection amd not able to login or find the tree.
    The only difference in two machine is laptop using wireless connection and my home machine is using wired connection using DSL.

    If your remote end of the services in question support IPsec IKEv1 as the VPN type then, yes - the 5505 can be a client for that service. At that point it looks like a regular LAN-LAN VPN which is documented in many Cisco and 3rd party how-to documents.

  • Boot camp with Cisco VPN client and smart card

    Looking at a Macbook or Macbook Air and the only reason I need to run windows is to be able to access my work network through the Cisco VPN client and my Smartcard then use remote desktop. From my understanding if I run Bootcamp it should work am I correct? Im going to an Apple store tomorrow hopefully they can help too.
    Thanks

    mrbacklash wrote:
    Ok with that being said will the MBA 11.6 1.4ghz have the guts to make it run mostly internet based programs over the VPN connection?
    I think if you are running apps over the Internet the bottleneck will be the Internet and your VPN bandwidth. Your computer can certainly execute faster than Internet communications.
    Besides, Internet or remote applications run on the remote server. All your local computer does is local processing of the data if necessary.
    Message was edited by: BobTheFisherman

  • Problem with Cisco VPN client and HP elitebook 2530p windows 7 64-bit

    Hi there
    I have a HP Elitebook 2530p which i upgraded to windows 7 64-bit. I installed the Cisco VPN client application (ver. 5.0.07.0290 and also 64-bit) and the HP connection manager to connect to the internet through a modem Qualcomm gobi 1000 (that is inside the laptop). When I connect to the VPN, it connects (I write the username and password) but there is no traffic inside de virtual adapter for my servers. When I connect to the internet through wire or wireless internet, I connect de VPN client and there is no problem to establish communication to my servers.
    I tried everything, also change the driver and an earlier version of the HP connection manager application. I also talked to HP and they told me that there was a report with this kind of problem and it was delivered to Cisco. I don’t know where is the problem.
    Could anyone help me?
    Thanks to all.

    You can try to update Deterministic Network Enhancer to the below listed release which supports
    WWAN Drivers.
    http://www.citrix.com/lang/English/lp/lp_1680845.asp.
    DNE now supports WWAN devices in Win7.  Before downloading the latest version of DNEUpdate from the links below,  be sure you have the latest
    drivers for your network adapters by downloading them from the vendors’ websites.
    For 64-bit: ftp://files.citrix.com/dneupdate64.msi
    Hope that helps.

  • IP Phone SSL VPN and Split tunneling

    Hi Team,
    I went throught the following document which is very useful:
    https://supportforums.cisco.com/docs/DOC-9124
    The only things i'm not sure about split-tunneling point:
    Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
    I could see many implementation when they used split-tunneling, like one of my customer:
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    banner value This system is only for Authorized users.
    dns-server value 10.64.10.13 10.64.10.14
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value prod.mobily.lan
    address-pools value SSLClientPool
    webvpn
      anyconnect keep-installer installed
      anyconnect ssl rekey time 30
      anyconnect ssl rekey method ssl
      anyconnect ask none default anyconnect
    username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
    username manager-max attributes
    vpn-group-policy GroupPolicy1
    tunnel-group PhoneVPN type remote-access
    tunnel-group PhoneVPN general-attributes
    address-pool SSLClientPool
    authentication-server-group AD
    default-group-policy GroupPolicy1
    tunnel-group PhoneVPN webvpn-attributes
    group-url https://84.23.107.10 enable
    ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
    access-list split-tunnel remark split-tunnel network list
    access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
    It is working for them w/o any issue.
    My question would be
    - is the limitation about split-tunneling still valid? If yes, why it is not recommended?
    Thanks!
    Eva

    Hi,
    If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
    Did this answer your question? If so, please mark it Answered!

  • Configure a VPN client and Site to Site VPN tunnel

    Hi, I'm setting up a test network between 2 sites. SiteA has a 515E PIX and SiteB has a 501 PIX. Both sites have been setup with a site to site VPN tunnel, see SiteA config below. I also require that remote clients using Cisco VPN client 3.6 be able to connect into SiteA, be authenticated, get DHCP info and connect to hosts inside the network. However, when I add these config lines, see below, to SiteA PIX it stops the vpn tunnel to SiteB. However, the client can conect and do as needed so that part of my config is correct but I cannot see why the site to site vpn tunnel is then no longer.
    SiteA config with working VPN tunnel to SiteB:
    SITE A
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 webdmz security20
    enable password xxx
    passwd xxx
    hostname SiteA-pix
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    no fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 200.x.x.0 SiteA_INT
    name 201.x.x.201 SiteA_EXT
    name 200.x.x.254 PIX_INT
    name 10.10.10.0 SiteB_INT
    name 11.x.x.11 SiteB_EXT
    access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
    access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
    access-list acl_inside permit icmp any any
    access-list acl_inside permit ip any any
    access-list acl_outside permit ip any any
    access-list acl_outside permit icmp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu webdmz 1500
    ip address outside SiteA_EXT 255.x.x.128
    ip address inside PIX_INT 255.255.0.0
    no ip address webdmz
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    route outside 0.0.0.x.x.0.0 201.201.201.202 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer SiteB_EXT
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    SiteA-pix(config)#
    Lines I add for Cisco VPN clients is attached
    I entered each line one by one and did a reload and sh crypto map all was OK until I entered the crypto map VPNPEER lines.
    Anyone any ideas what this can be?
    Thanks

    Heres my config:
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 webdmz security20
    enable password xxx
    passwd xxx
    hostname SiteA-pix
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    no fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 200.x.x.0 SiteA_INT
    name 201.x.x.201 SiteA_EXT
    name 200.x.x.254 PIX_INT
    name 10.10.10.0 SiteB_INT
    name 11.11.11.11 SiteB_EXT
    access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
    access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
    access-list acl_inside permit icmp any any
    access-list acl_inside permit ip any any
    access-list acl_outside permit ip any any
    access-list acl_outside permit icmp any any
    access-list 80 permit ip SiteA_INT 255.255.0.0 200.220.0.0 255.255.0.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu webdmz 1500
    ip address outside SiteA_EXT 255.255.255.128
    ip address inside PIX_INT 255.255.0.0
    no ip address webdmz
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pix_inside 200.x.x.100-200.220.200.150
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    route outside 0.0.0.0 0.0.0.x.x.201.202 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 200.200.200.20 letmein timeout 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set AAADES esp-3des esp-md5-hmac
    crypto dynamic-map DYNOMAP 10 match address 80
    crypto dynamic-map DYNOMAP 10 set transform-set AAADES
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer SiteB_EXT
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map 30 ipsec-isakmp dynamic DYNOMAP
    crypto map outside_map client authentication RADIUS
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption 3des
    isakmp policy 30 hash sha
    isakmp policy 30 group 2
    isakmp policy 30 lifetime 86400
    vpngroup Remote address-pool pix_inside
    vpngroup Remote dns-server 200.200.200.20
    vpngroup Remote wins-server 200.200.200.20
    vpngroup Remote default-domain mycorp.co.uk
    vpngroup Remote idle-time 1800
    vpngroup Remote password password
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    I will attach debug output later today.
    Thanks

  • AnyConnecy VPN and Split-tunnel ACL - Strange...

    Hi,
    I have ACL as follows and applied on AnyConnect VPN group as split-tunel value ACL.
    access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq www
    access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq https
    When I connected with AnyConnect client, I can ping to 192.168.200.63 and also telnet to port 80. However I can not telnet to port 443. Strange thing is I do not see any hits on above ACL, morever I'm wondering how cam the ICMP is working and why it does not stop on this ACL..?
    Phase: 4
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x78e03140, priority=11, domain=permit, deny=true
            hits=113713, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
            input_ifc=outside, output_ifc=any
    When I did the packet-tracer both ICMP and http it just drop on Phase 4..as bellow, I just want to know what this ACL and where its been applied to..?
    What is the correct syntax for packet-tracer command when troubleshooting AnyConnect VPN to check access inside/dmz server..?
    I have used as follows:
    packet-tracer input outside icmp 172.16.1.1 0 8 192.168.200.63 details
    Appreciate if someone can help me out on this..
    thanks

    To start with it is not ideal to configure a port based split tunnel. It is not support and will give you weird results like one you are experiencing. You should use standard access-list for the split tunnel and to restrict the users to the following port use vpn filter.
    As far as packet tracer is concerned for the VPN client if you use the outside interface as source it will never work the reason is the connection between the ASA and the client is of real IP address (Public) and the traffic that you are testing with is a VPN encrypted traffic your ASA's outside interface doesn't know what is 172.16.1.1, he will check it against the outside access-list and will drop it.
    So in your case i would strongly recommed that use standard access-list for the split tunnel and to restrict the user to specific port use vpn filter. Following are the links to configure the same:
    Allow Split Tunnel for Anyconnect:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
    Configure VPN filter (Its for site to site and remote access but it works the same for Anyconnect):
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
    Thanks
    Jeet Kumar

  • Cisco 3745, VPN and Split Tunneling

    I tried following the model here: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns27/networking_solutions_white_paper09186a008018914d.shtml
    but after doing so, the situation was actually reversed. While connected to the vpn client you were able to browse the internet but not able to access vpn resources. I undid and redid the configuration several times to rule out keying in problems.
    Can one help with this problem... If needed Ill post necessary configs from my router.. Thanks
    (btw: do these froms have a search?)

    I am having the same problems with pix 501. With split tunnel, I get web but no lan access. Without split tunnel, full lan access, no web. My acl for the splitTunnel is:
    permit ip host 192.168.1.0 any
    Is this wrong?

Maybe you are looking for

  • System Restore from Time Machine Back up and Mail

    Hi I have around 16,000 Messages in my Mail 3.2 Inbox. I use Gmail IMAP service. One thing I like about Mail is that next to all my messages there are these arrows that indicate whether I have replied to or forwarded a particular message and clicking

  • A Swf into a Fla.

    Basically I'm making a website and I have an animation that uses a V-Cam. I want to put this animation into my website. The probelm is if I just load it, you can "see" the v-cam but you're not looking through it. It's wierd to explain now that I actu

  • Adobe website issue

    I am trying to login to a website that requires adobe flash, I have flash 11 installed on my windows vista 32 bit system and my broswer is explorer 9. After I enter my login and password I get a pop up window that has an error message. I have no clue

  • Scrap in Subcontracting

    Hi all can some one tell me How is scrap accounted in subcontracting ? regards Bhushan.N

  • Time machine cause kernel panic

    I've updated to 10.6.4 yesterday, today when time machine running the kernel panic appear. what should i do... i'm very new to mac, i'm just upgraded from pc 3 days ago.