Split Tunnel VPN and routing public ip traffic

Similar Messages

• Connect to server using VPN and router, then 3rd party software hangs

  I connect to my employer server using *Apani Contivity VPN* software to get email, accessing the internet with FireFox and any of the following devices *NetGear RP614v3, Linksys BEFSR41* routers, as well as a *Belkin F5D5131-5* switch. I can connect to the internet and log onto the company server. Then I spuraticly, but persistently, have *software hangs when I try to open the software or execute a save when using: Text Edit, MS Entourage, Quark, Adobe Photoshop and Bridge*. I use one of 2 Macs in a company of PCs and the other Mac user does not have these problems. Help.

  Hi, and a warm welcome to the forums!
  Done these two lately?
  Using Disk Utility in Mac OS X 10.4.3 or later to verify or repair disks...
  http://docs.info.apple.com/article.html?artnum=302672
  About Disk Utility's Repair Disk Permissions feature...
  http://docs.info.apple.com/article.html?artnum=25751
  Reboot needed if many Permissions are fixed, and possibly reapply latest Combo Update also.

• Help With split tunneling and multiple subnets behind asa

  Hello All,
  our vpn clients can no longer access internet while connected to vpn.
  I was hoping I could get an answer on here for an issue we are having. let me explain this with as little words as possible.
  here was old network layout:
  ASA
  192.168.1.1   ---->  the rest of the internal subnet (was only subnet in network)
  now
  ASA                              3560
  192.168.254.1/24 ----->192.168.254.2/24-->192.168.1.1/24
                                                                 192.168.2.1/24
  so what we did was route from 3560 to asa  so we would be able to have multiple subnets since our asa has base license.
  Our vpn with easy connect worked with our split tunneling before and now we made the change above and it no longer works. Can someone help me out as to why it no longer works and what changed need to be made to make it work.
  Thank you.
  ciscoasa# sh run
  : Saved
  ASA Version 8.2(2)
  hostname ciscoasa
  enable password 1N7bTm05RXLnBcUc encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.254.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address x.x.x.x 255.255.255.248
  interface Ethernet0/0
  switchport access vlan 2
  ftp mode passive
  clock timezone est -5
  same-security-traffic permit intra-interface
  access-list NoNat extended permit ip any 172.16.5.0 255.255.255.0
  access-list SplitTunnel standard permit 192.168.1.0 255.255.255.0
  access-list SplitTunnel standard permit 192.168.2.0 255.255.255.0
  access-list SplitTunnel standard permit 192.168.254.0 255.255.255.0
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNPool 172.16.5.1-172.16.5.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list NoNat
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
  route inside 192.168.1.0 255.255.255.0 192.168.254.2 1
  route inside 192.168.2.0 255.255.255.0 192.168.254.2 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set TransformSet1 esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map DynamicMap1 1 set transform-set TransformSet1
  crypto map MainMap 999 ipsec-isakmp dynamic DynamicMap1
  crypto map MainMap interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet 0.0.0.0 0.0.0.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 64.90.182.55 source outside
  webvpn
  enable outside
  svc image disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1
  svc enable
  tunnel-group-list enable
  group-policy RenotreUsers internal
  group-policy RemoteUsers internal
  group-policy RemoteUsers attributes
  vpn-tunnel-protocol svc webvpn
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SplitTunnel
  tunnel-group RemoteUsers type remote-access
  tunnel-group RemoteUsers general-attributes
  address-pool VPNPool
  default-group-policy RemoteUsers
  tunnel-group RemoteUsers webvpn-attributes
  group-alias Southeast-Security-VPN enable
  tunnel-group RemoteUsers ipsec-attributes
  pre-shared-key *****

  I think it could be your NAT statement. You should try an avoid using any unless you tunnel everything. Try making this change
  no access-list NoNat extended permit ip any 172.16.5.0 255.255.255.0
  object-group network INTERNAL_NETWORKS
  description Internal Networks
  network-object 192.168.1.0 255.255.255.0
  network-object 192.168.2.0 255.255.255.0
  network-object 192.168.254.0 255.255.255.0
  access-list NoNat extended permit ip object-group INTERNAL_NETWORKS 172.16.5.0 255.255.255.0
  You may have to re-add your NAT0
  nat (inside) 0 access-list NoNat

• Unable to access inside network using Split tunnel RA VPN

  Hi Everyone,
  I configured RA Split tunnel VPN.
  Connection works fine.
  Inside Interface of ASA has connection to Switch IP 10.1.12.1.
  When connected via RA VPN i try https://10.1.12.1 but it does not open up.
  Inside Interface of ASA has IP 10.0.0.1
  ASA1#                                                                         $
  Session Type: IKEv1 IPsec Detailed
  Username     : ipsec-user             Index        : 23
  Assigned IP  : 10.0.0.51              Public IP    : 192.168.98.2
  Protocol     : IKEv1 IPsec
  License      : Other VPN
  Encryption   : IKEv1: (1)AES256  IPsec: (1)AES128
  Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
  Bytes Tx     : 2130969                Bytes Rx     : 259008
  Pkts Tx      : 6562                   Pkts Rx      : 3682
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
  Group Policy : ipsec-group            Tunnel Group : ipsec-group
  Login Time   : 11:10:41 MST Sun Jan 26 2014
  Duration     : 0h:40m:30s
  Inactivity   : 0h:00m:00s
  NAC Result   : Unknown
  VLAN Mapping : N/A                    VLAN         : none
  IKEv1 Tunnels: 1
  IPsec Tunnels: 1
  IKEv1:
    Tunnel ID    : 23.1
    UDP Src Port : 62751                  UDP Dst Port : 500
    IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
    Encryption   : AES256                 Hashing      : SHA1
    Rekey Int (T): 86400 Seconds          Rekey Left(T): 83975 Seconds
    D/H Group    : 2
    Filter Name  :
    Client OS    : WinNT                  Client OS Ver: 5.0.07.0440
  IPsec:
    Tunnel ID    : 23.2
    Local Addr   : 0.0.0.0/0.0.0.0/0/0
    Remote Addr  : 10.0.0.51/255.255.255.255/0/0
    Encryption   : AES128                 Hashing      : SHA1
    Encapsulation: Tunnel
    Rekey Int (T): 28800 Seconds          Rekey Left(T): 26375 Seconds
    Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
    Bytes Tx     : 2137160                Bytes Rx     : 259088
    Pkts Tx      : 6571                   Pkts Rx      : 3684
  NAC:
    Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
    SQ Int (T)   : 0 Seconds              EoU Age(T)   : 2426 Seconds
    Hold Left (T): 0 Seconds              Posture Token:
    Redirect URL :
  From ASA i can ping the switch IP
  ASA1#  ping 10.1.12.1
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
  ASA1#
  logs from firewall
  Jan 26 2014 11:53:20: %ASA-6-302014: Teardown TCP connection 51636 for outside:10.0.0.51/50747(LOCAL\ipsec-user) to identity:10.0.0.1/443 duration 0:00:00 bytes 1075 TCP Reset-O (ipsec-user)
  Jan 26 2014 11:53:20: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.51/50747 to 10.0.0.1/443 flags FIN ACK  on interface outside
  Why firewall logs show https connection to 10.0.0.1 instead of  10.1.12.1?
  Regards
  Mahesh

  Hi Jouni,
  ASA1# sh ip address
  System IP Addresses:
  Interface                Name                   IP address      Subnet mask     Method
  Vlan1                    inside                 10.0.0.1        255.255.255.0   CONFIG
  Vlan2                    outside                192.168.1.171   255.255.255.0   CONFIG
  Vlan3                    sales                  10.12.12.1      255.255.255.0   CONFIG
  Current IP Addresses:
  Interface                Name                   IP address      Subnet mask     Method
  Vlan1                    inside                 10.0.0.1        255.255.255.0   CONFIG
  Vlan2                    outside                192.168.1.171   255.255.255.0   CONFIG
  Vlan3                    sales                  10.12.12.1      255.255.255.0   CONFIG
  Connection is split tunnel.
  when i check stats on vpn client all i see bypassed packets.
  ASA1#                                                       sh run group-polic$
  group-policy ipsec-group internal
  group-policy ipsec-group attributes
  dns-server value 64.59.144.19
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  ipv6-split-tunnel-policy excludespecified
  split-tunnel-network-list value ipsec-group_splitTunnelAcl
  Regards
  Mahesh
  Message was edited by: mahesh parmar

• Unable to see logs while using split tunnel for RA

  hi everyone,
  I have config RA   VPN at my home lab using split tunnel.
  I can connect fine and able to browse the internet.
  When i go to internet sites i do not see logs generated on the VPN ASA?
  Need to understand whats the reason behind this?
  ASA1# sh conn all
  5 in use, 12 most used
  UDP outside  10.0.0.51:138 inside  10.0.0.255:138, idle 0:01:38, bytes 201, flags -
  TCP outside  192.168.98.2:49509 NP Identity Ifc  192.168.1.171:443, idle 0:00:07, bytes 1067370, flags UOB
  TCP outside  192.168.98.2:49507 NP Identity Ifc  192.168.1.171:443, idle 0:00:03, bytes 137779, flags UOB
  UDP outside  192.168.98.2:49903 NP Identity Ifc  192.168.1.171:500, idle 0:00:01, bytes 40927, flags -
  TCP outside  192.168.99.2:35902 NP Identity Ifc  192.168.1.171:22, idle 0:00:00, bytes 179887, flags UOB
  Where 192.168.98.2 is IP of PC.
  10.0.0.51 is IP assigned from VPN pool to PC.
  Regards
  Mahesh

  Hi Mahesh,
  You are using Split Tunnel VPN. This means that you have configured the VPN Client connection to only tunnel specific networks through the VPN Connection while its active. You have probably configured an ACL that contains your LAN network behind the ASA.
  This means that only traffic destined to that LAN network mentioned in the ACL reaches your ASA through the VPN Connection.
  The Internet traffic of the user or any traffic that is NOT destined to that network in the ACL will simply use the VPN Client users PCs local Internet connection or local network.
  This is the reason you are not seeing any of the Internet connections from the VPN Client on the ASA. The VPN Client connection is only configured to forward traffic to the LAN network and pass all other traffic past the VPN Connection through the users local network connection.
  If you were to configure Full Tunnel VPN for the user this would mean that ALL traffic would be forwarded from the VPN Client through the ASA and the ASA would control where that traffic would be forwarded and if that traffic would be allowed.
  If you want to look at the current configuration on the CLI you would first have to issue
  show run tunnel-group
  And find the connection that you are using at the moment. Then you would have to check what "group-policy" is configured under that "tunnel-group"
  Then you could issue the command
  show run group-policy
  This would list you the Group Policy configuration for the VPN connection and would show something like this under it
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value
  The above configuration would show you the ACL that the VPN Client configuration is using to tell the VPN Client what traffic to send through the VPN Connection.
  Hope this helps
  - Jouni

• Is RV110W capable of "selective" VPN routing? Split tunneling?

  Hello,
  I'm trying to find an anwer to for a question whether the RV110W is capable of distinguish between traffic that should go to VPN tunnel and traffic that should not go thru the VPN tunnel - I think this is called split tunneling.
  I've been requested to create a VPN Tunnel between an office that's using the RV110W and one corporate network where a VPN server is running. That is quite easy as I know that RV110W has VPN client mode, however there a requirement not to route all traffic through the VPN tunnel. Only traffic that directs to the corporate network (certain ragne of IP addresses) should be routed thru the VPN tunnel and the rest that directs elsewhere should not go to VPN tunnel.
  Is this achievable with this device?
  If not, could you recommend me a device that is capable to satisfy this requirement?
  Thank you for your anwers.

  Ladislav,
  When you create a site to site VPN tunnel, all devices on each side that are on the same VLAN in which the tunnel is created should have access to each other. It will be like they are on the same network but they will have different IP subnets. So the answer is yes, devices on the "server" side should be able to access devices on the RV110W side.
  - Marty

• AnyConnecy VPN and Split-tunnel ACL - Strange...

  Hi,
  I have ACL as follows and applied on AnyConnect VPN group as split-tunel value ACL.
  access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq www
  access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq https
  When I connected with AnyConnect client, I can ping to 192.168.200.63 and also telnet to port 80. However I can not telnet to port 443. Strange thing is I do not see any hits on above ACL, morever I'm wondering how cam the ICMP is working and why it does not stop on this ACL..?
  Phase: 4
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x78e03140, priority=11, domain=permit, deny=true
          hits=113713, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
          input_ifc=outside, output_ifc=any
  When I did the packet-tracer both ICMP and http it just drop on Phase 4..as bellow, I just want to know what this ACL and where its been applied to..?
  What is the correct syntax for packet-tracer command when troubleshooting AnyConnect VPN to check access inside/dmz server..?
  I have used as follows:
  packet-tracer input outside icmp 172.16.1.1 0 8 192.168.200.63 details
  Appreciate if someone can help me out on this..
  thanks

  To start with it is not ideal to configure a port based split tunnel. It is not support and will give you weird results like one you are experiencing. You should use standard access-list for the split tunnel and to restrict the users to the following port use vpn filter.
  As far as packet tracer is concerned for the VPN client if you use the outside interface as source it will never work the reason is the connection between the ASA and the client is of real IP address (Public) and the traffic that you are testing with is a VPN encrypted traffic your ASA's outside interface doesn't know what is 172.16.1.1, he will check it against the outside access-list and will drop it.
  So in your case i would strongly recommed that use standard access-list for the split tunnel and to restrict the user to specific port use vpn filter. Following are the links to configure the same:
  Allow Split Tunnel for Anyconnect:
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
  Configure VPN filter (Its for site to site and remote access but it works the same for Anyconnect):
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
  Thanks
  Jeet Kumar

• Cisco AnyConnect SSL VPN no split tunnel and no hairpinning internet access

  Greetings,
  I am looking to configure a Cisco ASA 5515X for Cisco AnyConnect Essentials SSL VPN where ALL SSL-VPN traffic is tunneled, no split tunneling or hairpinning on the outside interface. However users require internet access. I need to route traffic out the "trusted" or "inside" interface to another device that performs content-filtering and inspection which then egresses out to the internet from there. Typically this could be done using a route-map (which ASA's do not support) or with a VRF (again, not an option on the ASA). The default route points to the outside interface toward the internet.
  Is there no other method to force all my SSL-VPN traffic out the inside interface toward LAN subnets as needed and have another default route point toward the filtering device?
  OR 
  Am I forced to put the ASA behind the filtering device somehow?

  Hi Jim,
  You can use tunnel default route for vpn traffic:
  ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled
  configure mode commands/options:
    <1-255>   Distance metric for this route, default is 1
    track     Install route depending on tracked item
    tunneled  Enable the default tunnel gateway option, metric is set to 255
  This route is applicable for only vpn traffic.
  HTH,
  Shetty

• Issues with basic VPN setup and split tunneling

  I have created an SSL VPN to a CISCO ASA 8.6 running ASDM 6.6.
  Im able to connect to the VPN and reach all the devices with the LAN but  Im not able to browse the web. When I enable the split tunnel Im able  to browse the web but then Im not able to reach any internal device.
  Here is part of the show run:
  object network RedInterna
  subnet 150.211.101.0 255.255.255.0
  description Red Interna
  object network NETWORK_OBJ_10.4.1.0_28
  subnet 10.4.1.0 255.255.255.240
  access-list inside_access_in extended permit ip object RedInterna any
  access-list VPN_INTERNET standard permit 150.211.101.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu management 1500
  ip local pool VPN_POOL 10.4.1.1-10.4.1.14 mask 255.255.255.240
  failover
  failover lan unit secondary
  failover lan interface fail-1 GigabitEthernet0/2
  failover key *****
  failover interface ip fail-1 10.3.1.21 255.255.255.252 standby 10.3.1.22
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-66114.bin
  asdm history enable
  arp timeout 14400
  nat (inside,outside) source static any any destination static  NETWORK_OBJ_10.4.1.0_28 NETWORK_OBJ_10.4.1.0_28 no-proxy-arp  route-lookup
  nat (inside,outside) after-auto source dynamic any interface
  access-group inside_access_in in interface inside
  route outside 0.0.0.0 0.0.0.0 187.217.68.145 1
  route inside 10.0.0.0 255.0.0.0 10.1.1.78 1
  route inside 150.211.0.0 255.255.0.0 10.1.1.78 1
  webvpn
  enable outside
  anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
  anyconnect enable
  tunnel-group-list enable
  group-policy GroupPolicy_VPN_ internal
  group-policy GroupPolicy_VPN_ attributes
  wins-server none
  dns-server value 8.8.8.8
  vpn-tunnel-protocol ssl-client
  default-domain value dominio.com.mx
  tunnel-group VPN_ type remote-access
  tunnel-group VPN_ general-attributes
  address-pool VPN_POOL
  default-group-policy GroupPolicy_VPN_
  tunnel-group VPN_ webvpn-attributes
  group-alias VPN_ enable
  I´m not sure if Im missing some small details or setup. Any help will be highly appreciated.
  Thanks!!!

  Hi,
  When you are using Full Tunnel VPN (which is the default setting) you will have a couple of things that you need to configure on the ASA.
  First, the ASA by default won't allow traffic to enter through an interface and then leave through that same interface. This is what essentially happens when the traffic from the VPN Client comes to the ASA and then heads out to the Internet.  In your case the traffic comes through the "outside" and leaves through the "outside" interface.
  You will need this command
  same-security-traffic permit intra-interface
  You can check if its enabled at the moment with the command
  show run same-security-traffic
  Second, the VPN users will need to have NAT configuration just like any LAN users behind the actual ASA. So you will essentially have to configure Dynamic PAT for traffic from "outside" to "outside"
  You can accomplish that with the following configuration
  object network VPN-PAT
  subnet 10.4.1.0 255.255.255.240
  nat (outside,outside) dynamic interface
  I would imagine that this should do it for you to be able to connect to the Internet and to the LAN network when the VPN is active.
  Hope this helps
  Let me know how it goes.
  - Jouni

• How to configure full tunnel with VPN client and router?

  I know the concept of split tunnel....Is it possibe to configure vpn client and router full tunnel or instead of router ASA? I know filter options in concentrators is teher options in ISR routers or ASA?

  I think it is possible. Following links may help you
  http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

• RV220W, VPN client, and Full Tunnel vs Split Tunnel capabilities

  For an RV220W, which VPN client mode (of the three possibilities) supports which Tunnel mode? 
  This is mostly a question, and partly "in use" observations.
  Background: I have been able to get all three different VPN clients to work with an RV220W, but only one of the three works in "Full Tunnel"  mode (SSL VPN). And since I know one of the three -- the Cisco QuickVPN client -- will never with in that mode, do we know if an RV220W will with an IPSec client in Full Tunnel Mode? 
  If anyone answers yes, the next question will be vpn client and how did you configure it, client and RV220W, to make full tunnel work.
  Summary of VPN modes I've gotten to work with an RV220W:
  Client
  Split Tunnel Works?
  Full Tunnel Works?
  OS?
  Notes
  SSL VPN
  Yes
  Yes
  Win7/64
  IE10 or IE11
  QuickVPN
  Yes
  No
  Win7/64
  IPSec VPN
  Yes
  No
  Win7/64
  Shrew Soft VPN Client

  I have to mark this as not a correct answer.
  Reason: 0.0.0.0 will not go into either of the fields listed above, message is "Invalid IP address Please enter a value between 1 - 223 at xxx.0.0.0.".
  To Michal Bruncko who posted this:
  1.) 0.0.0.0 will not work in my router nor in the RV220W online emulator here, (general emulator page here), am I missing something obvious?
  2.) Have you used these actual settings on your router, or did you answer in a theoretical, "this should work" way?

• RA VPN on ASA and Split Tunneling

  Hello Forum,
  I'm having an issue with RA VPN and split tunneling. Our company doesn't allow split tunneling.
  I have the following....
  ASA 5520 - ASA Version - 8.0(3)
  Group Policies defined for different groups. My test group, I thought I disabled split tunneling but they are still able to surf the net.
  For Split Tunneling Policy...
  Inherit is unchecked
  I have "Tunnel Network List Below"
  Testing_splitTunnelAcl is my acl. I have a bunch of host IPs in the list. I don't have any or 0.0.0.0 in the list.
  But they can still surf the net.
  I would like to block access to net. No hairpinning or internet u-turns.
  How do I do this?
  Any help greatly appreciated.
  Regards,

  What does your Testing_spliTunnelAcl have?
  To disable split tunneling, your Testing_spliTunnelAcl should only have this...
  access-list Testing_splitTunnelAcl standard permit any
  ...which means all traffic will be encrypted and will be sent to ASA no matter what. If you add any IP Address, only those traffic destined to the IP Address in the list will be encrypted and send to ASA, everything else will go to internet from the client.
  It may be confusing but try and see what happens.

• Cisco 3745, VPN and Split Tunneling

  I tried following the model here: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns27/networking_solutions_white_paper09186a008018914d.shtml
  but after doing so, the situation was actually reversed. While connected to the vpn client you were able to browse the internet but not able to access vpn resources. I undid and redid the configuration several times to rule out keying in problems.
  Can one help with this problem... If needed Ill post necessary configs from my router.. Thanks
  (btw: do these froms have a search?)

  I am having the same problems with pix 501. With split tunnel, I get web but no lan access. Without split tunnel, full lan access, no web. My acl for the splitTunnel is:
  permit ip host 192.168.1.0 any
  Is this wrong?

• IP Phone SSL VPN and Split tunneling

  Hi Team,
  I went throught the following document which is very useful:
  https://supportforums.cisco.com/docs/DOC-9124
  The only things i'm not sure about split-tunneling point:
  Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
  I could see many implementation when they used split-tunneling, like one of my customer:
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  banner value This system is only for Authorized users.
  dns-server value 10.64.10.13 10.64.10.14
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-tunnel
  default-domain value prod.mobily.lan
  address-pools value SSLClientPool
  webvpn
    anyconnect keep-installer installed
    anyconnect ssl rekey time 30
    anyconnect ssl rekey method ssl
    anyconnect ask none default anyconnect
  username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
  username manager-max attributes
  vpn-group-policy GroupPolicy1
  tunnel-group PhoneVPN type remote-access
  tunnel-group PhoneVPN general-attributes
  address-pool SSLClientPool
  authentication-server-group AD
  default-group-policy GroupPolicy1
  tunnel-group PhoneVPN webvpn-attributes
  group-url https://84.23.107.10 enable
  ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
  access-list split-tunnel remark split-tunnel network list
  access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
  It is working for them w/o any issue.
  My question would be
  - is the limitation about split-tunneling still valid? If yes, why it is not recommended?
  Thanks!
  Eva

  Hi,
  If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
  Did this answer your question? If so, please mark it Answered!

• SonicWall Global VPN Client and Split tunneling

  Hello All,
  I searched Google and the forums here and can't find someone with the same problem.
  Lets start at the beginning-Just started this job a couple months ago and people brought to my attention immediately an issue while they were on the VPN they could not get to the internet.  I know about the different security risks but we have multiple field reps that need internet access while using our CRM program.  So I setup Split Tunneling on the Sonicwall. Tested and works fine on my home PC using a WRT54GS Ver 2.1 and the SonicWall Global VPN Client.
  So I was sure everything was fine until I just sent out 2 laptops to 2 different sales reps and they are both having the same issue.  They can get into the internal network but can't access the internet.  They are both on WRT54G (different Vers.).  I tested the VPN client on both laptops with tethering on my cell phone and the split tunneling works. I have tried updating firmware thinking that was the issue.  I also tried to put their home network on a different subnet.  All with no joy.  I was wondering if anyone ever ran into something like this or have any clues what to try next. 
  -Thank You in advance for your time.
  Message Edited by Chris_F on 01-11-2010 07:41 AM
  Chris F.
  CCENT, CCNA, CCNA Sec

  Of course, you do as you are told. But I hope you keep written record of what you have been told and have it signed of whoever told you to set it up. It's essential that you stay on the safe side in these matters.
  I have read of too many cases where the system/security admin did not do so and in the end was held responsible for security incidents simply because he was told to do something to jeopardize security of the network. Remember, that usually the person who tells you do to so has no idea about the full security implication of a decision.
  Thus, I highly recommend to require your road staff to connect with no split tunneling. Refuse to do otherwise unless you have it in writing and you won't be held reliable in any way if something happens because of it.
  Just think what happens if the whole customer database gets stolen because of one of the remote sales reps... There is a reason why you apply this web site blocking on your firewalls and there is absolutely no reason that would justify why your remote sale reps don't go through the very same firewall while accessing company-sensitive data in your CRM.
  So put that straight with whoever told you to do otherwise and if you they still want to continue anyway get it in writing. Once you ask for the statement in writing many decision-makers come to their senses and let you do your job at the best you can and for what you were hired... And if not, well, at least you got rid of the responsibility in that aspect.