VPN Split Tunneling Unsuccessful
I am working on creating a split tunnel to work with a test vpn group profile. We have an external proxy service that slows users down when they are VPN'd in because their web traffic then goes through us. My goal is to configure only private IP's to come through the tunnel, any requests to public IP's should go straight out the users internet connection and not VPN.
I have created an ACL on the firewall that includes all of the standard private 192, 172, and 10 scope ips and I set the vpn group profile to only tunnel based on those IP addresses.
However when I perform this testing with the Cisco AnyConnect SSL VPN client and I look at the routing tab, it still shows 0.0.0.0 0.0.0.0 to go through the VPN tunnel and isn't splitting the traffic. I have not tested this on the orginal Cisco VPN client yet.
The configuration guides that I have looked seems to show I am setting it up correctly but am I missing anything?
Thanks
Sure, here is my test group configuration:
object-group network DM_INLINE_NETWORK_1
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
group-policy TESTVPN internal
group-policy TESTVPN attributes
wins-server value 172.16.9.221 172.16.9.222
dns-server value 172.16.9.221 172.16.9.222
vpn-idle-timeout 600
vpn-session-timeout 600
vpn-tunnel-protocol IPSec svc webvpn
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TESTVPN
secure-unit-authentication disable
user-authentication disable
nem enable
tunnel-group TESTVPN type remote-access
tunnel-group TESTVPN general-attributes
address-pool VPN_Pool
authentication-server-group VPN_Users
default-group-policy TESTVPN
dhcp-server 10.0.0.1
tunnel-group TESTVPN webvpn-attributes
group-alias TestVPN enable
tunnel-group TESTVPN ipsec-attributes
pre-shared-key *
Similar Messages
-
VPN split tunneling does not work with filtering enabled
I restricted our Windows VPN clients to reach only certain IPs and ports using filtering in their group policy. It works but I would like to add split tunneling for client's local Internet access. I temporary disabled filtering, unchecked the 'user default gateway on remote' box in properties of Windows VPN client, configured networks to be tunneled and it works. The moment I configure filters, my split tunneling does not tunnel the networks - they are not listed in Windows 'route print'. I change filtering to inherit or NONE and reconnect VPN and the tunneled networks show up again. I change filtering to a simple testing ACL/ACE and reconnect and they are gone again. Can I have split tunneling and filtering working simultaneously? Any help would be appreciated.
I'm not aware of any method named tokenize and there isn't one listing in
the alphabetic list of methods in the J2SE API. Perhaps you were thinking
of java.util.StringTokenizer, whose API contains this note:
StringTokenizer is a legacy class that is retained for compatibility reasons
although its use is discouraged in new code. It is recommended that anyone
seeking this functionality use the split method of String or the java.util.regex
package instead. -
Anyone familiar with setting up Split tunneling.
I have an Actiontec router and I'm trying to setup my work computer so it can access local network ressources and remain connected to the VPN connection to work at the same time.
My companies VPN does allow this and I have information on some settings that would need to be set but I'm not sure where and how to set them exactly.The VPN client is set to allow split tunneling but requires me to make some changes outside of that client for it to work. I'm looking for someone who has experience with those settings. It's either in the router or in my internet settings but I can't seem to make either work with the information I have.
-
VPN Split-Tunneling not working
Hello,
First off - thanks to all who post here. I often browse the forums and search for help on here and its very useful, so a great pat on the back for everyone who contributes. My first time posting so here goes.....
I have my ASA 5505 v8.2 configured to allow AnyConnect. This is working. Client can connect and access the remote systems through VPN. What is causing me a massive headache is that the client loses internet connectivity. I have played around with my config somewhat so what I am about to post I know for certain is incorrect but any help is greatly appreciated.
Notes
1. The Router was set up for a standard site-to-site VPN which is no longer functional but as you can see all the settings are still in the router.
2. The router also has a DMZ setup to allow some clients access to the internet through it using the DMZ
CONFIGURATION:
ASA Version 8.2(5)
hostname MYHOST
enable password mUUvr2NINofYuSh2 encrypted
passwd UNDrnIuGV0tAPtz2 encrypted
names
name x.x.x.x AIME-SD
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.0.0
interface Vlan7
no forward interface Vlan1
nameif DMZ
security-level 20
ip address 137.57.183.1 255.255.255.0
ftp mode passive
clock timezone MST -7
object-group network obj_any_dmz
access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255 .255.0
access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.25 5.0
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 access-list nonat
nat (DMZ) 10 137.57.183.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 64000
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set batus esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map batus 100 match address 10
crypto map batus 100 set peer AIME-SD
crypto map batus 100 set transform-set batus
crypto map batus interface outside
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=MYHOST
keypair ClientX_cert
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate 0f817951
308201e7 30820150 a0030201 0202040f 81795130 0d06092a 864886f7 0d010105
05003038 31173015 06035504 03130e41 494d452d 56504e2d 42415455 53311d30
1b06092a 864886f7 0d010902 160e4149 4d452d56 504e2d42 41545553 301e170d
31333036 32373137 32393335 5a170d32 33303632 35313732 3933355a 30383117
30150603 55040313 0e41494d 452d5650 4e2d4241 54555331 1d301b06 092a8648
86f70d01 0902160e 41494d45 2d56504e 2d424154 55533081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 818100c9 ff840bf4 cfb8d394 2c940430
1887f25a 49038aa0 1299cf10 bda2a436 227dcdbf f1c5566b c35c2f19 8b3514d3
4e24f5b1 c8840e8c 60e2b39d bdc0082f 08cce525 97ffefba d42bb087 81b9adb9
db0a8b2f b643e651 d17cd6f8 f67297f2 d785ef46 c3acbb39 615e1ef1 23db072c
783fe112 acd6dc80 dc38e94b 6e56fe94 d59d5d02 03010001 300d0609 2a864886
f70d0101 05050003 8181007e 29e90ea0 e337976e 9006bc02 402fd58a a1d30fe8
b2c1ab49 a1828ee0 488d1d2f 1dc5d150 3ed85f09 54f099b2 064cd622 dc3d3821
fca46c69 62231fd2 6e396cd1 7ef586f9 f41205af c2199174 3c5ee887 42b684c9
7f4d2045 4742adb5 d70c3805 4ad13191 8d802bbc b2bcd8c7 8eec111b 761d89f3
63ebd49d 30dd06f4 e0fa25
quit
crypto isakmp enable outside
crypto isakmp policy 40
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 DMZ
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint1 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy ClientX_access internal
group-policy ClientX_access attributes
vpn-tunnel-protocol svc
split-tunnel-network-list value split-tunneling
default-domain value access.local
address-pools value Internal_Range
ipv6-address-pools none
webvpn
svc mtu 1406
svc rekey time none
svc rekey method ssl
username ClientX password ykAxQ227nzontdIh encrypted privilege 15
username ClientX attributes
vpn-group-policy ClientX_access
service-type admin
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****
tunnel-group ClientX type remote-access
tunnel-group ClientX general-attributes
address-pool Internal_Range
default-group-policy ClientX_access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy ClientX_access
tunnel-group ClientX_access type remote-access
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e7d92a387d1c5f07e14b3c894d159ec1
: end
Thank you for any help!!Karsten!
That fixed my internet access problem. Yippee!
Unfortunately it seems to have broken my access to the internal network. Boo!
I can no longer access/ping anything on the internal IP range (192.168.101.x).
I assume this is a nat issue somewhere along the line. Posting the top half of my config for any assistance and the info requested by Raj (although VPN is connecting fine). Thank you both for your very prompt replies!!!
Short Config
object-group network obj_any_dmz
access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.255.0
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 access-list nonat
nat (DMZ) 10 137.57.183.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 207.229.2.129 1
route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
Show vpn-sessiondb svc
Session Type: SVC
Username : ClientX Index : 9
Assigned IP : 192.168.101.125 Public IP : x.x.x.x
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
License : SSL VPN
Encryption : RC4 AES128 Hashing : MD5 SHA1
Bytes Tx : 11662 Bytes Rx : 62930
Group Policy : ClientX_access Tunnel Group : DefaultWEBVPNGroup
Login Time : 22:40:56 MST Mon Jul 1 2013
Duration : 0h:11m:08s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none -
Cisco 871 to Cisco ASA 5545 Site-to-Site VPN Split Tunnel not working.
Tunnel comes up and can see and access protected traffic but cannot access web (Split Tunnel). Don't know if access problem or route issue.
Listed below is configuration for Cisco 871, any help very much appreciated.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key test address x.x.x.x
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to x.x.x.x
set peer x.x.x.x
set transform-set ESP-3DES-SHA
match address 100
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
ip address 4.34.195.193 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 172.200.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip tcp adjust-mss 1452
ip route 0.0.0.0 0.0.0.0 4.34.195.193 permanent
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
logging trap debugging
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.200.1.0 0.0.0.255 172.16.2.0 0.0.0.255I don't see any NAT configuration above. Check you can PING out to the internet (8.8.8.8 for example) from the router itself as it won't need NAT to PING from the outside interface.
Have a look at this document on setting up NAT for your inside devices:
http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html -
IP Phone SSL VPN and Split tunneling
Hi Team,
I went throught the following document which is very useful:
https://supportforums.cisco.com/docs/DOC-9124
The only things i'm not sure about split-tunneling point:
Group-policy must not be configured with split tunnel or split exclude. Only tunnel all is the supported tunneling policy
I could see many implementation when they used split-tunneling, like one of my customer:
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
banner value This system is only for Authorized users.
dns-server value 10.64.10.13 10.64.10.14
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value prod.mobily.lan
address-pools value SSLClientPool
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask none default anyconnect
username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
username manager-max attributes
vpn-group-policy GroupPolicy1
tunnel-group PhoneVPN type remote-access
tunnel-group PhoneVPN general-attributes
address-pool SSLClientPool
authentication-server-group AD
default-group-policy GroupPolicy1
tunnel-group PhoneVPN webvpn-attributes
group-url https://84.23.107.10 enable
ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
access-list split-tunnel remark split-tunnel network list
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
It is working for them w/o any issue.
My question would be
- is the limitation about split-tunneling still valid? If yes, why it is not recommended?
Thanks!
EvaHi,
If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password. If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided). Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server. If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
Did this answer your question? If so, please mark it Answered! -
CISCO ASA 5505 Split Tunnel DNS with Site to Site VPN
I have a working configuration for Site to Site VPN between our head office and a private AWS VPC instance.
The tunnel is active and I can ping the IP address of the remote network and connect to the remote machines using the IP address, but we need to use the FQDN and not the IP. We have a DNS server set up in AWS for any DNS queries for the remote domain name.
My question is whether or not the ASA 5505 supports a DNS split tunnel for Site to Site VPN and how it can be configured.
I can not find where I can interogate the DNS query to be redirected to the VPN tunnel when our domain name is used in a DNS query. Thus, any pings I try with the FQDN of our servers in AWS are failing as they are going to the default DNS, which is the internet.
Can any one point me in the right direction on how to configure this DNS rewrite so that we can access our AWS private cloud using FQDN from our AWS domain rather than an IP address?Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface. Try to be more restrictive than an '...ip any any' rule for outside_in connections. For instance, this is what I have for incoming VOIP (access list and nat rules):
access list rule:
access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
nat rule:
nat (inside,outside) source static server interface service voip-range voip-range
- 'server' is a network object *
- 'voip-range' is a service group range
I'd assume you can do something similar here in combination with my earlier comment:
access-list incoming extended permit tcp any any eq 5900
Can you explain your forwarding methodology a little more? I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to. Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ? -
SonicWall Global VPN Client and Split tunneling
Hello All,
I searched Google and the forums here and can't find someone with the same problem.
Lets start at the beginning-Just started this job a couple months ago and people brought to my attention immediately an issue while they were on the VPN they could not get to the internet. I know about the different security risks but we have multiple field reps that need internet access while using our CRM program. So I setup Split Tunneling on the Sonicwall. Tested and works fine on my home PC using a WRT54GS Ver 2.1 and the SonicWall Global VPN Client.
So I was sure everything was fine until I just sent out 2 laptops to 2 different sales reps and they are both having the same issue. They can get into the internal network but can't access the internet. They are both on WRT54G (different Vers.). I tested the VPN client on both laptops with tethering on my cell phone and the split tunneling works. I have tried updating firmware thinking that was the issue. I also tried to put their home network on a different subnet. All with no joy. I was wondering if anyone ever ran into something like this or have any clues what to try next.
-Thank You in advance for your time.
Message Edited by Chris_F on 01-11-2010 07:41 AM
Chris F.
CCENT, CCNA, CCNA SecOf course, you do as you are told. But I hope you keep written record of what you have been told and have it signed of whoever told you to set it up. It's essential that you stay on the safe side in these matters.
I have read of too many cases where the system/security admin did not do so and in the end was held responsible for security incidents simply because he was told to do something to jeopardize security of the network. Remember, that usually the person who tells you do to so has no idea about the full security implication of a decision.
Thus, I highly recommend to require your road staff to connect with no split tunneling. Refuse to do otherwise unless you have it in writing and you won't be held reliable in any way if something happens because of it.
Just think what happens if the whole customer database gets stolen because of one of the remote sales reps... There is a reason why you apply this web site blocking on your firewalls and there is absolutely no reason that would justify why your remote sale reps don't go through the very same firewall while accessing company-sensitive data in your CRM.
So put that straight with whoever told you to do otherwise and if you they still want to continue anyway get it in writing. Once you ask for the statement in writing many decision-makers come to their senses and let you do your job at the best you can and for what you were hired... And if not, well, at least you got rid of the responsibility in that aspect. -
RV220W, VPN client, and Full Tunnel vs Split Tunnel capabilities
For an RV220W, which VPN client mode (of the three possibilities) supports which Tunnel mode?
This is mostly a question, and partly "in use" observations.
Background: I have been able to get all three different VPN clients to work with an RV220W, but only one of the three works in "Full Tunnel" mode (SSL VPN). And since I know one of the three -- the Cisco QuickVPN client -- will never with in that mode, do we know if an RV220W will with an IPSec client in Full Tunnel Mode?
If anyone answers yes, the next question will be vpn client and how did you configure it, client and RV220W, to make full tunnel work.
Summary of VPN modes I've gotten to work with an RV220W:
Client
Split Tunnel Works?
Full Tunnel Works?
OS?
Notes
SSL VPN
Yes
Yes
Win7/64
IE10 or IE11
QuickVPN
Yes
No
Win7/64
IPSec VPN
Yes
No
Win7/64
Shrew Soft VPN ClientI have to mark this as not a correct answer.
Reason: 0.0.0.0 will not go into either of the fields listed above, message is "Invalid IP address Please enter a value between 1 - 223 at xxx.0.0.0.".
To Michal Bruncko who posted this:
1.) 0.0.0.0 will not work in my router nor in the RV220W online emulator here, (general emulator page here), am I missing something obvious?
2.) Have you used these actual settings on your router, or did you answer in a theoretical, "this should work" way? -
Split Tunnel VPN and routing public ip traffic
Hi Everyone,
I have my split tunnel vpn working well but I need to make an adjustment. We have a few systems in the "cloud" and we only allow access from our corporate WAN IP to those servers. I need to be able to access those servers via VPN connection to the office. I added that public IP subnet to my interesting traffic and the vpn client is sending the traffic across the VPN as expected. The issue is that it somehow drops out inside the firewall it seems. Almost like it doesn't know how to route that request back out to the internet using it's own default gateway. Any thoughts as to what I may be missing, here is some of the relevant code
same-security-traffic permit intra-interface
----Interesting Traffic------
access-list vpnpool standard permit 10.1.1.0 255.255.255.0
access-list vpnpool standard permit 10.31.26.0 255.255.255.0
access-list vpnpool standard permit 10.31.61.0 255.255.255.0
access-list vpnpool standard permit 10.31.3.128 255.255.255.192
access-list vpnpool standard permit 10.31.40.128 255.255.255.240
access-list vpnpool standard permit 10.31.40.64 255.255.255.192
access-list vpnpool standard permit 50.57.0.0 255.255.0.0 -- Network of cloud servers
---Natting----------
global (outside) 1 71.174.57.78
global (dmz) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 10.1.1.0 255.255.255.0
nat (qa) 1 200.200.200.0 255.255.255.0
nat (dmz) 1 10.1.11.0 255.255.255.0
nat (dmz2) 1 192.168.1.0 255.255.255.0
---Rules and Gateway-------
access-group inbound in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 71.174.57.1 1
---VPN-----
group-policy xxx-remote internal
group-policy xxx-remote attributes
wins-server value 10.1.1.5
dns-server value 10.1.1.5 10.1.1.6
vpn-idle-timeout 60
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnpool
default-domain value xxx.local
split-dns value xxxx.local
service-type remote-access
tunnel-group xxx-vpn type remote-access
tunnel-group xxx-vpn general-attributes
address-pool vpnpool
authentication-server-group (outside) RADIUS
authentication-server-group (dmz) RADIUS
default-group-policy xxx-remote
tunnel-group xxx-vpn ipsec-attributes
pre-shared-key xxxxxThat was my mistake, I am mixing up code here. The fun of switching between new and old ASA code as well as routers
Let's do it this way, this should fix the problem. Put the NAT command the way it was as follows:
nat (Outside) 1 10.1.10.0 255.255.255.0
Now we add a NAT0 for the Outside interface. You can reuse the ACL we made if you want or make a new one, your call since you have to administrate it.
no access-list VPN-NAT
access-list VPN-NAT0 permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (Outside) 0 access-list VPN-NAT0
Now, this should properly NAT the traffic going to the Internet while excluding the traffic destined for your 10.0.0.0/8 subnet using the Nat 0.
Sorry for the round about fix, but that should take care of it. -
Is RV110W capable of "selective" VPN routing? Split tunneling?
Hello,
I'm trying to find an anwer to for a question whether the RV110W is capable of distinguish between traffic that should go to VPN tunnel and traffic that should not go thru the VPN tunnel - I think this is called split tunneling.
I've been requested to create a VPN Tunnel between an office that's using the RV110W and one corporate network where a VPN server is running. That is quite easy as I know that RV110W has VPN client mode, however there a requirement not to route all traffic through the VPN tunnel. Only traffic that directs to the corporate network (certain ragne of IP addresses) should be routed thru the VPN tunnel and the rest that directs elsewhere should not go to VPN tunnel.
Is this achievable with this device?
If not, could you recommend me a device that is capable to satisfy this requirement?
Thank you for your anwers.Ladislav,
When you create a site to site VPN tunnel, all devices on each side that are on the same VLAN in which the tunnel is created should have access to each other. It will be like they are on the same network but they will have different IP subnets. So the answer is yes, devices on the "server" side should be able to access devices on the RV110W side.
- Marty -
VM with remote access VPN without split tunneling
Hello experts,
I have customers who require to use VM in their laptop. These users also require to VPN to Corporate network to do their job. However when they do remote VPN to corporate Network (ASA VPN concentrator) from their VM host machine, they loose their access to their VM guest machines. This problem was not happening when they used cisco VPN client which has gone end of life and support as of end of July 31, 2012. In Cisco VPN client (IKEV1) if we set the protocol to udp they had no problem to keep their connectivity to VM machines while connected to corporate with remote access VPN. However this feature does not work in new Cisco VPN client which is called AnyConnect. ( NOTE: I am using IPSEC IKEV2. NO SSL at this time).
My Question to Experts:
1. Was the ability to maintain connection to VM guest machines, while connected to VPN without enabling split tunneling a security flaw in the old cisco VPN client?
2. Is there a way to maintain connectivy to VM machines installed in a computer and still connect to remote access VPN concentrator through host machine? (My question is about AnyConnect client only using IPSEC IKEV2 and I do not want to enable split tunneling)
Thanks for your help,
RaziDid you figure this out?
-
Nokia mobile VPN Client - split tunneling
Hi
I'm trying to get Nokia mobile CPN Client working with split tunneling on a Cisco firewall.
I have full access to all on my internal lan's when I make the VPN tunnel, so tunnel is up and working.
But I do not have access to anything in the internet, it tries to route internet requests through the VPN. I have set split tunneling on the Cisco firewall and it is working as intended on all other devices.
Any ideas of what I have missed?
My policy is based on the bundled Cisco_ASA_pskxauth.pol from the Nokia mobile VPN Client Policy Tool.
tsftsHi vgta2k:
Nokia 5530 XpressMusic is S60 5th edition phone.
http://www.forum.nokia.com/Devices/Device_specifications/5530_XpressMusic/
It runs different version of Nokia Mobile VPN client than Symbian^3. You can find the correct version at the download page:
http://europe.nokia.com/support/download-software/nokia-mobile-vpn/compatibility-and-download
Just use the device selector and pick your phone.
You can also find Nokia Mobile VPN Client nowadays at Ovi Store.
Thanks,
Ismo -
Remote Access VPN, no split tunneling, internet access. NAT translation problem
Hi everyone, I'm new to the forum. I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices. The configuration has been working without issues for the last couple years.
I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
I reviewed the new NAT rules for the VPN and found the culprit.
I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
Here are the NAT rules I have in place: (The "inactive" rule is the culprit. As soon as I enable this rule, the port forwarding hits a wall)
nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
nat (outside,outside) source dynamic VPN_Subnet interface inactive
object network obj_any
nat (inside,outside) dynamic interface
object network XXX_HTTP
nat (inside,outside) static interface service tcp www www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
Any help would be appreciated.Try by changing the nat rule to nat (outside,outside) after-auto source dynamic VPN_Subnet interface
With Regards,
Safwan -
AnyConnecy VPN and Split-tunnel ACL - Strange...
Hi,
I have ACL as follows and applied on AnyConnect VPN group as split-tunel value ACL.
access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq www
access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq https
When I connected with AnyConnect client, I can ping to 192.168.200.63 and also telnet to port 80. However I can not telnet to port 443. Strange thing is I do not see any hits on above ACL, morever I'm wondering how cam the ICMP is working and why it does not stop on this ACL..?
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x78e03140, priority=11, domain=permit, deny=true
hits=113713, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
When I did the packet-tracer both ICMP and http it just drop on Phase 4..as bellow, I just want to know what this ACL and where its been applied to..?
What is the correct syntax for packet-tracer command when troubleshooting AnyConnect VPN to check access inside/dmz server..?
I have used as follows:
packet-tracer input outside icmp 172.16.1.1 0 8 192.168.200.63 details
Appreciate if someone can help me out on this..
thanksTo start with it is not ideal to configure a port based split tunnel. It is not support and will give you weird results like one you are experiencing. You should use standard access-list for the split tunnel and to restrict the users to the following port use vpn filter.
As far as packet tracer is concerned for the VPN client if you use the outside interface as source it will never work the reason is the connection between the ASA and the client is of real IP address (Public) and the traffic that you are testing with is a VPN encrypted traffic your ASA's outside interface doesn't know what is 172.16.1.1, he will check it against the outside access-list and will drop it.
So in your case i would strongly recommed that use standard access-list for the split tunnel and to restrict the user to specific port use vpn filter. Following are the links to configure the same:
Allow Split Tunnel for Anyconnect:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
Configure VPN filter (Its for site to site and remote access but it works the same for Anyconnect):
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
Thanks
Jeet Kumar
Maybe you are looking for
-
Processing Static (via automatic row processing) & Dynmaic fields
Hi, I have a page that has 2 sections. Section S is statically driven which I'd like to process via a Automatic Row Process DML. Section D is for dynamic fields which I process via a PL/SQL script. I need to process Section D (dynamic) first. Now the
-
Hi gurus, I'm currently working on eBs R12. As per subect, I cannot run report builder (Report Builder: Release 10.1.2.0.2). From a terminal window, I am used to run rwbld60 & command (after setting environment variable and export DISPLAY) but in thi
-
ITunes stops working when I use ibooks or itunesu. I have just upgraded to itunes 11.1.1. I use windows 7 64 bit.
-
Change BarCode from Trip number to Pernr and Trip Number
Hi Gurus, My client wants the Expense report bar code to be changed from Trip number to Personnel number and Trip number. The technical team has been able to merge the two entries, but the report displays only 10 characters. They are unable to extend
-
Right click on datagrid question
Hi guys I'm trying to get the columnIndex on a right click on a datagrid, so that I can use it when I select an item from my custom contextMenu. Currently... data_grid.addEventListener(ListEvent.ITEM_ROLL_OVER, dataGridRollOver); private function dat