VPN Split Tunneling Unsuccessful

Similar Messages

• VPN split tunneling does not work with filtering enabled

  I restricted our Windows VPN clients  to reach only certain IPs and ports using filtering in their group policy. It works but I would like to add split tunneling for client's local Internet access. I temporary disabled filtering, unchecked the 'user default gateway on remote' box in properties of Windows VPN client, configured networks to be tunneled and it works. The moment I configure filters, my split tunneling does not tunnel the networks - they are not listed in Windows 'route print'. I change filtering to inherit or NONE and reconnect VPN and the tunneled networks show up again. I change filtering to a simple testing ACL/ACE and reconnect and they are gone again. Can I have split tunneling and filtering working simultaneously? Any help would be appreciated.

  I'm not aware of any method named tokenize and there isn't one listing in
  the alphabetic list of methods in the J2SE API. Perhaps you were thinking
  of java.util.StringTokenizer, whose API contains this note:
  StringTokenizer is a legacy class that is retained for compatibility reasons
  although its use is discouraged in new code. It is recommended that anyone
  seeking this functionality use the split method of String or the java.util.regex
  package instead.

• VPN Split Tunneling

  Anyone familiar with setting up Split tunneling.
  I have an Actiontec router and I'm trying to setup my work computer so it can access local network ressources and remain connected to the VPN connection to work at the same time.
  My companies VPN does allow this and I have information on some settings that would need to be set but I'm not sure where and how to set them exactly.

  The VPN client is set to allow split tunneling but requires me to make some changes outside of that client for it to work. I'm looking for someone who has experience with those settings. It's either in the router or in my internet settings but I can't seem to make either work with the information I have.

• VPN Split-Tunneling not working

  Hello,
  First off - thanks to all who post here.  I often browse the forums and search for help on here and its very useful, so a great pat on the back for everyone who contributes.  My first time posting so here goes.....
  I have my ASA 5505 v8.2 configured to allow AnyConnect. This is working.  Client can connect and access the remote systems through VPN.  What is causing me a massive headache is that the client loses internet connectivity.  I have played around with my config somewhat so what I am about to post I know for certain is incorrect but any help is greatly appreciated.
  Notes
  1.  The Router was set up for a standard site-to-site VPN which is no longer functional but as you can see all the settings are still in the router.
  2.  The router also has a DMZ setup to allow some clients access to the internet through it using the DMZ
  CONFIGURATION:
  ASA Version 8.2(5)
  hostname MYHOST
  enable password mUUvr2NINofYuSh2 encrypted
  passwd UNDrnIuGV0tAPtz2 encrypted
  names
  name x.x.x.x AIME-SD
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  switchport access vlan 7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.101.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address x.x.x.x 255.255.0.0
  interface Vlan7
  no forward interface Vlan1
  nameif DMZ
  security-level 20
  ip address 137.57.183.1 255.255.255.0
  ftp mode passive
  clock timezone MST -7
  object-group network obj_any_dmz
  access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255                                                                                        .255.0
  access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.25                                                                                        5.0
  access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
  access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
  pager lines 24
  logging enable
  logging buffered debugging
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu DMZ 1500
  ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 10 interface
  nat (inside) 0 access-list no_nat
  nat (inside) 1 access-list nonat
  nat (DMZ) 10 137.57.183.0 255.255.255.0
  route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
  route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable 64000
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set batus esp-aes-256 esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map batus 100 match address 10
  crypto map batus 100 set peer AIME-SD
  crypto map batus 100 set transform-set batus
  crypto map batus interface outside
  crypto ca trustpoint ASDM_TrustPoint1
  enrollment self
  subject-name CN=MYHOST
  keypair ClientX_cert
  crl configure
  crypto ca certificate chain ASDM_TrustPoint1
  certificate 0f817951
      308201e7 30820150 a0030201 0202040f 81795130 0d06092a 864886f7 0d010105
      05003038 31173015 06035504 03130e41 494d452d 56504e2d 42415455 53311d30
      1b06092a 864886f7 0d010902 160e4149 4d452d56 504e2d42 41545553 301e170d
      31333036 32373137 32393335 5a170d32 33303632 35313732 3933355a 30383117
      30150603 55040313 0e41494d 452d5650 4e2d4241 54555331 1d301b06 092a8648
      86f70d01 0902160e 41494d45 2d56504e 2d424154 55533081 9f300d06 092a8648
      86f70d01 01010500 03818d00 30818902 818100c9 ff840bf4 cfb8d394 2c940430
      1887f25a 49038aa0 1299cf10 bda2a436 227dcdbf f1c5566b c35c2f19 8b3514d3
      4e24f5b1 c8840e8c 60e2b39d bdc0082f 08cce525 97ffefba d42bb087 81b9adb9
      db0a8b2f b643e651 d17cd6f8 f67297f2 d785ef46 c3acbb39 615e1ef1 23db072c
      783fe112 acd6dc80 dc38e94b 6e56fe94 d59d5d02 03010001 300d0609 2a864886
      f70d0101 05050003 8181007e 29e90ea0 e337976e 9006bc02 402fd58a a1d30fe8
      b2c1ab49 a1828ee0 488d1d2f 1dc5d150 3ed85f09 54f099b2 064cd622 dc3d3821
      fca46c69 62231fd2 6e396cd1 7ef586f9 f41205af c2199174 3c5ee887 42b684c9
      7f4d2045 4742adb5 d70c3805 4ad13191 8d802bbc b2bcd8c7 8eec111b 761d89f3
      63ebd49d 30dd06f4 e0fa25
    quit
  crypto isakmp enable outside
  crypto isakmp policy 40
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 inside
  ssh 0.0.0.0 0.0.0.0 DMZ
  ssh timeout 10
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
  ssl trust-point ASDM_TrustPoint1 outside
  webvpn
  enable outside
  svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
  svc enable
  group-policy ClientX_access internal
  group-policy ClientX_access attributes
  vpn-tunnel-protocol svc
  split-tunnel-network-list value split-tunneling
  default-domain value access.local
  address-pools value Internal_Range
  ipv6-address-pools none
  webvpn
    svc mtu 1406
    svc rekey time none
    svc rekey method ssl
  username ClientX password ykAxQ227nzontdIh encrypted privilege 15
  username ClientX attributes
  vpn-group-policy ClientX_access
  service-type admin
  tunnel-group x.x.x.x type ipsec-l2l
  tunnel-group x.x.x.x ipsec-attributes
  pre-shared-key *****
  tunnel-group ClientX type remote-access
  tunnel-group ClientX general-attributes
  address-pool Internal_Range
  default-group-policy ClientX_access
  tunnel-group SSLClientProfile type remote-access
  tunnel-group SSLClientProfile general-attributes
  default-group-policy ClientX_access
  tunnel-group ClientX_access type remote-access
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:e7d92a387d1c5f07e14b3c894d159ec1
  : end
  Thank you for any help!!

  Karsten!
  That fixed my internet access problem.  Yippee!
  Unfortunately it seems to have broken my access to the internal network.  Boo!
  I can no longer access/ping anything on the internal IP range (192.168.101.x). 
  I assume this is a nat issue somewhere along the line.  Posting the top half of my config for any assistance and the info requested by Raj (although VPN is connecting fine).  Thank you both for your very prompt replies!!!
  Short Config
  object-group network obj_any_dmz
  access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255.255.0
  access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.255.0
  access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
  access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
  pager lines 24
  logging enable
  logging buffered debugging
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu DMZ 1500
  ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 10 interface
  nat (inside) 0 access-list no_nat
  nat (inside) 1 access-list nonat
  nat (DMZ) 10 137.57.183.0 255.255.255.0
  route outside 0.0.0.0 0.0.0.0 207.229.2.129 1
  route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  Show vpn-sessiondb svc
  Session Type: SVC
  Username     : ClientX                 Index        : 9
  Assigned IP  : 192.168.101.125        Public IP    : x.x.x.x
  Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
  License      : SSL VPN
  Encryption   : RC4 AES128             Hashing      : MD5 SHA1
  Bytes Tx     : 11662                  Bytes Rx     : 62930
  Group Policy : ClientX_access          Tunnel Group : DefaultWEBVPNGroup
  Login Time   : 22:40:56 MST Mon Jul 1 2013
  Duration     : 0h:11m:08s
  Inactivity   : 0h:00m:00s
  NAC Result   : Unknown
  VLAN Mapping : N/A                    VLAN         : none

• Cisco 871 to Cisco ASA 5545 Site-to-Site VPN Split Tunnel not working.

  Tunnel comes up and can see and access protected traffic but cannot access web (Split Tunnel). Don't know if access problem or route issue.
  Listed below is configuration for Cisco 871, any help very much appreciated.
  crypto isakmp policy 1
   encr 3des
   authentication pre-share
   group 2  
  crypto isakmp key test address x.x.x.x
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
  crypto map SDM_CMAP_1 1 ipsec-isakmp 
   description Tunnel to x.x.x.x
   set peer x.x.x.x
   set transform-set ESP-3DES-SHA 
   match address 100
  interface FastEthernet0
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface FastEthernet4
   ip address 4.34.195.193 255.255.255.192
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip route-cache flow
   duplex auto
   speed auto
   crypto map SDM_CMAP_1
  interface Vlan1
   description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
   ip address 172.200.1.1 255.255.255.0
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip route-cache flow
   ip tcp adjust-mss 1452
  ip route 0.0.0.0 0.0.0.0 4.34.195.193 permanent
  ip http server
  ip http access-class 23
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  logging trap debugging
  access-list 100 remark SDM_ACL Category=4
  access-list 100 remark IPSec Rule
  access-list 100 permit ip 172.200.1.0 0.0.0.255 172.16.2.0 0.0.0.255

  I don't see any NAT configuration above. Check you can PING out to the internet (8.8.8.8 for example) from the router itself as it won't need NAT to PING from the outside interface.
  Have a look at this document on setting up NAT for your inside devices:
  http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html

• IP Phone SSL VPN and Split tunneling

  Hi Team,
  I went throught the following document which is very useful:
  https://supportforums.cisco.com/docs/DOC-9124
  The only things i'm not sure about split-tunneling point:
  Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
  I could see many implementation when they used split-tunneling, like one of my customer:
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  banner value This system is only for Authorized users.
  dns-server value 10.64.10.13 10.64.10.14
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-tunnel
  default-domain value prod.mobily.lan
  address-pools value SSLClientPool
  webvpn
    anyconnect keep-installer installed
    anyconnect ssl rekey time 30
    anyconnect ssl rekey method ssl
    anyconnect ask none default anyconnect
  username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
  username manager-max attributes
  vpn-group-policy GroupPolicy1
  tunnel-group PhoneVPN type remote-access
  tunnel-group PhoneVPN general-attributes
  address-pool SSLClientPool
  authentication-server-group AD
  default-group-policy GroupPolicy1
  tunnel-group PhoneVPN webvpn-attributes
  group-url https://84.23.107.10 enable
  ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
  access-list split-tunnel remark split-tunnel network list
  access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
  It is working for them w/o any issue.
  My question would be
  - is the limitation about split-tunneling still valid? If yes, why it is not recommended?
  Thanks!
  Eva

  Hi,
  If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
  Did this answer your question? If so, please mark it Answered!

• CISCO ASA 5505 Split Tunnel DNS with Site to Site VPN

  I have a working configuration for Site to Site VPN between our head office and a private AWS VPC instance.
  The tunnel is active and I can ping the IP address of the remote network and connect to the remote machines using the IP address, but we need to use the FQDN and not the IP.  We have a DNS server set up in AWS for any DNS queries for the remote domain name.
  My question is whether or not the ASA 5505 supports a DNS split tunnel for Site to Site VPN and how it can be configured.
  I can not find where I can interogate the DNS query to be redirected to the VPN tunnel when our domain name is used in a DNS query.  Thus, any pings I try with the FQDN of our servers in AWS are failing as they are going to the default DNS, which is the internet.
  Can any one point me in the right direction on how to configure this DNS rewrite so that we can access our AWS private cloud using FQDN from our AWS domain rather than an IP address?

  Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface.  Try to be more restrictive than an '...ip any any' rule for outside_in connections.  For instance, this is what I have for incoming VOIP (access list and nat rules):
  access list rule:
  access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
  nat rule:
  nat (inside,outside) source static server interface service voip-range voip-range
  - 'server' is a network object *
  - 'voip-range' is a service group range
  I'd assume you can do something similar here in combination with my earlier comment:
  access-list incoming extended permit tcp any any eq 5900
  Can you explain your forwarding methodology a little more?  I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to.  Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ?

• SonicWall Global VPN Client and Split tunneling

  Hello All,
  I searched Google and the forums here and can't find someone with the same problem.
  Lets start at the beginning-Just started this job a couple months ago and people brought to my attention immediately an issue while they were on the VPN they could not get to the internet.  I know about the different security risks but we have multiple field reps that need internet access while using our CRM program.  So I setup Split Tunneling on the Sonicwall. Tested and works fine on my home PC using a WRT54GS Ver 2.1 and the SonicWall Global VPN Client.
  So I was sure everything was fine until I just sent out 2 laptops to 2 different sales reps and they are both having the same issue.  They can get into the internal network but can't access the internet.  They are both on WRT54G (different Vers.).  I tested the VPN client on both laptops with tethering on my cell phone and the split tunneling works. I have tried updating firmware thinking that was the issue.  I also tried to put their home network on a different subnet.  All with no joy.  I was wondering if anyone ever ran into something like this or have any clues what to try next. 
  -Thank You in advance for your time.
  Message Edited by Chris_F on 01-11-2010 07:41 AM
  Chris F.
  CCENT, CCNA, CCNA Sec

  Of course, you do as you are told. But I hope you keep written record of what you have been told and have it signed of whoever told you to set it up. It's essential that you stay on the safe side in these matters.
  I have read of too many cases where the system/security admin did not do so and in the end was held responsible for security incidents simply because he was told to do something to jeopardize security of the network. Remember, that usually the person who tells you do to so has no idea about the full security implication of a decision.
  Thus, I highly recommend to require your road staff to connect with no split tunneling. Refuse to do otherwise unless you have it in writing and you won't be held reliable in any way if something happens because of it.
  Just think what happens if the whole customer database gets stolen because of one of the remote sales reps... There is a reason why you apply this web site blocking on your firewalls and there is absolutely no reason that would justify why your remote sale reps don't go through the very same firewall while accessing company-sensitive data in your CRM.
  So put that straight with whoever told you to do otherwise and if you they still want to continue anyway get it in writing. Once you ask for the statement in writing many decision-makers come to their senses and let you do your job at the best you can and for what you were hired... And if not, well, at least you got rid of the responsibility in that aspect.

• RV220W, VPN client, and Full Tunnel vs Split Tunnel capabilities

  For an RV220W, which VPN client mode (of the three possibilities) supports which Tunnel mode? 
  This is mostly a question, and partly "in use" observations.
  Background: I have been able to get all three different VPN clients to work with an RV220W, but only one of the three works in "Full Tunnel"  mode (SSL VPN). And since I know one of the three -- the Cisco QuickVPN client -- will never with in that mode, do we know if an RV220W will with an IPSec client in Full Tunnel Mode? 
  If anyone answers yes, the next question will be vpn client and how did you configure it, client and RV220W, to make full tunnel work.
  Summary of VPN modes I've gotten to work with an RV220W:
  Client
  Split Tunnel Works?
  Full Tunnel Works?
  OS?
  Notes
  SSL VPN
  Yes
  Yes
  Win7/64
  IE10 or IE11
  QuickVPN
  Yes
  No
  Win7/64
  IPSec VPN
  Yes
  No
  Win7/64
  Shrew Soft VPN Client

  I have to mark this as not a correct answer.
  Reason: 0.0.0.0 will not go into either of the fields listed above, message is "Invalid IP address Please enter a value between 1 - 223 at xxx.0.0.0.".
  To Michal Bruncko who posted this:
  1.) 0.0.0.0 will not work in my router nor in the RV220W online emulator here, (general emulator page here), am I missing something obvious?
  2.) Have you used these actual settings on your router, or did you answer in a theoretical, "this should work" way?

• Split Tunnel VPN and routing public ip traffic

  Hi Everyone,
      I have my split tunnel vpn working well but I need to make an adjustment. We have a few systems in the "cloud" and we only allow access from our corporate WAN IP to those servers. I need to be able to access those servers via VPN connection to the office. I added that public IP subnet to my interesting traffic and the vpn client is sending the traffic across the VPN as expected. The issue is that it somehow drops out inside the firewall it seems. Almost like it doesn't know how to route that request back out to the internet using it's own default gateway. Any thoughts as to what I may be missing, here is some of the relevant code
  same-security-traffic permit intra-interface
  ----Interesting Traffic------
  access-list vpnpool standard permit 10.1.1.0 255.255.255.0
  access-list vpnpool standard permit 10.31.26.0 255.255.255.0
  access-list vpnpool standard permit 10.31.61.0 255.255.255.0
  access-list vpnpool standard permit 10.31.3.128 255.255.255.192
  access-list vpnpool standard permit 10.31.40.128 255.255.255.240
  access-list vpnpool standard permit 10.31.40.64 255.255.255.192
  access-list vpnpool standard permit 50.57.0.0 255.255.0.0  -- Network of cloud servers
  ---Natting----------
  global (outside) 1 71.174.57.78
  global (dmz) 1 interface
  nat (inside) 0 access-list 101
  nat (inside) 1 10.1.1.0 255.255.255.0
  nat (qa) 1 200.200.200.0 255.255.255.0
  nat (dmz) 1 10.1.11.0 255.255.255.0
  nat (dmz2) 1 192.168.1.0 255.255.255.0
  ---Rules and Gateway-------
  access-group inbound in interface outside
  access-group dmz in interface dmz
  route outside 0.0.0.0 0.0.0.0 71.174.57.1 1
  ---VPN-----
  group-policy xxx-remote internal
  group-policy xxx-remote attributes
  wins-server value 10.1.1.5
  dns-server value 10.1.1.5 10.1.1.6
  vpn-idle-timeout 60
  vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
  ipsec-udp enable
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpnpool
  default-domain value xxx.local
  split-dns value xxxx.local
  service-type remote-access
  tunnel-group xxx-vpn type remote-access
  tunnel-group xxx-vpn general-attributes
  address-pool vpnpool
  authentication-server-group (outside) RADIUS
  authentication-server-group (dmz) RADIUS
  default-group-policy xxx-remote
  tunnel-group xxx-vpn ipsec-attributes
  pre-shared-key xxxxx

  That was my mistake, I am mixing up code here. The fun of switching between new and old ASA code as well as routers
  Let's do it this way, this should fix the problem. Put the NAT command the way it was as follows:
  nat (Outside) 1 10.1.10.0 255.255.255.0
  Now we add a NAT0 for the Outside interface. You can reuse the ACL we made if you want or make a new one, your call since you have to administrate it.
  no access-list VPN-NAT
  access-list VPN-NAT0 permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.0.0.0
  nat (Outside) 0 access-list VPN-NAT0
  Now, this should properly NAT the traffic going to the Internet while excluding the traffic destined for your 10.0.0.0/8 subnet using the Nat 0.
  Sorry for the round about fix, but that should take care of it.

• Is RV110W capable of "selective" VPN routing? Split tunneling?

  Hello,
  I'm trying to find an anwer to for a question whether the RV110W is capable of distinguish between traffic that should go to VPN tunnel and traffic that should not go thru the VPN tunnel - I think this is called split tunneling.
  I've been requested to create a VPN Tunnel between an office that's using the RV110W and one corporate network where a VPN server is running. That is quite easy as I know that RV110W has VPN client mode, however there a requirement not to route all traffic through the VPN tunnel. Only traffic that directs to the corporate network (certain ragne of IP addresses) should be routed thru the VPN tunnel and the rest that directs elsewhere should not go to VPN tunnel.
  Is this achievable with this device?
  If not, could you recommend me a device that is capable to satisfy this requirement?
  Thank you for your anwers.

  Ladislav,
  When you create a site to site VPN tunnel, all devices on each side that are on the same VLAN in which the tunnel is created should have access to each other. It will be like they are on the same network but they will have different IP subnets. So the answer is yes, devices on the "server" side should be able to access devices on the RV110W side.
  - Marty

• VM with remote access VPN without split tunneling

  Hello experts,
  I have customers who require to use VM in their laptop. These users also require to VPN to Corporate network  to do their job. However when they do remote VPN to corporate Network (ASA VPN concentrator) from their VM host machine, they loose their access to their VM guest machines. This problem was not happening when they used cisco VPN client which has gone end of life and support as of end of July 31, 2012. In Cisco VPN client (IKEV1) if we set the protocol to udp they had no problem to keep their connectivity to VM machines while connected to corporate with remote access VPN. However this feature does not work in new Cisco VPN client which is called AnyConnect. ( NOTE: I am using IPSEC IKEV2. NO SSL at this time).
  My Question to Experts:
  1. Was the ability to maintain connection to VM guest machines, while connected to VPN without enabling split tunneling a security flaw in the old cisco VPN client?
  2. Is there a way to maintain connectivy to VM machines installed in a computer and still connect to remote access VPN concentrator through host machine? (My question is about AnyConnect client only using IPSEC IKEV2 and I do not want to enable split tunneling)
  Thanks for your help,
  Razi                

  Did you figure this out?

• Nokia mobile VPN Client - split tunneling

  Hi
  I'm trying to get Nokia mobile CPN Client working with split tunneling on a Cisco firewall.
  I have full access to all on my internal lan's when I make the VPN tunnel, so tunnel is up and working.
  But I do not have access to anything in the internet, it tries to route internet requests through the VPN. I have set split tunneling on the Cisco firewall and it is working as intended on all other devices.
  Any ideas of what I have missed?
  My policy is based on the bundled Cisco_ASA_pskxauth.pol from the Nokia mobile VPN Client Policy Tool.
  tsfts

  Hi vgta2k:
  Nokia 5530 XpressMusic is S60 5th edition phone.
  http://www.forum.nokia.com/Devices/Device_specific​ations/5530_XpressMusic/
  It runs different version of Nokia Mobile VPN client than Symbian^3. You can find the correct version at the download page:
  http://europe.nokia.com/support/download-software/​nokia-mobile-vpn/compatibility-and-download
  Just use the device selector and pick your phone.
  You can also find Nokia Mobile VPN Client nowadays at Ovi Store.
  Thanks,
  Ismo

• Remote Access VPN, no split tunneling, internet access. NAT translation problem

  Hi everyone, I'm new to the forum.  I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
  Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices.  The configuration has been working without issues for the last couple years.
  I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
  I reviewed the new NAT rules for the VPN and found the culprit. 
  I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
  Here are the NAT rules I have in place: (The "inactive" rule is the culprit.  As soon as I enable this rule, the port forwarding hits a wall)
  nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
  nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
  nat (outside,outside) source dynamic VPN_Subnet interface inactive
  object network obj_any
  nat (inside,outside) dynamic interface
  object network XXX_HTTP
  nat (inside,outside) static interface service tcp www www
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
  Any help would be appreciated.

  Try by changing the nat rule to nat (outside,outside) after-auto source dynamic VPN_Subnet interface
  With Regards,
  Safwan

• AnyConnecy VPN and Split-tunnel ACL - Strange...

  Hi,
  I have ACL as follows and applied on AnyConnect VPN group as split-tunel value ACL.
  access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq www
  access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq https
  When I connected with AnyConnect client, I can ping to 192.168.200.63 and also telnet to port 80. However I can not telnet to port 443. Strange thing is I do not see any hits on above ACL, morever I'm wondering how cam the ICMP is working and why it does not stop on this ACL..?
  Phase: 4
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x78e03140, priority=11, domain=permit, deny=true
          hits=113713, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
          input_ifc=outside, output_ifc=any
  When I did the packet-tracer both ICMP and http it just drop on Phase 4..as bellow, I just want to know what this ACL and where its been applied to..?
  What is the correct syntax for packet-tracer command when troubleshooting AnyConnect VPN to check access inside/dmz server..?
  I have used as follows:
  packet-tracer input outside icmp 172.16.1.1 0 8 192.168.200.63 details
  Appreciate if someone can help me out on this..
  thanks

  To start with it is not ideal to configure a port based split tunnel. It is not support and will give you weird results like one you are experiencing. You should use standard access-list for the split tunnel and to restrict the users to the following port use vpn filter.
  As far as packet tracer is concerned for the VPN client if you use the outside interface as source it will never work the reason is the connection between the ASA and the client is of real IP address (Public) and the traffic that you are testing with is a VPN encrypted traffic your ASA's outside interface doesn't know what is 172.16.1.1, he will check it against the outside access-list and will drop it.
  So in your case i would strongly recommed that use standard access-list for the split tunnel and to restrict the user to specific port use vpn filter. Following are the links to configure the same:
  Allow Split Tunnel for Anyconnect:
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
  Configure VPN filter (Its for site to site and remote access but it works the same for Anyconnect):
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
  Thanks
  Jeet Kumar