anyconnect vpn, can't get internet

Neetu Bhushan
Level 1

Hi all,

Need help again... my AnyConnect VPN can't route to the internet, but my inside interface can...

Here's my show run below:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ciscoasa# sh run
: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa
domain-name test1.com
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.0.50 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.64.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.64.64_27
 subnet 192.168.64.64 255.255.255.224
no pager
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool inside-pool-vpn 192.168.64.70-192.168.64.90 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.64.64_27 NETWORK_OBJ_192.168.64.64_27 no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route inside 192.168.64.0 255.255.255.0 192.168.64.1 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAPSERVERS protocol ldap
aaa-server LDAPSERVERS (inside) host 192.168.64.100
 ldap-base-dn dc=test1,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=administrator,cn=Users,dc=test1,dc=com
 server-type auto-detect
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa.test1.com
 proxy-ldc-issuer
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate e0a96d51
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 192.168.64.40-192.168.64.60 inside
dhcpd dns 192.168.0.1 192.168.64.100 interface inside
dhcpd lease 200000 interface inside
dhcpd domain test1.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect profiles anyconnect-vpn_client_profile disk0:/anyconnect-vpn_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_anyconnect-vpn internal
group-policy GroupPolicy_anyconnect-vpn attributes
 wins-server none
 dns-server value 192.168.0.1 192.168.64.100
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value test1.com
 webvpn
  anyconnect profiles value anyconnect-vpn_client_profile type user
username rickyv password gw5iJZK0zpRVc1Ur encrypted
tunnel-group anyconnect-vpn type remote-access
tunnel-group anyconnect-vpn general-attributes
 address-pool inside-pool-vpn
 authentication-server-group LDAPSERVERS LOCAL
 default-group-policy GroupPolicy_anyconnect-vpn
tunnel-group anyconnect-vpn webvpn-attributes
 group-alias anyconnect-vpn enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ee1ad0b35257ed2f09d75ebae6c4926c
: end
ciscoasa#

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The digital cert is self-signed and the VPN can connect easily, and the user will have the shared path, meaning the VPN is working properly, but the user has no internet routing and also can't ping the GW 192.168.64.1 from the VPN client. My ASDM is 6.6.

Thanks for any comment you may add.

neetu

21 Replies

cap capout interface outside match tcp host x.x.x.x (your AnyConnect client IP address) any eq 80
cap asp type asp-drop all circular-buffer

Then try to connect to Google and provide:

show cap capout
show cap asp | include x.x.x.x (your client IP address)

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I did split tunnelling of the internet...

ciscoasa# conf t
ciscoasa(config)# access-list split-tunnel permit 10.0.100.0 255.255.255.0
ciscoasa(config)# group-policy GroupPolicy_anyconnect-vpn attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value split-tunnel
ciscoasa(config-group-policy)# end
ciscoasa#

The internet now works on the VPN client. My problem in my office test environment is that the VPN client can't route to the inside network, but in my home test environment it can. I just have to figure it out; maybe my ASA in the office has problems.

Regards and thank you...

Hello,

The split-tunneling should not be needed, as by default we will tunnel all traffic...

If the internet works right now, it's because it's using the local connection; it is not using the internet through the VPN.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
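Julio's point about tunnel-all, taken together with the settings in the opening config (address pool, NAT rules, intra-interface permit, split-tunnel list), is what decides where AnyConnect client traffic can go. The Python audit below is an added example, not code from this thread or from Cisco: it parses a constructed excerpt of the first posted config and flags the conditions under which clients lose reach to the LAN or the internet; the check set and the finding text are my own assumptions, based on Cisco's usual hairpin and pool guidance rather than anything the ASA itself reports.

```python
import ipaddress
import re
# Constructed excerpt of the first "show run" above (tunnel-all, no split-tunnel list).
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 192.168.0.50 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.64.1 255.255.255.0
same-security-traffic permit intra-interface
ip local pool inside-pool-vpn 192.168.64.70-192.168.64.90 mask 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.64.64_27 NETWORK_OBJ_192.168.64.64_27 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
"""

def parse_config(text):
    """Collect interface subnets, address pools, NAT rules and split-tunnel ACLs."""
    ifaces, pools, nats, acls, cur = {}, {}, [], {}, None
    intra, split_acl = False, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = {}
        elif line.startswith(" nameif ") and cur:
            ifaces[cur]["name"] = line.split()[1]
        elif line.startswith(" ip address ") and cur:
            ip, mask = line.split()[2:4]
            ifaces[cur]["net"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \((\w+),(\w+)\) .*?source (static|dynamic)", line):
            nats.append((m[1], m[2], m[3]))  # (real interface, mapped interface, kind)
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False))
        elif line.strip() == "same-security-traffic permit intra-interface":
            intra = True
        elif m := re.match(r"\s*split-tunnel-network-list value (\S+)", line):
            split_acl = m[1]
    return ifaces, pools, nats, acls, intra, split_acl

def audit(text):
    """Return findings about AnyConnect reachability; an empty list means none flagged."""
    ifaces, pools, nats, acls, intra, split_acl = parse_config(text)
    nets = {v["name"]: v["net"] for v in ifaces.values() if "name" in v and "net" in v}
    out = []
    for pname, (lo, hi) in pools.items():  # pool carved out of a connected subnet?
        for ifname, net in nets.items():
            if lo in net or hi in net:
                out.append(f"pool {pname} overlaps {ifname} subnet {net}: LAN hosts ARP "
                           "locally for client IPs, so reachability rests on ASA proxy-ARP")
    if split_acl is None:  # tunnel-all: client internet traffic hairpins outside->outside
        if not intra:
            out.append("tunnel-all needs 'same-security-traffic permit intra-interface'")
        if not any(r in ("outside", "any") and mp == "outside" and k == "dynamic"
                   for r, mp, k in nats):
            out.append("tunnel-all needs a dynamic NAT (outside,outside) for the VPN pool")
    elif not any(a.overlaps(n) for a in acls.get(split_acl, []) for n in nets.values()):
        out.append(f"split-tunnel list {split_acl} covers no interface subnet")
    return out
```

Run audit() over a full show run; when a split-tunnel list is configured, the last check verifies that the list actually includes one of the ASA's own interface subnets.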

My test at home is working properly on routing from the VPN to the inside and also to the internet...

: Saved
: Written by enable_15 at 19:03:06.849 UTC Thu Apr 18 2013
!
ASA Version 8.6(1)2
!
hostname ciscoasa
domain-name test1.com
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.0.50 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.64.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.64.64_27
 subnet 192.168.64.64 255.255.255.224
access-list split-tunnel standard permit 10.0.64.0 255.255.255.0
no pager
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool inside-pool-vpn 192.168.64.70-192.168.64.90 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.64.64_27 NETWORK_OBJ_192.168.64.64_27 no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route inside 192.168.64.0 255.255.255.0 192.168.64.1 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAPSERVERS protocol ldap
aaa-server LDAPSERVERS (inside) host 192.168.64.100
 ldap-base-dn dc=test1,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password Test123
 ldap-login-dn cn=administrator,cn=Users,dc=test1,dc=com
 server-type auto-detect
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa.test1.com
 proxy-ldc-issuer
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 6cfc6e51
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.64.40-192.168.64.60 inside
dhcpd dns 192.168.0.1 192.168.64.100 interface inside
dhcpd lease 200000 interface inside
dhcpd domain test1.com interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect profiles anyconnect-vpn_client_profile disk0:/anyconnect-vpn_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_anyconnect-vpn internal
group-policy GroupPolicy_anyconnect-vpn attributes
 wins-server none
 dns-server value 192.168.0.1 192.168.64.100
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value test1.com
 webvpn
  anyconnect profiles value anyconnect-vpn_client_profile type user
username rickyv password gw5iJZK0zpRVc1Ur encrypted
tunnel-group anyconnect-vpn type remote-access
tunnel-group anyconnect-vpn general-attributes
 address-pool inside-pool-vpn
 authentication-server-group LDAPSERVERS LOCAL
 default-group-policy GroupPolicy_anyconnect-vpn
tunnel-group anyconnect-vpn webvpn-attributes
 group-alias anyconnect-vpn enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d93fe36a4b479e88bb6b4e2d7dc469f1
: end

Although I have routing from the VPN client to the inside network, the packet-tracer output below looks like this...

ciscoasa# packet-tracer input outside icmp 192.168.64.70 8 0 6 192.168.64.100

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.64.0    255.255.255.0   inside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.64.64_27 NETWORK_OBJ_192.168.64.64_27 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.64.100/0 to 192.168.64.100/0

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa#

Anyway, everything is working fine... maybe the wrong netmask at my office with 24.0.0.0 is making the routing wrong; as I said, my ISP told me it's supposed to be 255.255.255.248. I will test this Sunday and I will let you know...

Thanks and more power!!!

Hello Neetu,

Yes, do that,

I mean the configuration looks good; the packet tracer will always show a drop, as the traffic is supposed to come encrypted.

The split tunnel should not be needed if we are doing a tunnel-all.

Anyway, keep us posted.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yup, it's working now, like my test environment at home. I changed it to /29 and also put a new GW on my ISP, since my ISP told me I had the wrong GW too.

Hello Neetu,

Great to hear that

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC