Thanks!!!! I'll try this as sone as I get home!

Thank you so much!!! I can now reach my inside network from my VPN clients, I did get the internet part to work as well, I set upp split tunnelning and got it running.

Again thank you!

Hi Johan,

I'm glad to hear that!!

So what global IP addresses are you attempting to ping?

Regards,

Anu.

P.S.: Please mark the question answered, if it has been resolved. Do rate  helpful posts. Thanks.

Sorry, you might have read the post before I edited it, I got it running with split tunneling, and was able to ping 4.2.2.2 for example, as well as dns querys!

Once more, THANKS!

I was a bit to quick in my assumption with the Split tunnel part :/

Once I enabled split tunnel I can't reach the inside network through my VPN clients no more , do you have any ideas what the problem might be?

Is it beacuse the split is trying to NAT and the nonat rule makes it into a conflict?

Hi Johan,

You can enable split tunneling in 3 ways:

1. if you want all traffic to travel over the VPN tunnel.(uses keyword "tunnel-all")

2. If you want traffic only from some networks to travel over the tunnel(uses keyword "tunnelspecified")

3. If you want traffic from some networks to not travel over the tunnel.(uses keyword"exclude-specified")

In the configuration below, it tunnels only what is given in the ACL. Rest of the traffic does not go through the VPN tunnel.

Try the following:

access-list spl_tun standard permit 172.16.30 0 255.255.255.0

group-policy VPNHOME attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value spl_tun

Let me know if this works.

Regards,

Anu.

Still don't work, I can now surf but not reach my inside network :/ sending you my present conf.

my inside addresses are:

172.16.30.1 255.255.255.0 (dhcp to 32)

my vpn adresses are:

172.16.30.32 255.255.255.248

KardesASA# show running-config
: Saved
:
ASA Version 8.0(3)
!
hostname KardesASA
domain-name default.domain.invalid
enable password XXXXXXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.30.1 255.255.255.0
!
interface Vlan10
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.128
!
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
!
interface Ethernet0/2
!            
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXXXXX encrypted

ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list nonat extended permit ip 172.16.30.0 255.255.255.0 172.16.30.32 255.255.255.248
access-list MSS_EXCEEDED_ACL extended permit tcp any any
access-list VPN-SPLIT-TUNNEL remark VPN SPLIT TUNNEL
access-list VPN-SPLIT-TUNNEL standard permit 172.16.30.32 255.255.255.248
!
tcp-map MSS-MAP
  exceed-mss allow
!
pager lines 24
logging enable
logging console notifications
logging asdm notifications
mtu inside 1500
mtu outside 1500
ip local pool VPN 172.16.30.33-172.16.30.38 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.30.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.16.30.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 172.16.30.0 255.255.255.0 inside
telnet timeout 5
ssh 172.16.30.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 172.16.30.10-172.16.30.32 inside
dhcpd dns 1.1.1.2 1.1.1.3 interface inside
dhcpd lease 432000 interface inside
dhcpd domain kardellskillby interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
group-policy VPNHOME internal
group-policy VPNHOME attributes
dns-server value 1.1.1.2 1.1.1.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SPLIT-TUNNEL
default-domain value kardellskillbyvpn
split-dns value 1.1.1.2 1.1.1.3
msie-proxy method no-proxy
username admin password XXXXXX encrypted privilege 15
username Karde password XXXXXX encrypted privilege 0
username Karde attributes
vpn-group-policy VPNHOME
username Malin password XXXXXXXX encrypted privilege 0
username Malin attributes
vpn-group-policy VPNHOME
tunnel-group VPNHOME type remote-access
tunnel-group VPNHOME general-attributes
address-pool VPN
default-group-policy VPNHOME
tunnel-group VPNHOME ipsec-attributes
pre-shared-key *
!
class-map MSS_EXCEEDED_MAP
match access-list MSS_EXCEEDED_ACL
class-map inspection_default
match default-inspection-traffic
!
!            
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect tftp
  inspect icmp error
  inspect pptp
  inspect ipsec-pass-thru
  inspect icmp
class MSS_EXCEEDED_MAP
  set connection advanced-options MSS-MAP
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:c668d6903f535591682c72937624ed45
: end

Hi Johan,

I'm sorry for getting back to you so late. We are trying to tunnel traffic going to the internal network, which is 172.16.30.0. In your config, "access-list VPN-SPLIT-TUNNEL standard permit 172.16.30.32 255.255.255.248 " is incorrect. What we have to do, is tunnel traffic destined to the resources inside your network, say to some server. So, the Split tunnel ACL should be:

access-list VPN-SPLIT-TUNNEL standard permit 172.16.30.0 255.255.255.0

Let me know if this works.

Thanks,

Anu.

THANKS!!!!!

IT DID THE TRICK

So, I'm specifing that all my traffic, even the internet, should go through the tunnel?

One thing this dig though was disabling my traceroutes from the inside clients, :/, shouldn't this be covered by the policy-map?

policy-map global_policy

class inspection_default
  inspect ftp
  inspect tftp
  inspect icmp error
  inspect pptp
  inspect ipsec-pass-thru
  inspect icmp

do you have any quick guidence on why, if not I'll search the net, you have helped me more than enough!!!!

Can't thank you enough!!!!!!

Hi Johan,

I'm glad i could help!

With that ACL you are specifying traffic destined to the 172.16.30.0 network to be tunnelled. 172.16.30.32 is the source which requests for resources from inside the network. All the other traffic(say, to the Internet) will not be tunnelled.

If you want traceroutes to be allowed through the ASA, you need to specify an ACL and apply it to the outside interface. Here is a document to help you with this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#trace

Regards,

Anu.

Thanks once more !

No problem. Have a great day!

Regards,

Anu.