01-18-2014 08:34 AM - edited 03-11-2019 08:32 PM
Hi everyone,
I have configured RA VPN at my home lab using split tunnel.
I can connect fine and am able to browse the Internet.
When I go to Internet sites I do not see logs generated on the VPN ASA.
Need to understand what's the reason behind this?
ASA1# sh conn all
5 in use, 12 most used
UDP outside 10.0.0.51:138 inside 10.0.0.255:138, idle 0:01:38, bytes 201, flags -
TCP outside 192.168.98.2:49509 NP Identity Ifc 192.168.1.171:443, idle 0:00:07, bytes 1067370, flags UOB
TCP outside 192.168.98.2:49507 NP Identity Ifc 192.168.1.171:443, idle 0:00:03, bytes 137779, flags UOB
UDP outside 192.168.98.2:49903 NP Identity Ifc 192.168.1.171:500, idle 0:00:01, bytes 40927, flags -
TCP outside 192.168.99.2:35902 NP Identity Ifc 192.168.1.171:22, idle 0:00:00, bytes 179887, flags UOB
Where 192.168.98.2 is IP of PC.
10.0.0.51 is IP assigned from VPN pool to PC.
Regards
Mahesh
01-18-2014 08:58 AM
Hi Mahesh,
You are using Split Tunnel VPN. This means that you have configured the VPN Client connection to only tunnel specific networks through the VPN Connection while it's active. You have probably configured an ACL that contains your LAN network behind the ASA.
This means that only traffic destined to that LAN network mentioned in the ACL reaches your ASA through the VPN Connection.
The Internet traffic of the user, or any traffic that is NOT destined to that network in the ACL, will simply use the VPN Client user's PC's local Internet connection or local network.
This is the reason you are not seeing any of the Internet connections from the VPN Client on the ASA. The VPN Client connection is only configured to forward traffic to the LAN network and pass all other traffic past the VPN Connection through the user's local network connection.
If you were to configure Full Tunnel VPN for the user this would mean that ALL traffic would be forwarded from the VPN Client through the ASA and the ASA would control where that traffic would be forwarded and if that traffic would be allowed.
If you want to look at the current configuration on the CLI you would first have to issue
show run tunnel-group
And find the connection that you are using at the moment. Then you would have to check what "group-policy" is configured under that "tunnel-group"
Then you could issue the command
show run group-policy
This would list the Group Policy configuration for the VPN connection and would show something like this under it
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
The above configuration would show you the ACL that the VPN Client configuration is using to tell the VPN Client what traffic to send through the VPN Connection.
Hope this helps
- Jouni
01-18-2014 09:21 AM
Hi Jouni,
Thanks for detailed explanation.
ASA1# sh run tunnel-group
tunnel-group ipsec-group type remote-access
tunnel-group ipsec-group general-attributes
address-pool 10-pool
default-group-policy ipsec-group
tunnel-group ipsec-group ipsec-attributes
ikev1 pre-shared-key *****
ASA1# sh run gro
ASA1# sh run group-p
ASA1# sh run group-policy ipsec-group
group-policy ipsec-group internal
group-policy ipsec-group attributes
dns-server value 64.59.144.19
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ipsec-group_splitTunnelAcl
Next I will configure the VPN ASA without split tunnel and see how it behaves.
Regards
Mahesh
01-18-2014 09:28 AM
Hi Mahesh,
Glad it helped.
If you want to change the above VPN configuration to use Full Tunnel you can try this
group-policy ipsec-group attributes
no split-tunnel-network-list value ipsec-group_splitTunnelAcl
split-tunnel-policy tunnelall
If you want to change it back to Split Tunnel then you naturally replace the above with the original configurations you had in your reply.
Notice however that, now that all traffic from the VPN Client would be coming to the ASA, you will also have to configure the ASA in a way that will allow the VPN users' Internet connectivity (if that is what you want)
Typically this is done by adding
same-security-traffic permit intra-interface
The above command will allow the VPN user traffic coming from behind the external interface to leave to the Internet through that same external interface (in your case it might be "outside" if you are using the default interface nameif)
In addition to this you will need to perform NAT for the VPN Client users just like any LAN user behind the ASA.
This NAT configuration format naturally depends on your ASA software level
In Software 8.2 (and below) you might have the following default Dynamic PAT configuration already on the ASA
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
In this case you could simply add
nat (outside) 1
In Software 8.3 (and above) you could probably just add a new Dynamic PAT configuration with the following commands
object network VPN-PAT
subnet
nat (outside,outside) dynamic interface
Hope this helps
- Jouni
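The two checks Jouni walks through above (resolve tunnel-group to group-policy to split-tunnel ACL to see what the client actually sends to the ASA, then flip the policy to tunnelall and make sure the hairpin and outside-to-outside PAT are in place), as an added example that is not part of the thread and is not Cisco's code. It parses a constructed config fragment modelled on Mahesh's "show run" output; the ACL entry, the pool subnet, the VPN-PAT object's subnet and all function names are assumptions made for the example. With the split-tunnel policy in force, a destination such as 8.8.8.8 is never sent to the ASA, which is exactly why no connection or syslog entry for it shows up.

```python
# Added example (not from the thread or Cisco): audit an ASA config for split vs full tunnel.
import ipaddress
import re

# Constructed sample modelled on Mahesh's 'show run' output; the ACL
# entry, the pool subnet and the VPN-PAT object are assumptions.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
access-list ipsec-group_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
object network VPN-PAT
 subnet 10.0.0.0 255.255.255.0
 nat (outside,outside) dynamic interface
group-policy ipsec-group attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ipsec-group_splitTunnelAcl
tunnel-group ipsec-group general-attributes
 address-pool 10-pool
 default-group-policy ipsec-group
"""

def _block(config, header):
    """Yield the indented lines that follow a config header line."""
    inside = False
    for line in config.splitlines():
        if line.startswith(header):
            inside = True
        elif inside and not line.startswith(" "):
            return
        elif inside:
            yield line.strip()

def group_policy_for(config, tunnel_group):
    """Group-policy name the tunnel-group assigns by default."""
    for line in _block(config, f"tunnel-group {tunnel_group} general-attributes"):
        m = re.match(r"default-group-policy (\S+)", line)
        if m:
            return m[1]
    return None

def split_tunnel_settings(config, policy):
    """(split-tunnel-policy, ACL name); ASA's default when unset is tunnelall."""
    mode, acl = "tunnelall", None
    for line in _block(config, f"group-policy {policy} attributes"):
        if m := re.match(r"split-tunnel-policy (\S+)", line):
            mode = m[1]
        elif m := re.match(r"split-tunnel-network-list value (\S+)", line):
            acl = m[1]
    return mode, acl

def acl_networks(config, acl_name):
    """Networks permitted by a standard ACL (given in netmask form)."""
    pat = re.compile(rf"access-list {re.escape(acl_name)} standard permit (\S+) (\S+)")
    return [ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            for m in map(pat.match, config.splitlines()) if m]

def goes_through_tunnel(config, tunnel_group, destination):
    """True if client traffic to `destination` reaches the ASA (and so its logs)."""
    mode, acl = split_tunnel_settings(config, group_policy_for(config, tunnel_group))
    if mode == "tunnelall":
        return True
    listed = any(ipaddress.ip_address(destination) in n for n in acl_networks(config, acl))
    if mode == "tunnelspecified":
        return listed
    if mode == "excludespecified":
        return not listed
    raise ValueError(f"unknown split-tunnel-policy {mode!r}")

def to_full_tunnel(config, policy):
    """Apply the follow-up's change: drop the network-list, set tunnelall."""
    out, inside = [], False
    for line in config.splitlines():
        if line.startswith(f"group-policy {policy} attributes"):
            inside = True
        elif inside and not line.startswith(" "):
            inside = False
        if inside and line.lstrip().startswith("split-tunnel-network-list value"):
            continue  # same effect as 'no split-tunnel-network-list value ...'
        if inside and line.lstrip().startswith("split-tunnel-policy "):
            line = " split-tunnel-policy tunnelall"
        out.append(line)
    return "\n".join(out) + "\n"

def full_tunnel_prereqs(config, pool_subnet):
    """tunnelall needs hairpinning on outside: the intra-interface permit plus an
    outside-to-outside dynamic PAT (8.3+ object NAT form) covering the pool."""
    pool = ipaddress.ip_network(pool_subnet)
    hairpin = any(ln.strip() == "same-security-traffic permit intra-interface"
                  for ln in config.splitlines())
    pat_ok = False
    for obj in re.findall(r"^object network (\S+)", config, re.M):
        obj_net = None
        for sub in _block(config, f"object network {obj}"):
            if s := re.match(r"subnet (\S+) (\S+)", sub):
                obj_net = ipaddress.ip_network(f"{s[1]}/{s[2]}", strict=False)
            elif (sub == "nat (outside,outside) dynamic interface"
                  and obj_net is not None and pool.subnet_of(obj_net)):
                pat_ok = True
    return {"intra_interface": hairpin, "outside_pat": pat_ok}

if __name__ == "__main__":
    for dst in ("192.168.1.171", "8.8.8.8"):
        hit = goes_through_tunnel(SAMPLE_CONFIG, "ipsec-group", dst)
        print(dst, "reaches the ASA" if hit else "bypasses the ASA, so no log")
    print(full_tunnel_prereqs(to_full_tunnel(SAMPLE_CONFIG, "ipsec-group"), "10.0.0.0/24"))
```

Run against a real `show run`, the same functions tell you which destinations a client will send to the firewall (and so which ones you can expect to see in `show conn` or syslog), and after `to_full_tunnel` whether the hairpin permit and the outside PAT for the pool are present before you cut the users over.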
01-18-2014 09:32 AM
Hi Jouni,
I will most likely test this sometime today.
Hope it works, as you all explained it very well.
If not, I know you are always here to help me.
Best Regards
Mahesh