Unable to see logs while using split tunnel for RA

mahesh18
Level 6

hi everyone,

I have configured RA VPN at my home lab using split tunnel.

I can connect fine and am able to browse the internet.

When I go to internet sites I do not see logs generated on the VPN ASA.

Need to understand what's the reason behind this?

ASA1# sh conn all

5 in use, 12 most used

UDP outside  10.0.0.51:138 inside  10.0.0.255:138, idle 0:01:38, bytes 201, flags -

TCP outside  192.168.98.2:49509 NP Identity Ifc  192.168.1.171:443, idle 0:00:07, bytes 1067370, flags UOB

TCP outside  192.168.98.2:49507 NP Identity Ifc  192.168.1.171:443, idle 0:00:03, bytes 137779, flags UOB

UDP outside  192.168.98.2:49903 NP Identity Ifc  192.168.1.171:500, idle 0:00:01, bytes 40927, flags -

TCP outside  192.168.99.2:35902 NP Identity Ifc  192.168.1.171:22, idle 0:00:00, bytes 179887, flags UOB

Where 192.168.98.2 is IP of PC.

10.0.0.51 is IP assigned from VPN pool to PC.

Regards

Mahesh


4 Replies

Jouni Forss
VIP Alumni

Hi Mahesh,

You are using Split Tunnel VPN. This means that you have configured the VPN Client connection to only tunnel specific networks through the VPN Connection while it's active. You have probably configured an ACL that contains your LAN network behind the ASA.

This means that only traffic destined to that LAN network mentioned in the ACL reaches your ASA through the VPN Connection.

The Internet traffic of the user or any traffic that is NOT destined to that network in the ACL will simply use the VPN Client user's PC's local Internet connection or local network.

This is the reason you are not seeing any of the Internet connections from the VPN Client on the ASA. The VPN Client connection is only configured to forward traffic to the LAN network and pass all other traffic past the VPN Connection through the user's local network connection.

If you were to configure Full Tunnel VPN for the user this would mean that ALL traffic would be forwarded from the VPN Client through the ASA and the ASA would control where that traffic would be forwarded and if that traffic would be allowed.

If you want to look at the current configuration on the CLI you would first have to issue

show run tunnel-group

And find the connection that you are using at the moment. Then you would have to check what "group-policy" is configured under that "tunnel-group".

Then you could issue the command

show run group-policy

This would list the Group Policy configuration for the VPN connection and would show something like this under it:

split-tunnel-policy tunnelspecified

split-tunnel-network-list value

The above configuration would show you the ACL that the VPN Client configuration is using to tell the VPN Client what traffic to send through the VPN Connection.

Hope this helps

- Jouni
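To make the point above concrete, here is an added example (not from the thread or from Cisco) that parses a group-policy snippet like Mahesh's, decides for a given destination whether the client tunnels it (and so whether the ASA can ever log it), and audits "sh conn" lines for pool-sourced flows leaving the LAN. It assumes the ACL covers 192.168.1.0/24, the pool is 10.0.0.0/24 and the LAN is 192.168.1.0/24, none of which the thread states.

```python
import ipaddress
import re

# Constructed sample modelled on Mahesh's "sh run group-policy ipsec-group" output.
# Assumed (the thread never shows them): the ACL contains 192.168.1.0/24, the VPN pool
# "10-pool" is 10.0.0.0/24, and the LAN behind ASA1 is 192.168.1.0/24.
SPLIT_ACLS = {"ipsec-group_splitTunnelAcl": ["192.168.1.0/24"]}
GROUP_POLICY = """\
group-policy ipsec-group attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ipsec-group_splitTunnelAcl
"""
# Two "sh conn all" lines copied from the question.
SHOW_CONN = """\
UDP outside  10.0.0.51:138 inside  10.0.0.255:138, idle 0:01:38, bytes 201, flags -
TCP outside  192.168.98.2:49509 NP Identity Ifc  192.168.1.171:443, idle 0:00:07, bytes 1067370, flags UOB
"""

def parse_split_policy(text):
    """Return (split-tunnel-policy, ACL name); tunnelall is the ASA default when unset."""
    policy = re.search(r"split-tunnel-policy\s+(\S+)", text)
    acl = re.search(r"split-tunnel-network-list value\s+(\S+)", text)
    return (policy.group(1) if policy else "tunnelall"), (acl.group(1) if acl else None)

def reaches_asa(dst, policy, acl_name, acls):
    """True if the client tunnels traffic for dst, so the ASA can see and log it."""
    ip = ipaddress.ip_address(dst)
    if policy == "tunnelall":
        return True
    listed = any(ip in ipaddress.ip_network(n) for n in acls.get(acl_name, []))
    if policy == "tunnelspecified":   # only ACL networks go through the tunnel
        return listed
    if policy == "excludespecified":  # everything except ACL networks is tunnelled
        return not listed
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")

def pool_flows_leaving_lan(conn_text, pool, lan):
    """Count conns sourced from the VPN pool with a destination outside LAN and pool.
    Under tunnelspecified this stays 0: client Internet flows never reach the ASA."""
    pool, lan = ipaddress.ip_network(pool), ipaddress.ip_network(lan)
    pat = re.compile(r"^(?:TCP|UDP)\s+\S+\s+([\d.]+):\d+\s+.*?\s([\d.]+):\d+,")
    count = 0
    for line in conn_text.splitlines():
        m = pat.match(line)
        if m:
            src, dst = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            if src in pool and dst not in lan and dst not in pool:
                count += 1
    return count
```

After switching the policy to tunnelall, the same audit should start counting pool-sourced Internet flows, which is the visibility the question was missing.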

Hi Jouni,

Thanks for detailed explanation.

ASA1# sh run tunnel-group

tunnel-group ipsec-group type remote-access

tunnel-group ipsec-group general-attributes

address-pool 10-pool

default-group-policy ipsec-group

tunnel-group ipsec-group ipsec-attributes

ikev1 pre-shared-key *****

ASA1# sh run gro

ASA1# sh run group-p

ASA1# sh run group-policy ipsec-group

group-policy ipsec-group internal

group-policy ipsec-group attributes

dns-server value 64.59.144.19

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ipsec-group_splitTunnelAcl

Next I will configure the VPN ASA without split tunnel and see how it behaves.

Regards

Mahesh

Hi Mahesh,

Glad it helped.

If you want to change the above VPN configuration to use Full Tunnel you can try this

group-policy ipsec-group attributes

no split-tunnel-network-list value ipsec-group_splitTunnelAcl

split-tunnel-policy tunnelall

If you want to change it back to Split Tunnel then you naturally replace the above with the original configurations you had in your reply.

Notice however that now that all traffic from the VPN Client would be coming to the ASA you will also have to configure the ASA in a way that will allow the VPN users Internet connectivity (if that is what you want)

Typically this is done by adding

same-security-traffic permit intra-interface

The above command will allow the VPN user traffic coming from behind the external interface to leave to the Internet through that same external interface (in your case it might be "outside" if you are using the default interface nameif).

In addition to this you will need to perform NAT for the VPN Client users just like any LAN user behind the ASA.

This NAT configuration format naturally depends on your ASA software level

In Software 8.2 (and below) you might have the following default Dynamic PAT configuration already on the ASA

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

In this case you could simply add

nat (outside) 1

In Software 8.3 (and above) you could probably just add a new Dynamic PAT configuration with the following commands

object network VPN-PAT

subnet

nat (outside,outside) dynamic interface

Hope this helps

- Jouni

Hi Jouni,

I will most likely test this sometime today.

Hope it should work as you all explained it very well.

If not, I know you are always here to help me.

Best Regards

Mahesh
