ASA5510 Split tunnel VPN client can not access internal VLANs

Hello, good day. I am running into an issue while upgrading my system. As shown in the attached diagram, I have an HPE 2920 48G L3 switch behind my ASA5510, and I have set up four VLANs and AnyConnect VPN. I had no issue at all VPNing in and accessing all of the inside 10.10.10.0 network and VLANs 100, 200 and 50, but after I set up split tunnelling for AnyConnect, I can only VPN in to my inside 10.10.10.0 network. I googled some solutions and added a route for my VPN pool (10.248.248.0) to 10.10.10.254 or 192.168.200.0 (192.168.100.0); none of them work. I am lost here. If you can help me out or have any suggestion, that would be greatly appreciated.

I have attached my ASA5510 and my HPE 2920 running configuration for your reference.

Again, thanks in advance!

Richard

10 Replies

Hello
I think what may be happening is that your AnyConnect clients' returning traffic is being NATed. Try the following:

no nat (inside,any) source dynamic OBJ_Specific_192.168.100.0 192.168.0.5
no nat (inside,any) source dynamic OBJ_Specific_192.168.200.0 192.168.0.4

no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.249.249.0_25 NETWORK_OBJ_10.249.249.0_25 no-proxy-arp route-lookup
no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.248.248.0_25 NETWORK_OBJ_10.248.248.0_25 no-proxy-arp route-lookup
no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.247.247.0_28 NETWORK_OBJ_10.247.247.0_28 no-proxy-arp route-lookup

group-policy GroupPolicy_RichardHomeVPN attributes
vpn-tunnel-protocol ssl-client ssl-clientless
address-pool ANYCONNECT-POOL
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL

! identity twice NAT (NAT exemption): inside traffic bound for each VPN pool is left untranslated
nat (inside,outside) source static Obj-0.0.0.0 Obj-0.0.0.0 destination static NETWORK_OBJ_10.249.249.0_25 NETWORK_OBJ_10.249.249.0_25
nat (inside,outside) source static Obj-0.0.0.0 Obj-0.0.0.0 destination static NETWORK_OBJ_10.248.248.0_25 NETWORK_OBJ_10.248.248.0_25
nat (inside,outside) source static Obj-0.0.0.0 Obj-0.0.0.0 destination static NETWORK_OBJ_10.247.247.0_28 NETWORK_OBJ_10.247.247.0_28



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hey Paul,

That does not seem to be working. I applied your recommendation and lost my internet when I was at home.

Hello,

remove these three lines:

--> no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.249.249.0_25 NETWORK_OBJ_10.249.249.0_25 no-proxy-arp route-lookup
--> no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.248.248.0_25 NETWORK_OBJ_10.248.248.0_25 no-proxy-arp route-lookup
--> no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.247.247.0_28 NETWORK_OBJ_10.247.247.0_28 no-proxy-arp route-lookup

and add these three lines instead:

! NAT exemption for the inside network toward each VPN pool (real and mapped objects identical on both sides)
nat (inside,outside) source static Obj_10.10.10.0 Obj_10.10.10.0 destination static NETWORK_OBJ_10.249.249.0_25 NETWORK_OBJ_10.249.249.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static Obj_10.10.10.0 Obj_10.10.10.0 destination static NETWORK_OBJ_10.248.248.0_25 NETWORK_OBJ_10.248.248.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static Obj_10.10.10.0 Obj_10.10.10.0 destination static NETWORK_OBJ_10.247.247.0_28 NETWORK_OBJ_10.247.247.0_28 no-proxy-arp route-lookup

Hi Georg, I am confused. When I first applied the solution, I gradually applied the 10.248.248.0 network and it did not work, then I applied 10.247.247.0 and 10.249.249.0, and it worked right after I applied them. Then I did a couple of tests switching between my normal VPN, which blocks all of the local internet, and back to split tunnel, and then it did not work at all. I was thinking maybe I had modified something unconsciously, so I reloaded the backup and went back to the original, which is exactly what I posted, but since then I have not had any luck. No matter whether I change one, two or all three of the 10 networks as you recommend, or change the sequence of the three networks, I can only get split tunnel working for the 10 network. Any idea? I am sure it was working at one time, but not any more. Thanks

Richard

Also Georg, I noticed that when I applied your recommendation, the normal VPN could only access the 10 network but not the other VLANs (200, 100 and 50).

Hello,

you are right, only the 10.10.10.0/24 is accessible because that is the only network that has the NAT exemptions...

Add the below to your config:

object network NETWORK_OBJ_192.168.50.0_24
subnet 192.168.50.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.200.0_24
subnet 192.168.200.0 255.255.255.0
!
! one NAT exemption per (VLAN, VPN pool) pair so pool-bound traffic from each VLAN is not translated
nat (inside,outside) source static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 destination static NETWORK_OBJ_10.249.249.0_25 NETWORK_OBJ_10.249.249.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 destination static NETWORK_OBJ_10.248.248.0_25 NETWORK_OBJ_10.248.248.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 destination static NETWORK_OBJ_10.247.247.0_28 NETWORK_OBJ_10.247.247.0_28 no-proxy-arp route-lookup
!
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_10.249.249.0_25 NETWORK_OBJ_10.249.249.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_10.248.248.0_25 NETWORK_OBJ_10.248.248.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_10.247.247.0_28 NETWORK_OBJ_10.247.247.0_28 no-proxy-arp route-lookup
!
nat (inside,outside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_10.249.249.0_25 NETWORK_OBJ_10.249.249.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_10.248.248.0_25 NETWORK_OBJ_10.248.248.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_10.247.247.0_28 NETWORK_OBJ_10.247.247.0_28 no-proxy-arp route-lookup

Hey Georg,

I have not had good luck incorporating your recommendation. I used ASDM and tried to add the same NAT rule, and got "translated source IP overlaps with VPN IP pool", as attached.

Hello

@richardlaiCanada wrote:

so I reload the backup and back to original which is exactly as what I posted,

Going back to your OP, you show two group policies. As I am not aware of which group policy your AnyConnect client is using, I asked you to apply the split-tunnel ACL that was missing to the first group policy, GroupPolicy_RichardHomeVPN. Did you do this? Also, the SPLIT_TUNNEL ACL needs to specify ALL inside networks that you ONLY want to access through the tunnel, plus you need to disconnect the VPN client and reconnect for any changes to take effect.

access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit x.x.x.x (any other subnets)

group-policy GroupPolicy_RichardHomeVPN internal
group-policy GroupPolicy_RichardHomeVPN attributes
vpn-tunnel-protocol ssl-client ssl-clientless
address-pool ANYCONNECT-POOL
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL

Lastly, when you connect to the firewall via the client, run the following command and post its result.
show vpn-sessiondb anyconnect



Kind Regards
Paul

Hey Paul, thanks for looking at this for me. I should clarify this a bit more. I have two SSL VPNs set up. One is the normal one, which is working okay and uses IP address pool 10.247.247.0, but it blocks my local laptop's internet access; meanwhile, once I VPN in, I have no problem at all accessing all of my 10.10.10.0 (inside) network and all the other internal VLANs, which are set up on my HPE 2920 switch. I have also set up another split-tunnel VPN that uses IP address pool 10.248.248.0. With the split tunnel, I can only access the 10.10.10.0 inside network but have no access to any other VLANs (the 200, 100 and 50 networks). I have also tried to add the other networks, such as my 200, 100 and 50 network objects, but they do not show up when I try, as in the attached screenshot. I am kind of stuck there.

I also tried to add those networks in the CLI window, but no luck at all.

When I have my VPN client connected, I am able to see the session being built and the proper IP being assigned, for both the normal VPN and the split VPN, from the proper VPN IP address pool accordingly. Do you have any other suggestion?

Thanks

Richard

Hello
So just to confirm, the split-tunnel access list is for the networks that need to be accessed via the client VPN tunnel (split-tunnel-policy tunnelspecified).
Now looking at your screenshot, this is set up via ASDM, and in the advanced properties of the split tunnel I see the network list IS NOT selected (inherit), which I believe it needs to be for the firewall to call upon the access list in relation to which networks you would like to be accessed via the VPN.



Kind Regards
Paul
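The replies in this thread point at two separate requirements for a split-tunnel AnyConnect client to reach an inside subnet: a NAT exemption (identity twice NAT) between that subnet and the VPN pool, and an entry for that subnet in the split-tunnel ACL. The script below, added here as an example and not taken from the thread or from Cisco, lints an ASA running-config for both and also flags a subnet whose traffic would hit an earlier non-exempt manual NAT rule (such as the `source dynamic` PAT rules Paul asked to remove) before any exemption, since manual NAT is evaluated first-match. The embedded config is constructed to mirror the situation described in the thread (pool 10.248.248.0/25, VLANs 50/100/200, only 10.10.10.0 exempted); the object names and subnets are taken from the posts, but the config itself is not Richard's. The `render_fix` helper emits the ASA lines in the same form Georg suggested and is likewise an assumption about what the remediation looks like.

```python
"""Lint an ASA running-config for what a split-tunnel AnyConnect client needs
to reach an inside subnet: a NAT exemption toward the VPN pool that is not
shadowed by an earlier manual NAT rule, plus a split-tunnel ACL entry."""
import ipaddress
import re

# Constructed sample config (not the poster's): only 10.10.10.0/24 is exempted
# and listed in SPLIT_TUNNEL; VLAN 100 is matched by a dynamic PAT rule instead.
SAMPLE_CONFIG = """\
object network NETWORK_OBJ_10.248.248.0_25
 subnet 10.248.248.0 255.255.255.128
object network Obj_10.10.10.0
 subnet 10.10.10.0 255.255.255.0
object network OBJ_Specific_192.168.100.0
 subnet 192.168.100.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0
nat (inside,outside) source static Obj_10.10.10.0 Obj_10.10.10.0 destination static NETWORK_OBJ_10.248.248.0_25 NETWORK_OBJ_10.248.248.0_25 no-proxy-arp route-lookup
nat (inside,any) source dynamic OBJ_Specific_192.168.100.0 192.168.0.5
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \(\S+,\S+\) (?:\d+ )?source (static|dynamic) (\S+) (\S+)"
                    r"(?: destination static (\S+) (\S+))?")


def parse_objects(config):
    """Map 'object network' names to ip_network values (subnet or host)."""
    objects, current = {}, None
    for line in config.splitlines():
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif current and (m := SUBNET_RE.match(line)):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif current and (m := HOST_RE.match(line)):
            objects[current] = ipaddress.ip_network(m.group(1))
    return objects


def resolve(name, objects):
    if name == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return objects.get(name)  # None for unknown names or keywords such as 'interface'


def nat_rules(config, objects):
    """Manual (section 1) NAT rules in config order; the ASA applies the first match."""
    rules = []
    for line in config.splitlines():
        if not (m := NAT_RE.match(line)):
            continue
        kind, rs, ms, rd, md = m.groups()
        rules.append({
            "kind": kind,
            "src": resolve(rs, objects),
            "dst": resolve(rd, objects) if rd else None,   # None = any destination
            # identity twice NAT (a NAT exemption): real and mapped objects are the same
            "identity": kind == "static" and rs == ms and (rd is None or rd == md),
        })
    return rules


def split_acl(config, acl_name):
    return [ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            for line in config.splitlines()
            if (m := ACL_RE.match(line)) and m.group(1) == acl_name]


def check_subnet(config, subnet, pool, acl_name):
    subnet, pool = ipaddress.ip_network(subnet), ipaddress.ip_network(pool)
    objects = parse_objects(config)
    exempt = shadowed = False
    for rule in nat_rules(config, objects):
        if rule["src"] is None or not subnet.subnet_of(rule["src"]):
            continue
        if rule["dst"] is not None and not pool.subnet_of(rule["dst"]):
            continue
        if rule["identity"]:
            exempt = True          # first matching rule is the exemption: good
        else:
            shadowed = True        # first matching rule translates the traffic instead
        break
    in_acl = any(subnet.subnet_of(n) for n in split_acl(config, acl_name))
    return {"nat_exempt": exempt, "shadowed": shadowed, "in_split_acl": in_acl}


def report(config, subnets, pool, acl_name):
    return {s: check_subnet(config, s, pool, acl_name) for s in subnets}


def render_fix(subnet, pool_obj, acl_name):
    """ASA lines that exempt `subnet` toward the pool object and add it to the ACL."""
    net = ipaddress.ip_network(subnet)
    obj = f"NETWORK_OBJ_{net.network_address}_{net.prefixlen}"
    return [
        f"object network {obj}",
        f" subnet {net.network_address} {net.netmask}",
        f"nat (inside,outside) source static {obj} {obj} destination static "
        f"{pool_obj} {pool_obj} no-proxy-arp route-lookup",
        f"access-list {acl_name} standard permit {net.network_address} {net.netmask}",
    ]


if __name__ == "__main__":
    POOL, ACL = "10.248.248.0/25", "SPLIT_TUNNEL"
    VLANS = ["10.10.10.0/24", "192.168.50.0/24", "192.168.100.0/24", "192.168.200.0/24"]
    for net, state in report(SAMPLE_CONFIG, VLANS, POOL, ACL).items():
        print(f"{net:18} {state}")
        if not state["nat_exempt"] or not state["in_split_acl"]:
            print("\n".join(render_fix(net, "NETWORK_OBJ_10.248.248.0_25", ACL)))
```

Run against a real `show running-config` by replacing `SAMPLE_CONFIG`. A subnet reported as `shadowed` will not be fixed by appending an exemption at the end of the manual NAT section; the exemption has to sit above the rule that currently matches, which on the ASA is done by giving it a line number after the interface pair (`nat (inside,outside) 1 source static ...`). Remember, as Paul notes, that the client must disconnect and reconnect before a changed split-tunnel list takes effect.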