Help With split tunneling and multiple subnets behind asa

Joe Lentine
Level 1

Hello All,

Our VPN clients can no longer access the internet while connected to the VPN.

I was hoping I could get an answer on here for an issue we are having. Let me explain this with as few words as possible.

Here was the old network layout:

ASA

192.168.1.1   ---->  the rest of the internal subnet (was only subnet in network)

Now:

ASA                      3560

192.168.254.1/24 -----> 192.168.254.2/24 --> 192.168.1.1/24
                                             192.168.2.1/24

So what we did was route from the 3560 to the ASA, so we would be able to have multiple subnets since our ASA has a base license.

Our VPN with easy connect worked with our split tunneling before, and now that we made the change above it no longer works. Can someone help me out as to why it no longer works and what changes need to be made to make it work?

Thank you.


ciscoasa# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
enable password 1N7bTm05RXLnBcUc encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.254.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
ftp mode passive
clock timezone est -5
same-security-traffic permit intra-interface
access-list NoNat extended permit ip any 172.16.5.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.1.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.2.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.254.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 172.16.5.1-172.16.5.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.1.0 255.255.255.0 192.168.254.2 1
route inside 192.168.2.0 255.255.255.0 192.168.254.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TransformSet1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DynamicMap1 1 set transform-set TransformSet1
crypto map MainMap 999 ipsec-isakmp dynamic DynamicMap1
crypto map MainMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.90.182.55 source outside
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy RenotreUsers internal
group-policy RemoteUsers internal
group-policy RemoteUsers attributes
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnel
tunnel-group RemoteUsers type remote-access
tunnel-group RemoteUsers general-attributes
address-pool VPNPool
default-group-policy RemoteUsers
tunnel-group RemoteUsers webvpn-attributes
group-alias Southeast-Security-VPN enable
tunnel-group RemoteUsers ipsec-attributes
pre-shared-key *****

9 Replies

Collin Clark
VIP Alumni

When you connect with a client, does it only show the SplitTunnel networks in the Route Details (in AnyConnect software)?

Thanks for your reply,

It only shows a route for 192.168.1.0/24, which used to be directly connected to the ASA. It is now behind the 3560.

How do you configure what shows up in the client software? And I don't understand how having that enables internet access for VPN clients. Does it send the traffic to the 192.168.1.0/24 and then out, like it would internally?

thanks,

Joe

Actually, to update what I just said: it shows all of the routes I put in my access list "SplitTunnel", so I can now get to my 192.168.2.0/24, which was also not working. But I still do not have internet access when connected to the VPN.

thanks,

I think it could be your NAT statement. You should try to avoid using "any" unless you tunnel everything. Try making this change:

no access-list NoNat extended permit ip any 172.16.5.0 255.255.255.0

object-group network INTERNAL_NETWORKS
description Internal Networks
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.254.0 255.255.255.0

access-list NoNat extended permit ip object-group INTERNAL_NETWORKS 172.16.5.0 255.255.255.0

You may have to re-add your NAT0:

nat (inside) 0 access-list NoNat

Still no internet access.

Hmmm, split tunnel is usually pretty easy. Just for verification, you can access all of your internal networks correct? When connected can you ping an internet address by IP? Can you check your logs and see if there is a deny or nat log statement?

I can get out on a web browser to external IPs, so it seems to be a DNS issue.

Good to hear it's something simple.

Hi Joe,

Make sure you include the DNS server in the group-policy and that you can reach the DNS server.

HTH.

Portu.
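An added sanity check written for this thread (not code Collin or Portu posted): it reads config lines in the shape shown above and flags the three things the replies turn on: a nat 0 exemption ACL whose source is "any", a split-tunnel network with no matching NAT exemption, and a group-policy that sets split tunneling but pushes no dns-server value. The config string is a constructed excerpt of the thread's config, and the object-group and DNS server values in the comments are assumptions.

```python
# Constructed excerpt modelled on the thread's config (not the poster's full running
# config): NoNat uses "any" as its source and RemoteUsers pushes no DNS server.
SAMPLE_CONFIG = """
access-list NoNat extended permit ip any 172.16.5.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.1.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.2.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.254.0 255.255.255.0
nat (inside) 0 access-list NoNat
group-policy RemoteUsers attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnel
"""


def check_split_tunnel(config):
    """Return findings; empty list means all checks pass. Assumes each extended
    ACL entry ends in a 'net mask' destination (true for the thread's NoNat)."""
    std, ext, groups, policies = {}, {}, {}, {}
    nat0 = cur_group = cur_policy = None
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2] == "standard":
            std.setdefault(t[1], set()).add(f"{t[4]} {t[5]}")       # split-tunnel nets
        elif len(t) >= 8 and t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            ext.setdefault(t[1], []).append(" ".join(t[5:-2]))      # keep the source field
        elif t[:2] == ["object-group", "network"]:
            cur_group = groups.setdefault(t[2], set())
        elif t[:1] == ["network-object"] and cur_group is not None:
            cur_group.add(" ".join(t[1:3]))
        elif t[:1] == ["nat"] and len(t) >= 5 and t[2] == "0":
            nat0 = t[4]                                              # NAT-exempt ACL name
        elif t[:1] == ["group-policy"] and t[-1] == "attributes":
            cur_policy = policies.setdefault(t[1], {})
        elif t[:1] in (["split-tunnel-network-list"], ["dns-server"]) and cur_policy is not None:
            cur_policy[t[0]] = t[2]
    findings, exempt, exempt_all = [], set(), False
    for src in ext.get(nat0, []):
        if src == "any":
            exempt_all = True
            findings.append(f"nat 0 ACL {nat0} exempts any source; narrow it to the internal subnets")
        elif src.startswith("object-group "):
            exempt |= groups.get(src.split()[1], set())              # expand the group
        else:
            exempt.add(src)
    for name, attrs in policies.items():
        acl = attrs.get("split-tunnel-network-list")
        if acl is None:
            continue
        missing = set() if exempt_all else std.get(acl, set()) - exempt
        for net in sorted(missing):
            findings.append(f"{name}: split network {net} has no nat 0 exemption in {nat0}")
        if "dns-server" not in attrs:
            findings.append(f"{name}: split tunnel set but no dns-server value is pushed to clients")
    return findings
```

Running it on the excerpt reports the "any" source and the missing dns-server; applying Collin's object-group rewrite and Portu's dns-server line clears both.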