10-20-2012 09:00 PM
Client(remote site)=====Internet cloud=====ASA(HQ)
Objective: the client visits some websites (being blocked on the remote FW) on the Internet through the HQ ASA, and all the other websites through the
remote directly.
What I want is to split the tunnel, and I prefer to use "excluding" in an ACL. I configured it from the ASDM. It seems like it does not work: all the traffic is still being tunneled to the ASA and not split.
By the way, do I have to check "Allow Local LAN Access" on the Transport tab on the client side?
group-policy newgroup attributes
dns-server value X.X.X.X
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value ExcludedIP
split-dns none
! some of the entries in the ACL list
...
access-list ExcludedIP standard permit 48.14.0.0 255.254.0.0
access-list ExcludedIP standard permit 48.16.0.0 255.255.0.0
....
When the user client traces the 48.14.0.0 network, it went to the ASA first...
Any idea?
Thanks,
Han
10-20-2012 11:19 PM
Hi Han,
Do you see those networks in the "Local LAN Routes" box?
VPN Client --> Status --> Statistics --> Route details
How do you know that it goes to the ASA? Have you run a capture on the LAN adapter and VPN adapter to confirm this?
Thanks.
Portu.
Please rate any helpful posts
10-20-2012 11:43 PM
Hi, Javier,
As for your questions,
How do you know that it goes to the ASA? Have you run a capture on the LAN adapter and VPN adapter to confirm this?
A: I ran tracert from the client and it goes to the ASA.
Do you see those networks in the "Local LAN Routes" box?
A: Yes, there is nothing under "Local LAN Routes" and there is 0.0.0.0 under "Secured Routes".
And when I check "Allow Local LAN", I can see the list on the "Local LAN Routes". But my client cannot log in if the client is checked with "Allow Local LAN".
Thanks,
Han
10-20-2012 11:49 PM
Han,
It is interesting indeed.
Are you running the latest client version?
Does this happen to other machines?
Assuming that you are connecting to the correct group and getting the right group-policy it should be working fine.
Portu.
10-20-2012 11:54 PM
Javier, I just added more info on the last post, please take a look.
Thanks,
Han
10-21-2012 12:00 AM
How do you know whether a flow of packets goes through the ASA or not?
Thanks,
Han
10-21-2012 12:17 AM
Han,
Could you please follow this link and make sure just test it as it is, then you could adjust your settings:
PIX/ASA 7.x: Allow Local LAN Access for Cisco VPN Client / SVC Configuration Example
I do not have an ASA handy, but I could give it a try in the morning (I am in MST).
Thanks.
Portu.
10-21-2012 12:55 AM
Sure, thanks. By the way, I think the problem is on the client side: every time I check "Allow Local LAN", it cannot log in to the VPN...
I see it never went into the IPsec phase.
Maybe it is an individual problem, but what can it be?
10-21-2012 09:06 PM
Hi Han,
I am sorry for any delay.
I have duplicated this and this is what you should expect:
tunnel-group RA type remote-access
tunnel-group RA general-attributes
address-pool VPN_POOL
default-group-policy RA
tunnel-group RA ipsec-attributes
ikev1 pre-shared-key *****
!
group-policy RA internal
group-policy RA attributes
vpn-tunnel-protocol ikev1
split-tunnel-policy excludespecified
split-tunnel-network-list value RA_EXCLUDE
!
access-list RA_EXCLUDE standard permit host 4.2.2.2
access-list RA_EXCLUDE standard permit host 0.0.0.0
access-list RA_EXCLUDE standard permit 10.198.12.0 255.255.255.0
access-list RA_EXCLUDE standard permit 10.198.16.0 255.255.255.0
Now I tested with the latest VPN client available on CCO running on a Windows 7 machine x86.
You should not experience any issues.
As agreed before, please test from a different machine and let me know.
Thanks.
Portu.
Please rate any helpful posts
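As an added example (not from this thread, and not Cisco's own tooling), the following Python script reads the split-tunnel lines and the standard ACL from both configurations posted above (Han's "ExcludedIP" list and Portu's "RA_EXCLUDE" list) and reports, for a given destination, whether the VPN client should send it into the tunnel or leave it on the local adapter under each of the three ASA split-tunnel policies. It also lists what the client's "Local LAN Routes" and "Secured Routes" boxes should contain, which is the check Portu asked for. The configuration text is quoted from the thread; the destination addresses and the route-summary layout are constructed assumptions for illustration.

```python
"""
Split-tunnel classifier for Cisco ASA group-policy snippets (added example).

Parses `split-tunnel-policy`, `split-tunnel-network-list value <ACL>` and the
referenced `access-list <ACL> standard permit ...` lines, then decides where a
destination goes:
  tunnelall        -> everything is tunneled, ACL ignored
  tunnelspecified  -> only ACL matches are tunneled
  excludespecified -> ACL matches stay on the local adapter, rest is tunneled
"""
import ipaddress
import re

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+standard\s+permit\s+"
    r"(?:host\s+(?P<host>\S+)|(?P<net>\S+)\s+(?P<mask>\S+))\s*$"
)
POLICY_RE = re.compile(r"^split-tunnel-policy\s+(\S+)\s*$")
LIST_RE = re.compile(r"^split-tunnel-network-list\s+value\s+(\S+)\s*$")

# Quoted from the thread (Han's group-policy and the two ACL lines he showed).
HAN_CONFIG = """
group-policy newgroup attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value ExcludedIP
access-list ExcludedIP standard permit 48.14.0.0 255.254.0.0
access-list ExcludedIP standard permit 48.16.0.0 255.255.0.0
"""

# Quoted from the thread (Portu's working lab configuration).
PORTU_CONFIG = """
group-policy RA attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value RA_EXCLUDE
access-list RA_EXCLUDE standard permit host 4.2.2.2
access-list RA_EXCLUDE standard permit host 0.0.0.0
access-list RA_EXCLUDE standard permit 10.198.12.0 255.255.255.0
access-list RA_EXCLUDE standard permit 10.198.16.0 255.255.255.0
"""


def parse_config(text):
    """Return (policy, acl_name, networks) where networks is the list of
    ip_network objects in the ACL named by split-tunnel-network-list."""
    policy, acl_name, acls = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := POLICY_RE.match(line):
            policy = m.group(1)
        elif m := LIST_RE.match(line):
            acl_name = m.group(1)
        elif m := ACL_RE.match(line):
            if m.group("host"):
                net = ipaddress.ip_network(m.group("host") + "/32")
            else:
                # ASA standard ACLs carry a subnet mask (not a wildcard mask);
                # strict=False tolerates host bits set in the network field.
                net = ipaddress.ip_network(
                    f"{m.group('net')}/{m.group('mask')}", strict=False)
            acls.setdefault(m.group("name"), []).append(net)
    return policy, acl_name, acls.get(acl_name, [])


def classify(dest, policy, networks):
    """Return 'tunnel' or 'local' for destination `dest` under `policy`."""
    addr = ipaddress.ip_address(dest)
    matched = any(addr in net for net in networks)
    if policy == "tunnelall":
        return "tunnel"
    if policy == "tunnelspecified":
        return "tunnel" if matched else "local"
    if policy == "excludespecified":
        return "local" if matched else "tunnel"
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


def expected_routes(policy, networks):
    """What the client's 'Secured Routes' and 'Local LAN Routes' boxes should
    show once the group-policy has been applied (constructed summary)."""
    everything = [ipaddress.ip_network("0.0.0.0/0")]
    if policy == "tunnelall":
        return {"secured": everything, "local": []}
    if policy == "tunnelspecified":
        return {"secured": list(networks), "local": []}
    if policy == "excludespecified":
        return {"secured": everything, "local": list(networks)}
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


def check(config_text, dest):
    """Convenience wrapper: classify `dest` against a whole config snippet."""
    policy, _, networks = parse_config(config_text)
    return classify(dest, policy, networks)


if __name__ == "__main__":
    for label, cfg in (("Han", HAN_CONFIG), ("Portu", PORTU_CONFIG)):
        policy, acl, nets = parse_config(cfg)
        print(f"{label}: policy={policy} acl={acl}")
        print("  expected routes:", expected_routes(policy, nets))
        for dest in ("48.14.5.5", "48.17.0.1", "4.2.2.2", "10.198.13.1"):
            print(f"  {dest:<12} -> {classify(dest, policy, nets)}")
```

Run it as-is to see where each destination should go; the `48.14.0.0 255.254.0.0` entry covers 48.14.0.0 through 48.15.255.255, so a traceroute to a 48.14.x.x host that still shows the ASA as the first hop, while "Local LAN Routes" is empty, means the client never received the exclude list, which is what Portu's capture and route-detail questions are meant to distinguish from a wrong ACL.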
10-22-2012 07:24 AM
Portu,
You are right. I changed to a different PC and it worked well. The first PC's client is having some issue I don't know about, and it is not a big concern of ours.
Thanks for the help.
Han
10-22-2012 08:54 AM
Great news!! I am glad to hear that.
Thanks for counting on us!
Hope you have a great time.