Solved: Re: Windows L2TP VPN Clients -- No Internet Access, Split-Tunnel

muranskycotech · ‎01-13-2010

Greetings!

I have four ASA 5505's that I have configured with 4 site-to-site VPN tunnels (working perfectly) to connect our 4 corporate facilities. These ASA's are also configured with L2TP/IPsec Remote Access so that a specific group of laptop users can connect in and access all facilities. This also works great except for one important exception-- my split-tunnel setting doesn't seem to be working, because I can't connect to Internet resources outside the VPN.

I accept the inherent risk of allowing split tunnels from a security standpoint since I'm taking appropriate steps to secure the systems being used for remote access. I would appreciate any feedback on how to get the split tunnel working.

Here's the configuration:

: Saved
:
ASA Version 8.2(1)11
!
hostname SGC
domain-name somewhere.com
names
name 192.168.2.0 GUEST description GUEST Local Network
name 75.185.129.13 SGC-External description INTERNAL ASA
name 172.22.0.0 SITE1-LAN description Ohio Management Network
name 172.23.0.0 SITE2-LAN description Lake Club Network
name 172.24.0.0 SITE3-LAN description Southwoods Network
name 123.234.8.124 SITE3-ASA description Southwoods ASA
name 192.168.10.0 INTERNAL description INTERNAL Local Network
name 192.168.11.0 INTERNAL-VPN description INTERNAL VPN Clients
name 192.168.10.4 Apollo description INTERNAL Domain Controller
name 192.168.10.2 DHD description Access Point #1
name 192.168.10.3 GDO description Access Point #2
name 192.168.10.5 Odyssey description INTERNAL Test Server
name 192.168.10.1 SGC-Internal description INTERNAL ASA
name 123.234.8.60 SITE1-ASA description Ohio Management ASA
name 123.234.8.189 SITE2-ASA description Lake Club ASA
name 10.1.0.0 SITE3-VOICE description Southwoods Voice Network
name 172.25.0.0 SITE3-WIFI description Southwoods Wireless Network
!
interface Vlan1
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan2
nameif INTERNAL
security-level 100
ip address SGC-Internal 255.255.255.0
!
interface Vlan3
nameif GUEST
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
description Time Warner Cable
!
interface Ethernet0/1
switchport access vlan 2
switchport trunk allowed vlan 2-3
switchport trunk native vlan 2
switchport mode trunk
!
interface Ethernet0/2
switchport access vlan 2
switchport trunk allowed vlan 2-3
switchport trunk native vlan 2
switchport mode trunk
!
interface Ethernet0/3
switchport access vlan 2
switchport trunk allowed vlan 2-3
switchport trunk native vlan 2
switchport mode trunk
!
interface Ethernet0/4
switchport access vlan 2
switchport trunk allowed vlan 2-3
switchport trunk native vlan 2
switchport mode trunk
!
interface Ethernet0/5
switchport access vlan 2
switchport trunk allowed vlan 2-3
switchport trunk native vlan 2
switchport mode trunk
!
interface Ethernet0/6
description Trunk Port for Wireless AP
switchport access vlan 2
switchport trunk allowed vlan 2-3
switchport trunk native vlan 2
switchport mode trunk
!
interface Ethernet0/7
description Trunk Port for Wireless AP
switchport access vlan 2
switchport trunk allowed vlan 2-3
switchport trunk native vlan 2
switchport mode trunk
!
boot system disk0:/asa821-11-k8.bin
boot config disk0:/config.txt
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup INTERNAL
dns domain-lookup GUEST
dns server-group DefaultDNS
name-server 4.2.2.2
domain-name somewhere.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3389
port-object eq www
port-object eq https
port-object eq smtp
object-group network DM_INLINE_NETWORK_1
network-object SITE1-LAN 255.255.0.0
network-object SITE2-LAN 255.255.0.0
network-object SITE3-LAN 255.255.0.0
object-group network SITE3-GLOBAL
description Southwoods Global Network
network-object SITE3-LAN 255.255.0.0
network-object SITE3-VOICE 255.255.0.0
network-object SITE3-WIFI 255.255.0.0
object-group service DM_INLINE_TCP_2 tcp
port-object eq 5900
port-object eq 5901
object-group network INTERNAL-GLOBAL
description INTERNAL Global Network
network-object INTERNAL 255.255.255.0
network-object INTERNAL-VPN 255.255.255.0
access-list outside_access remark Allow Pings
access-list outside_access extended permit icmp any host SGC-External
access-list outside_access remark Allow VNC for Pitr
access-list outside_access extended permit tcp any host SGC-External object-group DM_INLINE_TCP_2
access-list outside_access remark INTERNAL Services
access-list outside_access extended permit tcp any host SGC-External object-group DM_INLINE_TCP_1
access-list DefaultRAGroup_splitTunnelAcl standard permit INTERNAL 255.255.255.0
access-list nonat extended permit ip INTERNAL 255.255.255.0 INTERNAL-VPN 255.255.255.0
access-list nonat extended permit ip object-group INTERNAL-GLOBAL SITE1-LAN 255.255.0.0
access-list nonat extended permit ip object-group INTERNAL-GLOBAL SITE2-LAN 255.255.0.0
access-list nonat extended permit ip object-group INTERNAL-GLOBAL object-group SITE3-GLOBAL
access-list INTERNAL-to-SITE1 extended permit ip object-group INTERNAL-GLOBAL SITE1-LAN 255.255.0.0
access-list INTERNAL-to-SITE3 extended permit ip object-group INTERNAL-GLOBAL object-group SITE3-GLOBAL
access-list INTERNAL-to-SITE2 extended permit ip object-group INTERNAL-GLOBAL SITE2-LAN 255.255.0.0
no pager
logging enable
logging asdm warnings
logging debug-trace
mtu outside 1500
mtu INTERNAL 1500
mtu GUEST 1500
ip local pool INTERNAL-VPN 192.168.11.1-192.168.11.25 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (INTERNAL) 0 access-list nonat
nat (INTERNAL) 1 0.0.0.0 0.0.0.0
nat (GUEST) 1 0.0.0.0 0.0.0.0
static (GUEST,outside) tcp interface 5900 Pitr 5900 netmask 255.255.255.255
static (INTERNAL,outside) tcp interface 3389 Apollo 3389 netmask 255.255.255.255
static (INTERNAL,outside) tcp interface www Apollo www netmask 255.255.255.255
static (INTERNAL,outside) tcp interface https Apollo https netmask 255.255.255.255
static (INTERNAL,outside) tcp interface smtp Apollo smtp netmask 255.255.255.255
static (GUEST,outside) tcp interface 5901 Puppy 5901 netmask 255.255.255.255
access-group outside_access in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Apollo protocol radius
aaa-server Apollo (INTERNAL) host Apollo
timeout 5
key ******
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 INTERNAL
http 0.0.0.0 0.0.0.0 GUEST
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
crypto map outside_map 1 match address INTERNAL-to-SITE1
crypto map outside_map 1 set peer SITE1-ASA
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address INTERNAL-to-SITE3
crypto map outside_map 2 set peer SITE3-ASA
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address INTERNAL-to-SITE2
crypto map outside_map 3 set peer SITE2-ASA
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-delimiter @
telnet SITE3-ASA 255.255.255.255 outside
telnet SITE2-ASA 255.255.255.255 outside
telnet SITE1-ASA 255.255.255.255 outside
telnet 0.0.0.0 0.0.0.0 INTERNAL
telnet 0.0.0.0 0.0.0.0 GUEST
telnet timeout 60
ssh scopy enable
ssh SITE3-ASA 255.255.255.255 outside
ssh SITE2-ASA 255.255.255.255 outside
ssh SITE1-ASA 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 INTERNAL
ssh 0.0.0.0 0.0.0.0 GUEST
ssh timeout 60
console timeout 0
management-access INTERNAL
l2tp tunnel hello 100
dhcp-client client-id interface outside
dhcpd dns 4.2.2.1 4.2.2.2
dhcpd ping_timeout 750
dhcpd auto_config outside
!
dhcpd address 192.168.10.100-192.168.10.200 INTERNAL
dhcpd dns Apollo Odyssey interface INTERNAL
dhcpd domain somewhere.com interface INTERNAL
dhcpd option 150 ip 10.1.1.40 interface INTERNAL
dhcpd enable INTERNAL
!
dhcpd address 192.168.2.100-192.168.2.200 GUEST
dhcpd dns 4.2.2.1 4.2.2.2 interface GUEST
dhcpd enable GUEST
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.43.244.18 source outside prefer
webvpn
enable outside
csd image disk0:/securedesktop-asa-3.4.2048.pkg
svc image disk0:/sslclient-win-1.1.4.179.pkg 1
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 2
svc enable
group-policy DefaultRAGroup INTERNAL
group-policy DefaultRAGroup attributes
dns-server value 192.168.10.4
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value somewhere.com
group-policy DefaultWEBVPNGroup INTERNAL
group-policy DefaultWEBVPNGroup attributes
vpn-tunnel-protocol webvpn
group-policy DefaultL2LGroup INTERNAL
group-policy DefaultL2LGroup attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy DefaultACVPNGroup INTERNAL
group-policy DefaultACVPNGroup attributes
vpn-tunnel-protocol svc
group-policy DfltGrpPolicy attributes
dns-server value 192.168.10.4 4.2.2.2
vpn-simultaneous-logins 25
vpn-idle-timeout none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value somewhere.com
address-pools value INTERNAL-VPN
smartcard-removal-disconnect disable
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
customization value DfltCustomization
tunnel-group DefaultRAGroup general-attributes
address-pool INTERNAL-VPN
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool INTERNAL-VPN
default-group-policy DefaultWEBVPNGroup
tunnel-group 123.234.8.60 type ipsec-l2l
tunnel-group 123.234.8.60 ipsec-attributes
pre-shared-key *
tunnel-group 123.234.8.124 type ipsec-l2l
tunnel-group 123.234.8.124 ipsec-attributes
pre-shared-key *
tunnel-group 123.234.8.189 type ipsec-l2l
tunnel-group 123.234.8.189 ipsec-attributes
pre-shared-key *
tunnel-group DefaultACVPNGroup type remote-access
tunnel-group DefaultACVPNGroup general-attributes
address-pool INTERNAL-VPN
default-group-policy DefaultACVPNGroup
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect ils
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:423c807c0d63cb3e9aeceda977053f84
: end
asdm image disk0:/asdm-623.bin
asdm location Pitr 255.255.255.255 INTERNAL
asdm location SGC-External 255.255.255.255 INTERNAL
asdm location SITE1-LAN 255.255.0.0 INTERNAL
asdm location SITE2-LAN 255.255.0.0 INTERNAL
asdm location SITE3-LAN 255.255.0.0 INTERNAL
asdm location SITE3-ASA 255.255.255.255 INTERNAL
asdm location GDO 255.255.255.255 INTERNAL
asdm location SITE1-ASA 255.255.255.255 INTERNAL
asdm location SITE2-ASA 255.255.255.255 INTERNAL
asdm location SITE3-VOICE 255.255.0.0 INTERNAL
asdm location Puppy 255.255.255.255 INTERNAL
asdm history enable

I should also mention that my test clients are a combination of Windows XP, Windows 7, and Windows Mobile. Other than specifying the pre-shared key and forcing L2TP/IPsec on the client side, the VPN settings on the clients are default settings with MS-CHAP/MS-CHAPv2 support.

gammatel1 · ‎01-13-2010

You need to configure *intercept-dhcp enable* under your group-policy:

group-policy DefaultRAGroup attributes

dns-server value 192.168.10.4
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value somewhere.com

intercept-dhcp enable

Also - the latptop VPN clients (which I assume are on windows machines) need to have the *Use default gateway on remote network* box unchecked. This is found under the advanced tab of TCP/IP properties for the VPN Client. Select VPN Client > Properties > Networking > Internet Protocol TCP/IP > Properties > Advanced and clear the check box.

Alex

View solution in original post

gammatel1 · ‎01-13-2010

You need to configure *intercept-dhcp enable* under your group-policy:

group-policy DefaultRAGroup attributes

dns-server value 192.168.10.4
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value somewhere.com

intercept-dhcp enable

Also - the latptop VPN clients (which I assume are on windows machines) need to have the *Use default gateway on remote network* box unchecked. This is found under the advanced tab of TCP/IP properties for the VPN Client. Select VPN Client > Properties > Networking > Internet Protocol TCP/IP > Properties > Advanced and clear the check box.

Alex

muranskycotech · ‎01-13-2010

Thanks for the response. I gave this a go tonight and had some great results...

Yes, it does allow my VPN connection to access the Internet AND the resources on the local network I'm connected to... however, I initially lost access to my other remote sites (which are connected by site-to-site VPN). I had to compensate by adding those networks to my DefaultRAGroup_splitTunnel access list, and that gave me the desired results. Specifically, I ran the following to get this all up and running:

access-list DefaultRAGroup_splitTunnelAcl standard permit somewhere.com 255.255.255.0

access-list DefaultRAGroup_splitTunnelAcl standard permit SITE1-LAN 255.255.0.0

access-list DefaultRAGroup_splitTunnelAcl standard permit SITE2-LAN 255.255.0.0

access-list DefaultRAGroup_splitTunnelAcl standard permit SITE3-LAN 255.255.0.0

access-list DefaultRAGroup_splitTunnelAcl standard permit SITE3-WIFI 255.255.0.0

access-list DefaultRAGroup_splitTunnelAcl standard permit SITE3-VOICE 255.255.0.0

group-policy DefaultRAGroup attributes

intercept-dhcp enable

As a follow-up question, is there a way to set the "remote gateway" parameter on mobile devices like Windows Mobile, Android, or the iPhone? What about Macs?

gammatel1 · ‎01-14-2010

Before you had split-tunneling working, your VPN clients would have had a default-route pointing all traffic down the vpn-tunnel. Now that you have split-tunneling working only the networks listed in your split-tunnel ACL are passed to the VPN client and installed into the windows routing table. There is still a default route in your windows routing table - but this is the one used for your ADSL connection (or whatever is used to access the internet). If you check the windows routing you will see what I mean.

This is the partial output of my windows routing table after my VPN client has connected:

Active Routes:
Network Destination        Netmask          Gateway       Interface Metric
          0.0.0.0          0.0.0.0       10.10.10.1      10.10.10.3       10
         10.0.0.0    255.255.255.0       10.0.24.18      10.0.24.18       1
         10.0.5.0    255.255.255.0       10.0.24.18      10.0.24.18       1
        10.0.10.0    255.255.255.0       10.0.24.18      10.0.24.18       1
        10.0.20.0    255.255.255.0       10.0.24.18      10.0.24.18       1
        10.0.22.0    255.255.255.0       10.0.24.18      10.0.24.18       1

The default is still to my ADSL router and the split-tunnel networks are routed via my VPN client connection.

Im not familiar with configuring the other devices you have requested help with - so appologies.

Alex

muranskycotech · ‎01-14-2010

No worries on the other devices... I appreciate your time and assistance, it was definitely most helpful! Thank you!

Windows L2TP VPN Clients -- No Internet Access, Split-Tunnel not Working