cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
16510
Views
5
Helpful
4
Replies

ASA 5505 Split Tunneling Configured But Still Tunneling All Traffic

jeffhochberg
Level 1
Level 1

Hello,

I have setup an ASA 5505 running 8.3.2 and the Cisco AnyConnect Client 2.5.2017.

There is the DefaultRAGroup and a newly configured group called SplitTunnelNets.

I have 1 internal subnet (192.168.223.0/24) that has a corresponding ACL/ACE configured on both the DefaultRAGroup and the custom Group Policy called SSLClientPolicy.

When I intiate the VPN connection to the ASA, I can indeed reach internal resources, but when I look at the routing table, I see a new default gateway route 0.0.0.0/0 -> 192.168.25.2 (which is in the IP pool) with a metric of 2.  The default route before the AnyConnect session was initiated now has a higher metric, so the 192.168.25.2 next-hop is taking precedence.

I do not see any routes in the routing table for 192.168.223.0/24 like I would expect to see.  In the AnyConnect diagnostics, I see that 0.0.0.0/0 is the policy applied to the client.

Here's my configuration.  Please tell me if you see something that I am missing.

ASA Version 8.3(2)
!
hostname asa

names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.223.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.223.41
domain-name labs.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network vpn-client-net
subnet 192.168.25.0 255.255.255.0
object network internal-net
subnet 192.168.223.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object internal-net
network-object object vpn-client-net
object-group network DM_INLINE_NETWORK_2
network-object object internal-net
network-object object vpn-client-net
access-list SplitTunnelNets extended permit ip any 192.168.223.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static internal-net internal-net destination static vpn-client-net vpn-client-net
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Labs-LDAP protocol ldap
aaa-server Lab-LDAP (inside) host 192.168.223.41
server-port 636
ldap-base-dn dc=labs,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn ldap-bind@labs.com
ldap-over-ssl enable
server-type microsoft
http server enable
http 192.168.223.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self

keypair sslvpnkeypair
crl configure
crypto ca trustpoint ASDM_TrustPoint1
keypair ASDM_TrustPoint1
crl configure
crypto ca certificate chain ASDM_TrustPoint0

telnet 192.168.223.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.223.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.5.41.41
ntp server 192.5.41.40
ssl trust-point ASDM_TrustPoint1 outside
webvpn
enable outside
no anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2017-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-3.0.0629-k9.pkg 2
svc image disk0:/anyconnect-linux-3.0.0629-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 192.168.223.41
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified


split-tunnel-network-list value SplitTunnelNets


default-domain value labs.com
split-dns value labs.com
address-pools value SSLClientPool
webvpn
  svc keep-installer installed
group-policy DfltGrpPolicy attributes
dns-server value 192.168.223.41
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnelNets
default-domain value coyotelabs.com
service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
authentication-server-group CoyoteLabs-LDAP
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias CoyoteLabs enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:95b7ff58b54e02948a14b225eec1a990
: end

2 Accepted Solutions

Accepted Solutions

Jennifer Halim
Cisco Employee
Cisco Employee

The split tunnel access-list has to be standard access-list, not extended access-list.

You would need to change the following:
FROM: access-list SplitTunnelNets extended permit ip any 192.168.223.0 255.255.255.0
TO: access-list SplitTunnelNets standard permit 192.168.223.0 255.255.255.0

You should be able to reconnect again, and will be able to access the Internet after configuring the split tunnel with standard access-list.

Hope that helps.

View solution in original post

hdashnau
Cisco Employee
Cisco Employee

Just for clarification, the access-list does not need to be a standard  access-list. You can use an extended access-list too.

The reason your  extended access-list wasn't working as you wanted was because it was defined in the wrong order. To use an extended access-list for split-tunneling  in VPN, you put the "internal" network (192.168.223.0) in the source position and the  vpn pool network (192.168.25.0 or any) in the desitination position. So this is what the extended acl would look like in your scenario:

access-list SplitTunnelNets extended permit ip 192.168.223.0 255.255.255.0 192.168.25.0 255.255.255.0

-heather

Please remember to rate all posts that helped you and mark the question as resolved if this addressed your question.

View solution in original post

4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

The split tunnel access-list has to be standard access-list, not extended access-list.

You would need to change the following:
FROM: access-list SplitTunnelNets extended permit ip any 192.168.223.0 255.255.255.0
TO: access-list SplitTunnelNets standard permit 192.168.223.0 255.255.255.0

You should be able to reconnect again, and will be able to access the Internet after configuring the split tunnel with standard access-list.

Hope that helps.

Thanks Jennifer!  That did the trick!

I really appreciate your help!!!

hdashnau
Cisco Employee
Cisco Employee

Just for clarification, the access-list does not need to be a standard  access-list. You can use an extended access-list too.

The reason your  extended access-list wasn't working as you wanted was because it was defined in the wrong order. To use an extended access-list for split-tunneling  in VPN, you put the "internal" network (192.168.223.0) in the source position and the  vpn pool network (192.168.25.0 or any) in the desitination position. So this is what the extended acl would look like in your scenario:

access-list SplitTunnelNets extended permit ip 192.168.223.0 255.255.255.0 192.168.25.0 255.255.255.0

-heather

Please remember to rate all posts that helped you and mark the question as resolved if this addressed your question.

Excellent information!!!

This is...by far...the most helpful forum I'm a member of and it's because of responses like Heather's and Jennifer's!!!

Thanks again to both of you!!!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: