ASA does not propagate routes to VPN users

Zarahelll
Level 1

Good afternoon

I'm having an issue regarding the propagation of routes to VPN users that authenticate through the ASA tunnel-group.

I have a VPN-Users-Pool from where my users receive their IP address, and after authentication and the tunnel is established the idea is for the user to get to the following networks defined in the following ACL:

access-list Inside standard permit 10.1.0.0 255.255.0.0
access-list Inside standard permit 192.168.15.0 255.255.224.0

Now the problem is that after the tunnel is established the only route the user receives is the default route (which is not supposed to be sent). The user does not receive the specified routes in the ACL above. He also does not receive the netmask and assumes a /8 netmask (given that the network pool from where he is receiving the IP is a class A network).

The network routing is working as expected (when I add the static routes directly to the user's PC, everything works OK). It's just the issue of the ASA not propagating the routes as it should.

Here are my split tunneling settings:

group-policy DefaultRAGroup attributes
 vpn-idle-timeout 1
 vpn-tunnel-protocol l2tp-ipsec
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Inside
 (...)
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Inside
 (...)

Any ideas?

I appreciate your help

Best regards



ajay chauhan
Level 7

Hi,

Can you please paste the full config ?

Thanks

Thank you for your reply. I'm sending the config below (I've cleared all confidential info such as IPs, passwords, timeout values, etc., but I think what you have below is enough to get a clear picture):

ASA Version 8.2(1)
!
hostname asa-xxxx
enable password xxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 197.X.XX.XX 255.255.255.248
!
interface GigabitEthernet0/1
 nameif vpncorp
 security-level 50
 ip address 10.X.XX.XX 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 speed 100
 duplex full
 nameif mgmt
 security-level 100
 ip address 10.x.xx.xx 255.255.255.240
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name zz.df.es
access-list Inside standard permit 10.1.0.0 255.255.0.0
access-list Inside standard permit 192.168.15.0 255.255.224.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 14000
logging buffered debugging
logging asdm debugging
logging facility 21
logging host mgmt 10.xx.x.x
logging class auth trap informational
logging class config trap informational
logging class ha trap informational
logging class sys trap informational
logging class vpdn trap informational
logging class vpn trap informational
mtu outside 1500
mtu vpncorp 1500
mtu mgmt 1500
ip local pool VPN-01-pool 10.XX.XX.X-10.XX.XX.XX mask 255.255.252.0
ip local pool VPN-02-pool 10.xx.xx.x-10.xx.xx.xx mask 255.255.252.0
ip local pool VPN-USER-pool 192.168.xx.x-192.168.xx.xx mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
route outside 0.0.0.0 0.0.0.0 197.xx.xx.xx 1
route vpncorp 10.x.x.x 255.xx.xx.xx 10.xx.xx.xx 1
route vpncorp 10.xx.xx.xx 255.255.0.0 10.xx.xx.xx 1
route mgmt 10.xx.xx.xx 255.255.255.0 10.xx.xx.xx 1
route mgmt 10.xx.xx.xx 255.255.255.248 10.xx.xx.xx 1
route mgmt 10.xx.xx.xx 255.255.255.0 10.xx.xx.xx 1
route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
dynamic-access-policy-record DfltAccessPolicy
aaa-server mgmtt protocol radius
aaa-server mgmtt (mgmt) host 10.xx.x.xx
 timeout xxx
 key xxxxxxxxxx
 authentication-port xxx
 accounting-port xxxx
aaa-server mgmtt (mgmt) host 10.xx.xx.xx
 timeout xxx
 key xxxxxx
 authentication-port xxxx
 accounting-port xxxx
aaa-server Users protocol radius
 accounting-mode simultaneous
 interim-accounting-update
aaa-server Users (mgmt) host 10.xx.xx.xx
 key xxxxx
 authentication-port xxxx
 accounting-port xxxx
aaa-server Users-2 protocol radius
 accounting-mode simultaneous
 interim-accounting-update
aaa-server users-2 (mgmt) host 10.xx.xx.xxx
 key xxxx
 authentication-port xxx
 accounting-port xxxx
aaa authentication ...
aaa authentication ...
aaa authentication ...
aaa authorization ...
aaa accounting ...
aaa accounting ...
aaa accounting ...
snmp-server ...
crypto ipsec transform-set ...
crypto ipsec transform-set ...
crypto ipsec transform-set ...
crypto ipsec transform-set ...
crypto ipsec transform-set ...
crypto ipsec transform-set ...
crypto ipsec security-association lifetime seconds xxx
crypto ipsec security-association lifetime kilobytes xxx
crypto dynamic-map vpn-ra-dyn_map 10 set ...
crypto map outside_map 100 ipsec-isakmp dynamic vpn-ra-dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy ...
 authentication pre-share
 encryption xxx
 hash xxx
 group x
 lifetime xxx
crypto isakmp policy xxx
 authentication pre-share
 encryption xxx
 hash xxx
 group x
 lifetime xxx
telnet timeout xxx
ssh 10.x.x.x 255.255.255.255 mgmt
ssh timeout x
ssh version x
console timeout x
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-idle-timeout 1
 vpn-tunnel-protocol l2tp-ipsec
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Inside
 default-domain value xx.xx.es
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 vpn-idle-timeout 1
 split-tunnel-policy tunnelspecified
username ...
username ...
username ...
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) Users
 accounting-server-group users
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key xxxxx
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group asa type remote-access
tunnel-group asa general-attributes
 address-pool VPN-user-pool
 authentication-server-group (outside) test
 accounting-server-group test
tunnel-group asa ipsec-attributes
 pre-shared-key xxxx
tunnel-group asa ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group tstvpn type remote-access
tunnel-group tstvpn general-attributes
 authentication-server-group (outside) users-2
 accounting-server-group users-2
 default-group-policy DefaultRAGroup
tunnel-group tstvpn ipsec-attributes
 pre-shared-key xxxx
tunnel-group tstvpn ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum xxxx
policy-map global_policy
 class inspection_default
  inspect xxxx
  inspect ...
  ...
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxx
: end

Anyone?

Hi Zarahell,

Please try replacing the standard ACL with extended ACLs.

So

access-list Inside standard permit 10.1.0.0 255.255.0.0
access-list Inside standard permit 192.168.15.0 255.255.224.0

would become

access-list Inside extended permit ip 10.1.0.0 255.255.0.0 any
access-list Inside extended permit ip 192.168.15.0 255.255.224.0 any

And let us know if there are any improvements.

Bastien Migette

I actually thought of that a couple of hours ago... but the configuration was made via the GUI, so I'm assuming a standard ACL should work since it was set by the Cisco software itself.

I'll try ASAP and get back to you.

Nope

It didn't work; I've replaced the ACL with the extended one and still no results.

Any more ideas?

Just a question, I see:

group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Inside
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 split-tunnel-policy tunnelspecified

It looks like on your policy DefaultRAGroup_1 you don't define an ACL, and the other one seems to be for L2TP/IPSEC. How do you connect to the ASA, using L2TP/IPSEC or the Cisco IPSEC client? Also, if your users are put into the group policy DefaultRAGroup_1, it looks like the ACL is missing for split tunneling.

Using Cisco IPSEC client.

DefaultRAGroup_1 is a test policy. Don't take it into account.


Well, I'm not sure this would be related to the issue, but can you try to change your default group-policy and add ipsec to the vpn tunnel protocol like this:

vpn-tunnel-protocol ipsec l2tp-ipsec

Also, in the info/statistics menu on the VPN client, there's a tab where you can see the routes that are being secured. You may check this tab to see what routes are actually fetched by the VPN client.

Bastien

No luck. I've added the line as you suggested but I still do not receive the specified routes in the ACL.

Any other suggestions?

Anyone?

Ok, so I got it to work with Cisco VPN Client (it was a matter of reconfiguration of the transform-set).

But it still does not work with native OS VPN clients (Mac, Windows, etc.)... it authenticates and the tunnel is established, but the routes defined in the split tunneling are not propagated.

Is this a known issue? Does ASA require any specific configuration to make it compatible with other vpn clients than the cisco one?

Ok

So, new feedback... apparently split tunneling does not work over L2TP connections. It sends the routes over pure IPSEC tunnels.

Problem is, most native VPN clients use L2TP. Does anyone know of a workaround for this? A setting from the server side (ASA) that can overcome this?

Finally found a way...just posting it here for someone who has the same problem.

There's a way to work around the issue of propagating routes over L2TP.

I just added the command to the group policy:

group-policy DefaultRAGroup attributes
 intercept-dhcp 255.255.0.0 enable

It basically acts as a DHCP server engine, forcing the routes you have defined in the ACL into any authenticated user's routing table.

It's kind of a stupid workaround, because DHCP and Split Tunneling are 2 different engines, but for some reason they need to be set together: you still need the split-tunnel-policy tunnelspecified associated with the ACL for the intercept-dhcp to work for those networks.

I find it to be a very stupid solution, but it works with most Operating Systems (Snow Leopard, Lion, Windows XP and Windows 7)

However, it does not work with Android, Mac OS below Snow Leopard (like Leopard), and Windows OS below XP. Basically it depends on the DHCP engine the OS is running. Still, it works with the most common operating systems, so for me this post is answered.

Summing up, basically my group-policy is set as follows:

group-policy DefaultRAGroup attributes
 vpn-idle-timeout 1
 vpn-tunnel-protocol l2tp-ipsec
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Inside
 intercept-dhcp 255.255.0.0 enable

Hope this helps to anyone with the same problem.

Best regards
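As an added example (not part of this thread and not Cisco tooling), the two checks the thread converges on can be run against a saved running-config: a group-policy that sets tunnelspecified without a split-tunnel-network-list (the DefaultRAGroup_1 case), a network-list whose ACL is never defined, and an l2tp-ipsec policy that relies on split tunneling without the intercept-dhcp workaround the original poster settled on. The config text is a constructed sample with placeholder names, and attribute lines are assumed to be indented by one space as in a real show running-config.

```python
import re

# Constructed sample mirroring the thread's group-policy section; names and
# prefixes are placeholders, not the poster's real config.
SAMPLE_CONFIG = """\
access-list Inside standard permit 10.1.0.0 255.255.0.0
access-list Inside standard permit 192.168.15.0 255.255.224.0
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Inside
group-policy DefaultRAGroup_1 attributes
 split-tunnel-policy tunnelspecified
group-policy Fixed attributes
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Inside
 intercept-dhcp 255.255.0.0 enable
"""

def parse_policies(config):
    """Return ({policy: {attribute: value}}, {defined ACL names})."""
    acls, policies, current = set(), {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            key, _, val = raw.strip().partition(" ")  # indented attribute line
            current[key] = val
            continue
        m = re.match(r"access-list (\S+) ", raw)
        if m:
            acls.add(m.group(1))
        m = re.match(r"group-policy (\S+) attributes$", raw)
        current = policies.setdefault(m.group(1), {}) if m else None
    return policies, acls

def audit(config):
    """Return (policy, finding) pairs for the defects discussed in the thread."""
    policies, acls = parse_policies(config)
    findings = []
    for name, attrs in policies.items():
        if attrs.get("split-tunnel-policy") != "tunnelspecified":
            continue  # tunnelall / excludespecified need no network-list check here
        acl = attrs.get("split-tunnel-network-list", "").split()[-1:]  # "value <ACL>"
        if not acl:
            findings.append((name, "missing-network-list"))  # the DefaultRAGroup_1 case
        elif acl[0] not in acls:
            findings.append((name, "undefined-acl"))
        if "l2tp-ipsec" in attrs.get("vpn-tunnel-protocol", "") and "intercept-dhcp" not in attrs:
            findings.append((name, "l2tp-no-intercept-dhcp"))  # native clients get no routes
    return findings
```

Running audit() over a real config flags DefaultRAGroup_1 as missing its ACL and DefaultRAGroup as an L2TP policy without intercept-dhcp; the Fixed policy, which matches the poster's final configuration, produces no finding.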