02-17-2014 04:32 PM
Hello Experts!
We have an ASA (8.25) configured for L2TP and the primary clients are OSX with native client. Clients are able to connect without issue and reach our main network (A), but are unable to reach a separate network (B) on the inside of the ASA. I've tried to enable tunnel all (which would suit us) but it still only encrypts for network A. I've also tried adding both network A and B for split tunneling but again only network A is being added to the encryption domain. Very strange.
Here is my sanitized config:
ASA Version 8.2(5)
!
hostname L2TP-VPN
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address
!
interface Ethernet0/1
nameif inside
security-level 100
ip address
!
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 171.184.6.52 255.255.255.252
access-list inside_nat0_outbound extended permit ip any 198.35.50.0 255.255.255.0
access-list GM_All extended permit ip any 198.35.50.0 255.255.255.0
access-list GM_All extended permit ip any 171.0.0.0 255.0.0.0
access-list GM-L2tp standard permit 198.35.50.0 255.255.255.0
access-list GM-L2tp standard permit 171.0.0.0 255.0.0.0
pager lines 24
logging enable
logging timestamp
logging list VPN level informational class vpn
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm informational
logging device-id hostname
logging debug-trace
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool GM_Pool 171.184.6.1-171.184.6.19 mask 255.255.252.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 171.184.6.0 255.255.255.192
route outside 0.0.0.0 0.0.0.0 blah
route inside 171.0.0.0 255.0.0.0 171.184.4.1 1
route inside 198.35.50.0 255.255.255.0 198.35.50.1 1
route inside 198.168.25.0 255.255.255.0 171.184.4.143 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server IS&T protocol radius
aaa-server IS&T (inside) host 171.184.5.126
timeout 5
key *****
http server enable
no snmp-server location
no snmp-server contact
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
ssh timeout 60
console timeout 10
management-access inside
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 171.184.4.100
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-network-list value GM-L2tp
default-domain value blah.com
split-dns none
split-tunnel-all-dns enable
group-policy DfltGrpPolicy attributes
dns-server value 171.184.4.100
split-tunnel-policy tunnelspecified
split-tunnel-network-list value GM-L2tp
tunnel-group DefaultRAGroup general-attributes
address-pool GM_Pool
authentication-server-group IS&T
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
: end
02-18-2014 07:12 AM
If that is your entire configuration pasted above, I would imagine that it is a NAT issue. I assume your "inside" interface is on the 171.0.0.0/8 network?
I see the following access list defined, but it is not applied for NAT exemption.
access-list inside_nat0_outbound extended permit ip any 171.184.6.52 255.255.255.252
access-list inside_nat0_outbound extended permit ip any 198.35.50.0 255.255.255.0
You are missing:
nat (inside) 0 access-list inside_nat0_outbound
Also, since the 198.35.50.0 network appears to be on the inside, you do not need the 2nd ACE in the access-list for NAT exemption.
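The reply above makes the point that a NAT exemption ACL on ASA 8.2 does nothing until a "nat (inside) 0 access-list" line references it. As an added example (not code from the thread or from Cisco), this Python lint reads an 8.2-style config, lists exemption ACLs that are defined but never applied, and also checks whether the VPN pool addresses fall inside that ACL's destination entries, which goes beyond what the reply states; the sample config is constructed from the lines quoted in the thread, and matching exemption ACLs by the substring "nat0" in their name is an assumption.

```python
import ipaddress

# Constructed excerpt modelled on the sanitized config posted in the thread.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 171.184.6.52 255.255.255.252
access-list inside_nat0_outbound extended permit ip any 198.35.50.0 255.255.255.0
access-list GM-L2tp standard permit 198.35.50.0 255.255.255.0
ip local pool GM_Pool 171.184.6.1-171.184.6.19 mask 255.255.252.0
global (outside) 1 interface
nat (outside) 1 171.184.6.0 255.255.255.192
"""


def _spec(tokens, i):
    """Consume one ACE address spec at tokens[i]: 'any', 'host X', or 'X MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse(config):
    """Collect extended-ACL destinations, ACLs applied with 'nat (...) 0', and local pools."""
    acl_dsts, nat0_acls, pools = {}, set(), []
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            _, i = _spec(t, 5)           # source spec is irrelevant for this check
            dst, _ = _spec(t, i)
            acl_dsts.setdefault(t[1], []).append(dst)
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0_acls.add(t[4])
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools.append((ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return acl_dsts, nat0_acls, pools


def unapplied_nat0_acls(config):
    """Exemption-style ACLs ('nat0' in the name, an assumed convention) no nat 0 line uses."""
    acl_dsts, nat0_acls, _ = parse(config)
    return sorted(n for n in acl_dsts if "nat0" in n and n not in nat0_acls)


def pool_addresses_not_exempted(config, acl_name):
    """VPN pool addresses that no destination entry of acl_name covers (traffic would be NATed)."""
    acl_dsts, _, pools = parse(config)
    dsts, missing = acl_dsts.get(acl_name, []), []
    for lo, hi in pools:
        addr = lo
        while addr <= hi:
            if not any(addr in d for d in dsts):
                missing.append(str(addr))
            addr += 1
    return missing
```

Running it against the constructed sample reports inside_nat0_outbound as defined but unapplied, and lists every pool address that the ACL's destination entries do not cover.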
02-18-2014 07:18 AM
Good morning and thanks for taking the time to reply.
Yes, the "inside" interface is on the 171.0.0.0/8 network.
I will try adding "nat (inside) 0 access-list inside_nat0_outbound" and post the results.
So only the IP pool "171.184.6.52 255.255.255.252" needs to be no-nat'ed?
Thanks!
02-18-2014 07:27 AM
Yup. Let us know the results.
Thanks.
02-18-2014 09:00 AM
I added: "nat (inside) 0 access-list inside_nat0_outbound" but no success. Still not encrypting the 198.35.50.0/24 network and sending out the public interface.
What am I missing here??
02-18-2014 10:23 AM
Okay, so the issue is the OSX native client. If I drag the L2TP config to the top of the Service Order then 198.35.50.0/24 gets added to the encryption domain. Ugh.
Thanks for your help!