Cisco ASA 5510 - Remote VPN Split Tunnel Problem

Vikrant Ambhore
Level 1

Hello Friends,

We have just installed an ASA 5510 and set up remote VPN with split tunnelling. I can see that the split tunnels are getting to the VPN Client as they are all populated in the “Route Details”; however, I’m unable to ping any subnet other than 192.168.1.0/24.

When not using the VPN and directly on the 192.168.1.0/24 subnet I can ping the other subnets fine. Just not on Remote VPN.

Config as below:

tunnel-group cisco_vpn_group type remote-access
tunnel-group cisco_vpn_group general-attributes
address-pool Remote_VPN_DHCP
authentication-server-group DC
default-group-policy cisco_vpn_group
tunnel-group cisco_vpn_group ipsec-attributes
pre-shared-key ***********
group-policy cisco_vpn_group internal
group-policy cisco_vpn_group attributes
dns-server value 192.168.1.x 192.168.1.x
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Tunnel_Split
default-domain value ****
address-pools none
ipv6-address-pools none
ip local pool Remote_VPN_DHCP 192.168.1.230-192.168.1.250 mask 255.255.255.0
access-list Tunnel_Split standard permit 192.168.1.0 255.255.255.0
access-list Tunnel_Split standard permit 192.168.2.0 255.255.255.0
access-list Tunnel_Split standard permit 192.168.3.0 255.255.255.0
access-list Tunnel_Split standard permit 192.168.6.0 255.255.255.0
access-list Tunnel_Split standard permit 192.168.4.0 255.255.255.0
access-list Tunnel_Split standard permit 192.168.5.0 255.255.255.0
access-list Tunnel_Split standard permit 10.0.0.0 255.255.255.0

Regards

Vicky

5 Replies

Herbert Baerten
Cisco Employee

Hi Vicky,

The VPN config looks OK; this rather sounds like a NAT or routing issue.

Is this ASA doing NAT for those internal networks? If so, is it doing NAT exemption for the VPN traffic?

As for routing, does the ASA have a route to the internal networks? Do the internal networks have a route to the vpn pool and is this route going to the ASA?

hth

Herbert

Mohamed Sobair
Level 7

Hi,

You need to make sure of two things:

1- The ASA can reach all of the subnets specified in the group-policy network list.

2- NAT exemption should be configured for all these subnets back to the VPN client subnet, if the ASA has NAT configured for those subnets.

Regards,

Mohamed

Not the best situation using the same IPs as the internal subnet. We will be changing this but just not at present.

The NAT below is used for our L2L VPN Tunnel and is working fine.

NAT Addresses

1 (LAN) to (WAN) source static 192.168.1.0 192.168.1.0 destination static 192.168.2.0 192.168.2.0

2 (LAN) to (WAN) source static 192.168.1.0 192.168.1.0 destination static 192.168.6.0 192.168.6.0

3 (LAN) to (WAN) source static 192.168.1.0 192.168.1.0 destination static 192.168.5.0 192.168.5.0

4 (LAN) to (WAN) source static 192.168.1.0 192.168.1.0 destination static 192.168.4.0 192.168.4.0

5 (DMZ) to (WAN) source static 10.0.0.0 10.0.0.0 destination static 192.168.2.0 192.168.2.0

6 (DMZ) to (WAN) source static 10.0.0.0 10.0.0.0 destination static 192.168.4.0 192.168.4.0

7 (DMZ) to (WAN) source static 10.0.0.0 10.0.0.0 destination static 192.168.6.0 192.168.6.0

8 (DMZ) to (WAN) source static 10.0.0.0 10.0.0.0 destination static 192.168.5.0 192.168.5.0

9 (LAN) to (WAN) source static 192.168.1.0 192.168.1.0 destination static 192.168.3.0 192.168.3.0

10 (DMZ) to (WAN) source static 10.0.0.0 10.0.0.0 destination static 192.168.3.0 192.168.3.0

11 (LAN) to (WAN) source static any any destination static 192.168.1.0 192.168.1.0

Route Config

route WAN 0.0.0.0 0.0.0.0 66.219.50.193 1

So you don't have any dynamic NAT, it's all static then. This problem is not caused by your NAT config below if that's the case.

Confirm that the ASA can reach all of the following subnets:

192.168.2.0

192.168.3.0

192.168.4.0

192.168.5.0

10.0.0.0

Also confirm there is no dynamic NAT configured on the firewall other than the static rules below.

Regards,

Mohamed

Do I understand correctly that 192.168.2.0 (and also 3, 4, 5, 6) are not on the inside (LAN) interface but on the outside (WAN) (presumably behind a L2L tunnel)?

In that case you will need a (WAN,WAN) NAT rule between 192.168.1.0 and each of these remote networks.

So for each

(LAN) to (WAN) source static 192.168.1.0 192.168.1.0 destination static 192.168.X.0 192.168.X.0

you will have to add

(WAN) to (WAN) source static 192.168.1.0 192.168.1.0 destination static 192.168.X.0 192.168.X.0

(or change the LAN to any)

In addition, you need to configure this:

same-security-traffic permit intra-interface

hth

Herbert
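As an added example (my own code, not from the thread or from Cisco), the following Python models the interface-pair logic behind Herbert's answer: a VPN client in the pool enters on WAN, the ASA picks the egress interface by route, and an identity twice-NAT rule only exempts the flow if it matches that interface pair in either direction. It assumes /24 masks for the bare network addresses shown in the ASDM table and that 10.0.0.0/24 sits on the DMZ interface; the split-tunnel list, NAT table and default route are constructed from the posts above, and the check generalizes beyond the 192.168.X.0 networks to any split-tunnel destination.

```python
import ipaddress
import re
Net = ipaddress.IPv4Network
NAT_RE = re.compile(r"\((\S+)\) to \((\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")

def net(s):
    """'any' -> 0.0.0.0/0; the bare network addresses in the thread are assumed to be /24 (assumption)."""
    return Net("0.0.0.0/0") if s == "any" else Net(s + "/24")

def parse_nat(line):
    """Parse one twice-NAT rule as ASDM prints it; only identity (no-translation) rules are kept."""
    m = NAT_RE.search(line)
    if not m:
        return None
    sif, dif, s1, s2, d1, d2 = m.groups()
    return (sif, dif, net(s1), net(d1)) if s1 == s2 and d1 == d2 else None

def egress(dst, routes):
    # Longest-prefix match over (network, interface): the ASA picks the NAT interface pair by route.
    return max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)[1]

def rule_covers(rule, in_if, out_if, src, dst):
    sif, dif, snet, dnet = rule
    # Twice NAT is bidirectional: an (A,B) S->D rule also matches a flow entering B from D toward S.
    fwd = (sif, dif) == (in_if, out_if) and src in snet and dst in dnet
    rev = (dif, sif) == (in_if, out_if) and src in dnet and dst in snet
    return fwd or rev

def audit(pool_ip, vpn_if, split_nets, nat_lines, routes, intra_interface):
    """Map each split-tunnel network the VPN client could not reach to the reason."""
    rules = [r for r in map(parse_nat, nat_lines) if r]
    problems = {}
    for d in split_nets:
        dst = d.network_address + 1     # any host in the destination network
        out_if = egress(dst, routes)    # client traffic enters on vpn_if and leaves via the routed interface
        if not any(rule_covers(r, vpn_if, out_if, pool_ip, dst) for r in rules):
            problems[str(d)] = f"no identity NAT for ({vpn_if},{out_if})"
        elif out_if == vpn_if and not intra_interface:
            problems[str(d)] = "needs same-security-traffic permit intra-interface"
    return problems

# Constructed from the thread: split-tunnel ACL, ASDM NAT table, routes (10.0.0.0/24 on DMZ is assumed).
SPLIT = [net(f"192.168.{x}.0") for x in range(1, 7)] + [net("10.0.0.0")]
NAT_LINES = [f"({i}) to (WAN) source static {s} {s} destination static 192.168.{x}.0 192.168.{x}.0"
             for i, s in (("LAN", "192.168.1.0"), ("DMZ", "10.0.0.0")) for x in (2, 3, 4, 5, 6)]
NAT_LINES.append("(LAN) to (WAN) source static any any destination static 192.168.1.0 192.168.1.0")
ROUTES = [(Net("0.0.0.0/0"), "WAN"), (net("192.168.1.0"), "LAN"), (net("10.0.0.0"), "DMZ")]
POOL_IP = ipaddress.IPv4Address("192.168.1.230")   # first address of Remote_VPN_DHCP
HAIRPIN_FIX = [f"(WAN) to (WAN) source static 192.168.1.0 192.168.1.0 destination static 192.168.{x}.0 192.168.{x}.0"
               for x in (2, 3, 4, 5, 6)]
```

Running `audit(POOL_IP, "WAN", SPLIT, NAT_LINES, ROUTES, False)` reproduces the symptom (only 192.168.1.0/24 is reachable); adding `HAIRPIN_FIX` with `intra_interface=True` clears the 192.168.X.0 entries, and the DMZ network is reported separately because none of the posted rules cover the (WAN,DMZ) pair.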