12-21-2011 05:16 AM - edited 02-21-2020 05:47 PM
Hello
I am having difficulties configuring a remote IPsec VPN with a Cisco ASA 5505 and the Windows 7 native VPN client. My client PC gets a VPN pool IP address and can access the remote network behind the ASA, but then I lose my Internet connectivity. I have read that this should be an issue with split tunneling, but I did as it is described here and had no luck.
In the Windows VPN client settings, if I uncheck "Use default gateway on remote network", I have Internet connectivity (since the client is using the local gateway), but then I cannot ping the remote network.
In the log, I see warnings of this type:
Teardown TCP connection 256 for outside:192.168.150.1/49562 to outside:213.199.181.90/80 duration 0:00:00 bytes 0 Flow is a loopback (cisco)
I have attached my configuration file (without the split-tunneling configuration I tried). If you need additional logs, I'll send them right away.
Thank you for your help.
Petar Koraca
12-21-2011 05:42 AM
Petar,
I'm not entirely sure that split tunneling works with the Windows native client (called the L2TP over IPsec client); if I'm not mistaken, that's a limitation of the client.
But you might want to give it a try. Here's what you would need:
access-list split_tun standard permit 192.168.1.0 255.255.255.0
group-policy DefaultRAGroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tun
If that still doesn't work, then you might want to either switch to the Cisco VPN client, which does allow you to enable split tunneling, or try to NAT the traffic for the Windows client through your ASA (that will use your ASA's Internet connection to provide the client with Internet access, by the way).
Give it a try and let us know how it goes.
Thanks
Raga
12-21-2011 06:21 AM
Luis, thank you for your answer. Unfortunately it seems that, as you said, split tunneling doesn't work with the native client.
Are you familiar with the other solution, which would redirect all non-local traffic to the gateway?
Thank you.
Petar Koraca
12-21-2011 07:08 AM
This is what you would have needed on versions 8.3 and earlier:
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 192.168.150.0 255.255.255.0
However, I see that you are running 8.4, so I think all you need is this (I've never done it on 8.4, so it might not be accurate):
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.150.0_24
 ! the object needs its address defined, otherwise the NAT rule has nothing to translate
 subnet 192.168.150.0 255.255.255.0
 nat (outside,outside) dynamic interface
Give it a shot and let me know how it goes.
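The hairpin (U-turn) NAT approach from the reply above, written out in full for ASA 8.4 as an added example (not the poster's own configuration), together with the verification commands a practitioner would run before declaring it working. The pool 192.168.150.0/24, the object name and the sample flow are taken from the thread; everything else is assumed.

```cisco
! Added example, ASA 8.4(x): hairpin (U-turn) NAT so L2TP/IPsec clients that
! tunnel all traffic reach the Internet through the ASA's outside interface.
! Pool 192.168.150.0/24 and the object name come from the thread.

! 1. Allow a flow to enter and leave the same interface (outside -> outside).
!    Without this the ASA tears the flow down with "Flow is a loopback".
same-security-traffic permit intra-interface

! 2. Define the VPN pool as a network object. The subnet line is required;
!    an object with no address gives the nat statement nothing to translate.
object network NETWORK_OBJ_192.168.150.0_24
 subnet 192.168.150.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Note: the intra-interface permit applies to all outside->outside traffic,
! not only the VPN pool. Constrain what clients may reach with a vpn-filter
! on the group policy or the outside access-list as appropriate.

! 3. Verify the rule is installed as an (outside,outside) dynamic PAT.
show nat detail
show running-config same-security-traffic

! 4. Simulate the flow that was being torn down (client 192.168.150.1:49562
!    -> 213.199.181.90:80, arriving on outside, values from the original log).
!    Expect the NAT phase to hit the (outside,outside) rule and a final
!    "Action: allow"; a drop citing a loopback flow means step 1 is missing.
packet-tracer input outside tcp 192.168.150.1 49562 213.199.181.90 80 detailed

! 5. With a client connected and browsing, confirm the translation exists.
show xlate | include 192.168.150
```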
12-21-2011 08:25 AM
It seems to be OK.
I'll still test it a little bit tomorrow, and then proceed with LDAP/RADIUS integration.
Luis, thank you very much!
Petar Koraca