
Routing Client VPN traffic over Site to Site VPN

Ben Sebborn
Level 1

Hi

We have the following scenario:

  • Office (192.168.2.x)
  • Data Centre (212.64.x.x)
  • Home workers (192.168.2.x) (DHCP scope is within office subnet)

Connections:

  • Office to Data Centre traffic is routed through a Site to Site IPSec VPN, which is working fine.
  • Home to Office is routed through a Client to Site IPSec VPN.

The issue we currently have is that the Client VPN works, and we've set up a split tunnel which just includes the Office subnet in the network list.

What I need to do is route any traffic from 'Home' to 'Data Centre' through the Site to Site VPN which is set up.

I tried adding the data centre IP ranges to the Client VPN split tunnel list, but when I do this and try to connect from home, I just get a 'connection timed out' or refused, as if it's been firewalled?

Could you please let me know what I've missed?

Result of the command: "show running-config"

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

domain-name skiddle.internal

enable password xxx encrypted

passwd xxx encrypted

names

name 188.39.51.101 dev.skiddle.com description Dev External

name 192.168.2.201 dev.skiddle.internal description Internal Dev server

name 164.177.128.202 www-1.skiddle.com description Skiddle web server

name 192.168.2.200 Newserver

name 217.150.106.82 Holly

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.3.250 255.255.255.0

!

!

time-range Workingtime

periodic weekdays 9:00 to 18:00

!

ftp mode passive

clock timezone GMT/BST 0

clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns domain-lookup inside

dns server-group DefaultDNS

name-server Newserver

domain-name skiddle.internal

same-security-traffic permit inter-interface

object-group service Mysql tcp

port-object eq 3306

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group network rackspace-public-ips

description Rackspace Public IPs

network-object 164.177.132.16 255.255.255.252

network-object 164.177.132.72 255.255.255.252

network-object 212.64.147.184 255.255.255.248

network-object 164.177.128.200 255.255.255.252

object-group network Cuervo

description Test access for cuervo

network-object host Holly

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_2 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_3 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_4 tcp

port-object eq www

port-object eq https

access-list inside_access_in extended permit ip any any

access-list outside_access_in remark ENABLES Watermark Wifi ACCESS TO DEV SERVER!

access-list outside_access_in extended permit tcp 188.39.51.0 255.255.255.0 interface outside object-group DM_INLINE_TCP_4 time-range Workingtime

access-list outside_access_in remark ENABLES OUTSDIE ACCESS TO DEV SERVER!

access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_3

access-list outside_access_in remark Public Skiddle Network > Dev server

access-list outside_access_in extended permit tcp 192.168.3.0 255.255.255.0 interface outside eq www

access-list outside_access_in extended permit tcp object-group rackspace-public-ips interface outside eq ssh

access-list outside_access_in remark OUTSIDE ACCESS TO DEV SERVER

access-list outside_access_in extended permit tcp object-group Cuervo interface outside object-group DM_INLINE_TCP_1 inactive

access-list outside_access_in extended permit tcp 192.168.3.0 255.255.255.0 host dev.skiddle.internal object-group DM_INLINE_TCP_2 inactive

access-list inside_access_in_1 remark HTTP OUT

access-list inside_access_in_1 extended permit tcp any any eq www

access-list inside_access_in_1 remark HTTPS OUT

access-list inside_access_in_1 extended permit tcp any any eq https

access-list inside_access_in_1 remark SSH OUT

access-list inside_access_in_1 extended permit tcp any any eq ssh

access-list inside_access_in_1 remark MYSQL OUT

access-list inside_access_in_1 extended permit tcp any host 164.177.128.200 object-group Mysql

access-list inside_access_in_1 remark SPHINX OUT

access-list inside_access_in_1 extended permit tcp any host 164.177.128.200 eq 3312

access-list inside_access_in_1 remark DNS OUT

access-list inside_access_in_1 extended permit object-group TCPUDP host Newserver any eq domain

access-list inside_access_in_1 remark PING OUT

access-list inside_access_in_1 extended permit icmp any any

access-list inside_access_in_1 remark Draytek Admin

access-list inside_access_in_1 extended permit tcp any 192.168.3.0 255.255.255.0 eq 4433

access-list inside_access_in_1 remark Phone System

access-list inside_access_in_1 extended permit tcp any 192.168.3.0 255.255.255.0 eq 35300 log disable

access-list inside_access_in_1 remark IPSEC VPN OUT

access-list inside_access_in_1 extended permit udp any host 94.236.41.227 eq 4500

access-list inside_access_in_1 remark IPSEC VPN OUT

access-list inside_access_in_1 extended permit udp any host 94.236.41.227 eq isakmp

access-list inside_access_in_1 remark Office to Rackspace OUT

access-list inside_access_in_1 extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips

access-list inside_access_in_1 remark IMAP OUT

access-list inside_access_in_1 extended permit tcp any any eq imap4

access-list inside_access_in_1 remark FTP OUT

access-list inside_access_in_1 extended permit tcp any any eq ftp

access-list inside_access_in_1 remark FTP DATA out

access-list inside_access_in_1 extended permit tcp any any eq ftp-data

access-list inside_access_in_1 remark SMTP Out

access-list inside_access_in_1 extended permit tcp any any eq smtp

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips

access-list inside_nat0_outbound extended permit ip any 192.168.2.128 255.255.255.224

access-list inside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips

access-list outside_1_cryptomap_1 extended permit tcp 192.168.2.0 255.255.255.0 object-group rackspace-public-ips eq ssh

access-list RACKSPACE-cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips

access-list RACKSPACE-TEST extended permit ip host 94.236.41.227 any

access-list RACKSPACE-TEST extended permit ip any host 94.236.41.227

access-list InternalForClientVPNSplitTunnel remark Inside for VPN

access-list InternalForClientVPNSplitTunnel standard permit 192.168.2.0 255.255.255.0

access-list InternalForClientVPNSplitTunnel remark Rackspace

access-list InternalForClientVPNSplitTunnel standard permit 164.177.128.200 255.255.255.252

access-list InternalForClientVPNSplitTunnel remark Rackspace

access-list InternalForClientVPNSplitTunnel standard permit 164.177.132.16 255.255.255.252

access-list InternalForClientVPNSplitTunnel remark Rackspace

access-list InternalForClientVPNSplitTunnel standard permit 164.177.132.72 255.255.255.252

access-list InternalForClientVPNSplitTunnel remark Rackspace

access-list InternalForClientVPNSplitTunnel standard permit 212.64.147.184 255.255.255.248

pager lines 24

logging enable

logging console debugging

logging monitor debugging

logging buffered debugging

logging trap debugging

logging asdm warnings

logging from-address ben@skiddle.com

logging recipient-address ben@skiddle.com level errors

mtu inside 1500

mtu outside 1500

ip local pool CiscoVPNDHCPPool 192.168.2.130-192.168.2.149 mask 255.255.255.0

ip verify reverse-path interface inside

ip verify reverse-path interface outside

ipv6 access-list inside_access_ipv6_in permit tcp any any eq www

ipv6 access-list inside_access_ipv6_in permit tcp any any eq https

ipv6 access-list inside_access_ipv6_in permit tcp any any eq ssh

ipv6 access-list inside_access_ipv6_in permit icmp6 any any

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface www dev.skiddle.internal www netmask 255.255.255.255

static (inside,outside) tcp interface ssh dev.skiddle.internal ssh netmask 255.255.255.255

access-group inside_access_in in interface inside control-plane

access-group inside_access_in_1 in interface inside

access-group inside_access_ipv6_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.3.254 10

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication telnet console LOCAL

aaa authentication enable console LOCAL

http server enable 4433

http 192.168.1.0 255.255.255.0 inside

http 192.168.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

crypto map outside_map 1 match address RACKSPACE-cryptomap_1

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 94.236.41.227

crypto map outside_map 1 set transform-set ESP-AES-128-SHA

crypto map outside_map 1 set security-association lifetime seconds 86400

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca xxx

  quit

crypto isakmp enable outside

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 192.168.1.0 255.255.255.0 inside

telnet 192.168.2.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcprelay server 192.68.2.200 inside

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 194.35.252.7 source outside prefer

webvpn

port 444

svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1 regex "Intel Mac OS X"

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec webvpn

group-policy skiddlevpn internal

group-policy skiddlevpn attributes

dns-server value 192.168.2.200

vpn-tunnel-protocol IPSec l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value InternalForClientVPNSplitTunnel

default-domain value skiddle.internal

username bensebborn password *** encrypted privilege 0

username bensebborn attributes

vpn-group-policy skiddlevpn

username benseb password gXdOhaMts7w/KavS encrypted privilege 15

tunnel-group 94.236.41.227 type ipsec-l2l

tunnel-group 94.236.41.227 ipsec-attributes

pre-shared-key *****

tunnel-group skiddlevpn type remote-access

tunnel-group skiddlevpn general-attributes

address-pool CiscoVPNDHCPPool

default-group-policy skiddlevpn

tunnel-group skiddlevpn ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

policy-map global-policy

class inspection_default

  inspect icmp

  inspect icmp error

  inspect ipsec-pass-thru

  inspect ftp

!

service-policy global_policy global

smtp-server 164.177.128.203

prompt hostname context

call-home reporting anonymous

Cryptochecksum:6c2eb43fa1150f9a5bb178c716d8fe2b

: end

Accepted Solution

Muhammed Safwan
Level 1

You need same-security-traffic permit intra-interface to enable communication from VPN to VPN.

With Regards,

Safwan

Don't forget to rate helpful posts.


6 Replies


I'm pretty sure this is already enabled:

Result of the command: "show running-config same-security-traffic"

same-security-traffic permit inter-interface

One of the things you have to do is to "nonat" the traffic coming from clients.

nat (outside) 0 ........ the access list has to match the clients' IPs to rackspace-public-ips

Didn't look at the rest, this is the first thing.

Just to bump what safu030 stated

I can see

same-security-traffic permit inter-interface

in your config but you're missing

same-security-traffic permit intra-interface

This is necessary for "hairpinning" traffic, i.e. traffic enters your ASA via the outside interface (security level 0) and exits your ASA via the outside interface (security level 0).
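The two fixes suggested above (the intra-interface permit and a NAT exemption for the client traffic), written out against the config in the question, as an added example rather than configuration posted by anyone in the thread. It assumes ASA 8.2 syntax as in the posted config, takes the client range as 192.168.2.128/27 (it contains CiscoVPNDHCPPool 192.168.2.130-149 and already appears in inside_nat0_outbound), and the ACL name outside_nat0_outbound is invented here.

```text
! Allow traffic that enters and leaves on the same interface (outside -> outside).
! The existing 'permit inter-interface' line only covers two different interfaces
! at the same security level, so decrypted client-VPN traffic cannot be
! re-encrypted into the site-to-site tunnel on the same outside interface.
same-security-traffic permit intra-interface

! Exempt client-VPN -> data centre traffic from NAT on the outside interface,
! so the client's pool address is what enters the site-to-site tunnel.
! (ACL name is an assumption; the range follows CiscoVPNDHCPPool.)
access-list outside_nat0_outbound extended permit ip 192.168.2.128 255.255.255.224 object-group rackspace-public-ips
nat (outside) 0 access-list outside_nat0_outbound

! Nothing to add to the crypto ACL on this side: RACKSPACE-cryptomap_1 already
! permits 192.168.2.0/24 -> rackspace-public-ips, which includes the client pool,
! and InternalForClientVPNSplitTunnel already lists the Rackspace ranges.

! After a client reconnects, check that its data-centre traffic now appears as
! a connection and that the L2L SA to the Rackspace peer carries it.
show conn address 192.168.2.128 netmask 255.255.255.224
show crypto ipsec sa peer 94.236.41.227
```

The Rackspace end must also accept 192.168.2.0/24 as the remote proxy identity; if its crypto ACL mirrors RACKSPACE-cryptomap_1 it already does, otherwise the pool range has to be added there as well.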

Thanks guys

Well spotted with the inter/intra. I'll try enabling that first and see how things work.

Ben

Please rate helpful posts

Thanks