06-27-2013 04:17 AM
Hello, everybody. I have an issue with the split tunnel of an EzVPN client. My customer's branch site is connected to an ASA 5510 through a router that is configured as a hardware client in network extension mode. The branch site has two networks: 142.10.64.0/24 is the local LAN and 192.168.1.0/24 is the server network, and the split tunnel is configured to let the clients reach it. When the remote users log in with the client software, the client software receives two split tunnels. When I ping from the client to any network of the branch site, it works. But I can't ping the client using the server network in the branch site as the source. The local LAN can. I want to know whether only one tunnel is active in the client. Here is my ASA configuration:
WB-VPNSer-5510# sh run
: Saved
:
ASA Version 8.4(1)
!
hostname WB-VPNSer-5510
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 222.216.28.135 255.255.255.128
!
interface Ethernet0/1
shutdown
nameif inside
security-level 100
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
service-object esp
service-object udp destination eq isakmp
access-list internet extended permit object-group DM_INLINE_SERVICE_1 any any
access-list internet extended permit ip any any
access-list ezvpn_splitTunnelAcl standard permit 142.10.64.0 255.255.255.0
access-list ezvpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list ezvpn_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
access-list remote_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool client 172.16.1.100-172.16.1.199 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo-reply outside
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
access-group internet global
route outside 0.0.0.0 0.0.0.0 222.216.28.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set remote esp-3des esp-md5-hmac
crypto dynamic-map remote 1 set ikev1 transform-set remote
crypto dynamic-map remote 1 set reverse-route
crypto map remote 1 ipsec-isakmp dynamic remote
crypto map remote interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1
webvpn
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.230
split-tunnel-policy tunnelspecified
group-policy remote internal
group-policy remote attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remote_splitTunnelAcl
nem enable
group-policy ezvpn internal
group-policy ezvpn attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn_splitTunnelAcl
username admin password lxHIQV3npwOuCcNf encrypted privilege 15
username wbzy_test001 password FW08MdHWVfpdRSQU encrypted
username wbzy_test001 attributes
service-type remote-access
username cisco password ffIRPGpDSOJh9YLq encrypted
username cisco attributes
service-type remote-access
tunnel-group remote type remote-access
tunnel-group remote general-attributes
authentication-server-group (outside) LOCAL
default-group-policy remote
tunnel-group remote ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group ezvpn type remote-access
tunnel-group ezvpn general-attributes
address-pool client
authentication-server-group (outside) LOCAL
default-group-policy ezvpn
tunnel-group ezvpn ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:df94a153b5f856c07a09255ef947fc9d
: end
And here is the IPsec SA output on the ASA:
WB-VPNSer-5510# sh crypto ipsec sa
interface: outside
Crypto map tag: remote, seq num: 1, local addr: 222.216.28.135
local ident (addr/mask/prot/port): (142.10.64.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.100/255.255.255.255/0/0)
current_peer: 121.31.246.33, username: cisco
dynamic allocated peer ip: 172.16.1.100
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 222.216.28.135/4500, remote crypto endpt.: 121.31.246.33/13965
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 04F34E76
current inbound spi : 19577A26
inbound esp sas:
spi: 0x19577A26 (425163302)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 20480, crypto-map: remote
sa timing: remaining key lifetime (sec): 3593
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x04F34E76 (83054198)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 20480, crypto-map: remote
sa timing: remaining key lifetime (sec): 3593
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: remote, seq num: 1, local addr: 222.216.28.135
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.100/255.255.255.255/0/0)
current_peer: 121.31.246.33, username: cisco
dynamic allocated peer ip: 172.16.1.100
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 222.216.28.135/4500, remote crypto endpt.: 121.31.246.33/13965
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 0326A0D8
current inbound spi : 08C3450E
inbound esp sas:
spi: 0x08C3450E (147014926)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 20480, crypto-map: remote
sa timing: remaining key lifetime (sec): 3593
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000003F
outbound esp sas:
spi: 0x0326A0D8 (52863192)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 20480, crypto-map: remote
sa timing: remaining key lifetime (sec): 3593
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: remote, seq num: 1, local addr: 222.216.28.135
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (142.100.66.254/255.255.255.255/0/0)
current_peer: 222.216.165.196, username: cisco
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 222.216.28.135/4500, remote crypto endpt.: 222.216.165.196/18337
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: BBEAB755
current inbound spi : 2C11BB75
inbound esp sas:
spi: 0x2C11BB75 (739359605)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: remote
sa timing: remaining key lifetime (sec): 28605
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xBBEAB755 (3152721749)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: remote
sa timing: remaining key lifetime (sec): 28605
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: remote, seq num: 1, local addr: 222.216.28.135
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (142.10.64.0/255.255.255.0/0/0)
current_peer: 222.216.165.196, username: cisco
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 222.216.28.135/4500, remote crypto endpt.: 222.216.165.196/18337
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: B8CCEDAC
current inbound spi : 216E0166
inbound esp sas:
spi: 0x216E0166 (560857446)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: remote
sa timing: remaining key lifetime (sec): 28603
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000007FF
outbound esp sas:
spi: 0xB8CCEDAC (3100437932)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: remote
sa timing: remaining key lifetime (sec): 28603
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: remote, seq num: 1, local addr: 222.216.28.135
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 222.216.165.196, username: cisco
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 222.216.28.135/4500, remote crypto endpt.: 222.216.165.196/18337
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 06769CF1
current inbound spi : 78E0C604
inbound esp sas:
spi: 0x78E0C604 (2027996676)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: remote
sa timing: remaining key lifetime (sec): 28602
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x06769CF1 (108436721)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: remote
sa timing: remaining key lifetime (sec): 28601
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
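The question above is really about which phase-2 SAs exist per peer and which of them have carried traffic. The script below is an added example and not part of the original post: it parses the `show crypto ipsec sa` format shown above into one record per SA (local ident, remote ident, peer, packet counters), groups them by peer, flags SAs with zero counters in both directions as idle, and checks a list of expected split-tunnel networks against the idents actually negotiated. The embedded sample is a constructed, trimmed copy of the post's output (only the lines the parser reads); the function names and the `side` parameter are this example's own choices. Run on the post's numbers it shows that the software client peer 121.31.246.33 has SAs for 142.10.64.0/24 and 172.16.1.0/24 but none for 192.168.1.0/24, while the hardware client peer 222.216.165.196 has all three of its SAs but only the 142.10.64.0/24 one has decapsulated packets.

```python
"""Summarise Cisco ASA `show crypto ipsec sa` output per peer and compare the
negotiated proxy identities with the split-tunnel networks we expect.
Added example for this thread; not code from the original post."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: trimmed to the lines this parser reads.  Addresses and
# counters mirror the post's output; the real command prints many more lines.
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: remote, seq num: 1, local addr: 222.216.28.135
      local ident (addr/mask/prot/port): (142.10.64.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.1.100/255.255.255.255/0/0)
      current_peer: 121.31.246.33, username: cisco
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    Crypto map tag: remote, seq num: 1, local addr: 222.216.28.135
      local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.1.100/255.255.255.255/0/0)
      current_peer: 121.31.246.33, username: cisco
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    Crypto map tag: remote, seq num: 1, local addr: 222.216.28.135
      local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (142.100.66.254/255.255.255.255/0/0)
      current_peer: 222.216.165.196, username: cisco
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    Crypto map tag: remote, seq num: 1, local addr: 222.216.28.135
      local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (142.10.64.0/255.255.255.0/0/0)
      current_peer: 222.216.165.196, username: cisco
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    Crypto map tag: remote, seq num: 1, local addr: 222.216.28.135
      local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 222.216.165.196, username: cisco
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

SA_HEADER = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/(\d+)/(\d+)\)")
PEER = re.compile(r"current_peer: ([0-9.]+)(?:, username: (\S+))?")
PKTS = re.compile(r"#pkts (encaps|decaps): (\d+)")


def _network(addr, mask):
    """'142.10.64.0', '255.255.255.0' -> '142.10.64.0/24'; host masks give /32."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def parse_ipsec_sa(text):
    """One dict per 'Crypto map tag' block, in the order the ASA printed them."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_HEADER.search(line)
        if m:  # start of a new phase-2 SA block
            cur = {"map": m.group(1), "seq": int(m.group(2)), "local_addr": m.group(3),
                   "peer": None, "username": None, "local": None, "remote": None,
                   "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = IDENT.search(line)
        if m:  # proxy identity; key is 'local' or 'remote'
            cur[m.group(1)] = _network(m.group(2), m.group(3))
            continue
        m = PEER.search(line)
        if m:
            cur["peer"], cur["username"] = m.group(1), m.group(2)
            continue
        m = PKTS.search(line)
        if m:  # only the encaps/decaps totals; 'decompressed' does not match
            cur[m.group(1)] = int(m.group(2))
    return sas


def sas_by_peer(sas):
    grouped = defaultdict(list)
    for sa in sas:
        grouped[sa["peer"]].append(sa)
    return dict(grouped)


def active_sas(sas, peer):
    """SAs for `peer` that have carried at least one packet in either direction."""
    return [sa for sa in sas if sa["peer"] == peer and (sa["encaps"] or sa["decaps"])]


def missing_networks(sas, peer, expected, side="local"):
    """Expected CIDR networks with no SA for `peer` on the given ident side.
    Use side='local' for a software client (ASA-side networks are the local
    ident) and side='remote' for a NEM hardware client (its LANs are the remote ident)."""
    have = {sa[side] for sa in sas if sa["peer"] == peer}
    return [n for n in expected if str(ipaddress.ip_network(n, strict=False)) not in have]


def report(text):
    lines = []
    for peer, peer_sas in sas_by_peer(parse_ipsec_sa(text)).items():
        lines.append(f"peer {peer} (user {peer_sas[0]['username']}): {len(peer_sas)} SA(s)")
        for sa in peer_sas:
            state = "ACTIVE" if (sa["encaps"] or sa["decaps"]) else "idle"
            lines.append(f"  {sa['local']:>18} <-> {sa['remote']:<18} "
                         f"encaps={sa['encaps']} decaps={sa['decaps']} {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SA_OUTPUT))
    sas = parse_ipsec_sa(SAMPLE_SA_OUTPUT)
    # Networks pushed to the software client by ezvpn_splitTunnelAcl in the post
    print("software client lacks SA for:",
          missing_networks(sas, "121.31.246.33", ["142.10.64.0/24", "192.168.1.0/24", "172.16.1.0/24"]))
```

In practice, paste the full `show crypto ipsec sa` output into `parse_ipsec_sa` and call `missing_networks` with the networks from the group's split-tunnel ACL: for a software client compare against the local ident, for a network-extension hardware client compare its LANs against the remote ident. An SA that is present but idle in both directions, as the 142.10.64.0/24 entry for the software client is here, tells you the policy was negotiated but nothing has been routed into it yet.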
07-23-2013 12:44 PM
How are those subnets set up at your customer site? Where do they terminate? Can you provide a diagram of what it looks like?