Split Tunnel not working

sahara101
Level 1

Hello,

I cannot make an AnyConnect tunnel with working split tunneling. The VPN connects just fine and receives an IP from the IP pool.

Interface 10.1.123.1 is on another firewall; the test machine is 10.1.123.67. Ping from the ASA directly is working.

Another network is working OK, 10.21.0.0.

I can show snippets of the config, working and not working:

Working:

ip local pool IPPOOL-xx 10.21.0.1-10.21.0.254 mask 255.255.255.0

interface GigabitEthernet0/1.100
 description xx
 vlan 100
 nameif inside100
 security-level 100
 ip address 10.10.0.5 255.255.255.0

object network xx
 subnet 10.21.0.0 255.255.255.0

access-list Split-xx standard permit 10.0.0.0 255.255.255.0
access-list Split-xx standard permit 10.10.0.0 255.255.255.0

access-list inside100_access_in extended permit ip any any

nat (inside100,outside) source static inside100 inside100 destination static xx xx no-proxy-arp

object network inside100
 nat (any,outside) dynamic interface

access-group inside100_access_in in interface inside100

crypto map inside100_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside100_map interface inside100

anyconnect profiles xx disk0:/xx.xml

group-policy gpolicy-xx internal
group-policy gpolicy-xx attributes
 wins-server none
 dns-server value 10.10.0.21
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 group-lock value xx
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-xx
 default-domain value xx.com
 split-tunnel-all-dns enable
 webvpn
  anyconnect profiles value xx type user

tunnel-group xx type remote-access
tunnel-group xx general-attributes
 address-pool IPPOOL-xx
 authentication-server-group AAA-xx
 default-group-policy gpolicy-xx
tunnel-group xx webvpn-attributes
 group-url https://xx/xx enable
 group-url https://xx.xx.com/xx enable
tunnel-group xx ipsec-attributes
 ikev1 pre-shared-key *****

Not working:

ip local pool IPPOOL-yy 10.243.2.10-10.243.2.254 mask 255.255.255.0

interface GigabitEthernet0/1.172
 description yy
 vlan 172
 nameif inside172
 security-level 100
 ip address 10.1.123.2 255.255.255.0

object network inside172
 subnet 10.1.123.0 255.255.255.0

object network 10.1.123.0
 subnet 10.1.123.0 255.255.255.0

access-list Split-yy standard permit 10.1.123.0 255.255.255.0

access-list inside172_access_in extended permit ip any any

nat (inside172,outside) source static inside172 inside172 destination static 10.243.2.0 10.243.2.0 no-proxy-arp

access-group inside172_access_in in interface inside172

crypto map inside172_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside172_map interface inside172

object network inside172
 nat (any,outside) dynamic interface

group-policy yy internal
group-policy yy attributes
 wins-server none
 dns-server value 4.2.2.2
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 group-lock value yy
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-yy
 default-domain value yy

tunnel-group yy type remote-access
tunnel-group yy general-attributes
 address-pool IPPOOL-yy
 default-group-policy yy
tunnel-group yy webvpn-attributes
 group-url https://yy.yy.com/yy enable

What am I missing? Can you please help?

Thank you!
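As a reader's check against the snippets in the post (an added example, not part of the original post and not Cisco tooling), the following Python reads the "not working" lines that matter for split tunneling and reports three things a practitioner would verify before looking anywhere else: whether the test host 10.1.123.67 falls inside the split-tunnel ACL, whether the twice-NAT identity rule names objects that cover both the test host and the whole VPN pool, and which object names the NAT rule references that the pasted lines never define. The object `10.243.2.0` that the last check flags is simply absent from the posted snippet; whether it exists in the running config is something only the full configuration on the ASA would tell. `POSTED_CONFIG` is the post's own lines; `POOL_OBJECT` is a constructed variant, assumed here only to show what the check reports when every name the NAT rule uses resolves.

```python
import ipaddress
import re

# Constructed sample input: the "not working" lines from the post that the
# checks below read (names and addresses are the post's own).
POSTED_CONFIG = """
ip local pool IPPOOL-yy 10.243.2.10-10.243.2.254 mask 255.255.255.0
object network inside172
 subnet 10.1.123.0 255.255.255.0
object network 10.1.123.0
 subnet 10.1.123.0 255.255.255.0
access-list Split-yy standard permit 10.1.123.0 255.255.255.0
nat (inside172,outside) source static inside172 inside172 destination static 10.243.2.0 10.243.2.0 no-proxy-arp
object network inside172
 nat (any,outside) dynamic interface
group-policy yy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-yy
"""

# Constructed variant (an assumption, not from the post): an object for the
# pool network, so the NAT rule's destination name resolves.
POOL_OBJECT = "object network 10.243.2.0\n subnet 10.243.2.0 255.255.255.0\n"

OBJ_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^subnet (\S+) (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask \S+$")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)")


def _lines(cfg):
    """Non-empty config lines with ASA sub-command indentation stripped."""
    return [ln.strip() for ln in cfg.splitlines() if ln.strip()]


def parse_objects(cfg):
    """Map each 'object network' name to the subnet or host it defines."""
    objects, current = {}, None
    for line in _lines(cfg):
        if m := OBJ_RE.match(line):
            current = m.group(1)          # ASA repeats the block for 'nat' lines
        elif (m := SUBNET_RE.match(line)) and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif (m := HOST_RE.match(line)) and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
    return objects


def parse_split_acl(cfg, acl_name):
    """Networks a standard ACL permits; with tunnelspecified only these are tunnelled."""
    return [ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            for line in _lines(cfg)
            if (m := ACL_RE.match(line)) and m.group(1) == acl_name]


def parse_pool(cfg, pool_name):
    """(first, last) address of an 'ip local pool', or None if absent."""
    for line in _lines(cfg):
        if (m := POOL_RE.match(line)) and m.group(1) == pool_name:
            return ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
    return None


def parse_nat_rules(cfg):
    """Twice-NAT 'source static ... destination static ...' rules as dicts."""
    rules = []
    for line in _lines(cfg):
        if m := NAT_RE.match(line):
            src_if, dst_if, rs, ms, rd, md = m.groups()
            rules.append({"src_if": src_if, "dst_if": dst_if,
                          "real_src": rs, "real_dst": rd,
                          "identity": rs == ms and rd == md})
    return rules


def check_split_tunnel(cfg, acl_name, pool_name, test_host):
    """Static consistency checks for reaching test_host from a pool address."""
    objects = parse_objects(cfg)
    pool = parse_pool(cfg, pool_name)
    host = ipaddress.ip_address(test_host)
    findings = {"in_split_list": any(host in n for n in parse_split_acl(cfg, acl_name)),
                "nat_exempt_ok": False,
                "undefined_objects": []}
    for rule in parse_nat_rules(cfg):
        for name in (rule["real_src"], rule["real_dst"]):
            if name not in objects and name not in findings["undefined_objects"]:
                findings["undefined_objects"].append(name)
        src, dst = objects.get(rule["real_src"]), objects.get(rule["real_dst"])
        # An identity rule counts only if it covers the host and the whole pool.
        if (rule["identity"] and src and dst and pool
                and host in src and pool[0] in dst and pool[1] in dst):
            findings["nat_exempt_ok"] = True
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", POSTED_CONFIG),
                       ("with pool object", POSTED_CONFIG + POOL_OBJECT)):
        print(label, check_split_tunnel(cfg, "Split-yy", "IPPOOL-yy", "10.1.123.67"))
```

The checker only sees what was pasted, so "undefined" means "not in these lines", not "missing from the ASA"; it also says nothing about routing on the far firewall at 10.1.123.1 or about the client's routing table, which `route print` / `netstat -rn` on the test client and `show nat detail` on the ASA would cover at runtime.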