Split-tunnel with "exclude..." keyword

hanwucisco
Level 1

Client(remote site)=====Internet cloud=====ASA(HQ)

Objective: the client visits some websites (which are blocked on the remote FW) on the internet through the HQ ASA; all the other web sites go through the remote site directly.

What I want is to split the tunnel, and I prefer to use "exclude" with an ACL. I configured it from the ASDM. It seems like it does not work: all the traffic is still being tunneled to the ASA and not split.

By the way, do I have to check "Allow Local LAN Access" on the Transport tab on the client side?

group-policy newgroup attributes
 dns-server value X.X.X.X
 vpn-tunnel-protocol IPSec
 split-tunnel-policy excludespecified
 split-tunnel-network-list value ExcludedIP
 split-dns none

!!!! some of the entries in the ACL list
...
access-list ExcludedIP standard permit 48.14.0.0 255.254.0.0
access-list ExcludedIP standard permit 48.16.0.0 255.255.0.0
....

When the user's client traced the 48.14.0.0.0 network, it went to the ASA first...

Any idea?

thanks

Han

Accepted Solution

Hi Han,

I am sorry for any delay.

I have duplicated this and this is what you should expect:

tunnel-group RA type remote-access
tunnel-group RA general-attributes
 address-pool VPN_POOL
 default-group-policy RA
tunnel-group RA ipsec-attributes
 ikev1 pre-shared-key *****
!
group-policy RA internal
group-policy RA attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy excludespecified
 split-tunnel-network-list value RA_EXCLUDE
!
access-list RA_EXCLUDE standard permit host 4.2.2.2
access-list RA_EXCLUDE standard permit host 0.0.0.0
access-list RA_EXCLUDE standard permit 10.198.12.0 255.255.255.0
access-list RA_EXCLUDE standard permit 10.198.16.0 255.255.255.0

Now I tested with the latest VPN client available on CCO running on a Windows 7 machine x86.

You should not experience any issues.

As agreed before, please test from a different machine and let me know.

Thanks.

Portu.

Please rate any helpful posts
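As an added example (not from this thread or from Cisco), the Python below models how the VPN client applies the group-policy in the accepted answer: it parses the split-tunnel-policy and the referenced standard ACL, and treats the `host 0.0.0.0` entry as the local-LAN marker that only takes effect when "Allow Local LAN Access" is checked on the client. The config string is constructed from the accepted answer's lines; the `local_lan` argument is an assumption standing for the client's directly connected subnet.

```python
import ipaddress
import re
CONFIG = """\
! Constructed sample: the group-policy and ACL lines from the accepted answer above
group-policy RA attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value RA_EXCLUDE
access-list RA_EXCLUDE standard permit host 4.2.2.2
access-list RA_EXCLUDE standard permit host 0.0.0.0
access-list RA_EXCLUDE standard permit 10.198.12.0 255.255.255.0
access-list RA_EXCLUDE standard permit 10.198.16.0 255.255.255.0
"""

ACL_RE = re.compile(r"^\s*access-list\s+(\S+)\s+standard\s+permit\s+(?:host\s+(\S+)|(\S+)\s+(\S+))\s*$")
GP_RE = re.compile(r"^\s*split-tunnel-(policy|network-list)\s+(?:value\s+)?(\S+)")
LOCAL_LAN_MARKER = ipaddress.ip_network("0.0.0.0/32")  # 'host 0.0.0.0' means "the client's own LAN"

def parse_acls(config):
    """Map ACL name -> [IPv4Network] parsed from 'access-list <name> standard permit' lines."""
    acls = {}
    for m in filter(None, map(ACL_RE.match, config.splitlines())):
        name, host, net, mask = m.groups()
        # strict=True (the default) rejects an address with host bits set under its mask, i.e. an ACL typo
        acls.setdefault(name, []).append(ipaddress.ip_network(f"{host}/32" if host else f"{net}/{mask}"))
    return acls

def parse_group_policy(config):
    """Return (split-tunnel-policy, referenced ACL name); the ASA default is tunnelall."""
    policy, acl_name = "tunnelall", None
    for m in filter(None, map(GP_RE.match, config.splitlines())):
        if m.group(1) == "policy":
            policy = m.group(2)
        else:
            acl_name = m.group(2)
    return policy, acl_name

def is_tunneled(config, dest, local_lan=None):
    """True if traffic to dest enters the tunnel, False if it leaves via the local interface.
    local_lan (assumed) is the client's own subnet, given only when 'Allow Local LAN Access' is checked."""
    policy, acl_name = parse_group_policy(config)
    nets = parse_acls(config).get(acl_name, [])
    dest = ipaddress.ip_address(dest)
    matched = any(dest in n for n in nets if n != LOCAL_LAN_MARKER)
    # 'host 0.0.0.0' is not a route: it tells the client to keep its directly connected LAN out of the tunnel
    if LOCAL_LAN_MARKER in nets and local_lan and dest in ipaddress.ip_network(local_lan):
        matched = True
    if policy not in ("tunnelall", "excludespecified", "tunnelspecified"):
        raise ValueError(f"unknown split-tunnel-policy {policy!r}")
    return True if policy == "tunnelall" else (matched if policy == "tunnelspecified" else not matched)
```

Running the same check against the original post's ExcludedIP list shows 48.14.x and 48.16.x destinations leaving locally under excludespecified, which is what the client's "Local LAN Routes" box should list once the policy is applied.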


10 Replies

Hi Han,

Do you see those networks in the "Local LAN Routes" box?

VPN Client --> Status --> Statistics --> Route details

How do you know that it goes to the ASA? Have you run a capture on the LAN adapter and VPN adapter to confirm this?

Thanks.

Portu.

Please rate any helpful posts

Hi, Javier,

As for your questions:

How do you know that it goes to the ASA? Have you run a capture on the LAN adapter and VPN adapter to confirm this?

A: I ran tracert from the client and it goes to the ASA.

Do you see those networks in the "Local LAN Routes" box?

A: Yes, there is nothing under "Local LAN routes" and there is 0.0.0.0 under "Secured routes".

And when I checked "allow local lan", I can see the list on the "Local LAN routes". But my client cannot log in if "allow local lan" is checked on the client.

thanks,

Han

Han,

It is interesting indeed.

Are you running the latest client version?

Does this happen to other machines?

Assuming that you are connecting to the correct group and getting the right group-policy it should be working fine.

Portu.

Javier, I just added more info on the last post, please take a look.

thanks,

Han

How do you know whether a flow of packets goes through the ASA or not?

thanks,

Han

Han,

Could you please follow this link and make sure to test it just as it is; then you can adjust your settings:

PIX/ASA 7.x: Allow Local LAN Access for Cisco VPN Client / SVC Configuration Example

I do not have an ASA handy, but I could give it a try in the morning (I am in MST).

Thanks.

Portu.

Sure, thanks. By the way, I think the problem is on the client side: every time I check "allow the local lan", it cannot log in to the VPN...

I see it never went into IPsec phase.

Maybe it is an individual problem, but what can it be?

Portu,

You are right, I changed to a different PC and it worked well. The first PC's client is having some issue I don't know about, and it is not a big concern of ours.

Thanks for the help.

Han

Great news!! I am glad to hear that.

Thanks for counting on us!

Hope you have a great time.
