Split Tunneling and Windows VPN Client

fgasimzade
Level 4

Good evening, gents!

Is it possible to configure split tunneling for the default Windows VPN Client and ASA 8.0? Everything works fine with the Cisco VPN Client.

3 Replies

vickyleach1
Level 1

By "Default Windows Client" do you mean using the adapter for the VPN (L2TP)?

Yudong Wu
Level 7

I did not test this. But here is what I found.

Here is how split tunneling works on the Windows VPN Client. It uses "classless static routes" for split tunneling:

http://technet.microsoft.com/en-us/library/bb878117.aspx

On the ASA, there is a command "intercept-dhcp enable" under group-policy. Based on the command reference, it says:

"DHCP Intercept lets Microsoft XP clients use split-tunneling with the security appliance. The security appliance replies directly to the Microsoft Windows XP client DHCP Inform message, providing that client with the subnet mask, domain name, and classless static routes for the tunnel IP address."

So, if the ASA could send "classless static routes for the tunnel IP address" via a DHCP option to the client, the split tunnel might work here.

Again, this is just my thought. I did not test it.
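The routes Yudong Wu refers to reach the client as the DHCP "classless static routes" option: RFC 3442 defines it as option 121, and Windows clients request the same wire format under Microsoft's code 249. The following Python is an added example, not code from this thread or from Cisco; it encodes and decodes that option so you can check what a DHCP Inform reply actually carries (for instance one captured on the client while testing "intercept-dhcp enable"). The destination network and next hop in the sample payload are constructed from the LAN and VPN pool addresses posted later in this thread; the next hop a real server supplies may differ.

```python
"""Encode/decode the DHCP classless static routes option (RFC 3442 option 121,
Microsoft option 249).  Wire format per route:
    1 byte  prefix length (0..32)
    ceil(prefix/8) significant octets of the destination network
    4 bytes  router (next hop)
Added example; the sample payload below is constructed, not captured."""
import ipaddress

OPTION_CLASSLESS_STATIC_ROUTE = 121     # RFC 3442
OPTION_MS_CLASSLESS_STATIC_ROUTE = 249  # pre-RFC code used by Windows clients


def encode_classless_routes(routes):
    """routes: iterable of (destination CIDR, router) -> option payload bytes."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # reject host bits set
        significant = (net.prefixlen + 7) // 8           # a /0 carries no octets
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(payload):
    """Inverse of encode_classless_routes; raises ValueError on malformed data."""
    routes = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError("prefix length %d out of range" % plen)
        significant = (plen + 7) // 8
        if i + significant + 4 > len(payload):
            raise ValueError("truncated route entry")
        # Octets the sender omitted are zero by definition.
        dest = payload[i:i + significant] + b"\x00" * (4 - significant)
        i += significant
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        # strict=False tolerates senders that leave host bits in the last octet.
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        routes.append((str(net), str(router)))
    return routes


def wrap_option(code, payload):
    """TLV-wrap a payload.  DHCP options carry a one-byte length (RFC 2132),
    so a route list longer than 255 bytes cannot fit in a single option."""
    if len(payload) > 255:
        raise ValueError("payload too long for a single DHCP option")
    return bytes([code, len(payload)]) + payload


def unwrap_option(blob, expected_code):
    """Return the payload of a single TLV, checking code and length."""
    if len(blob) < 2 or blob[0] != expected_code:
        raise ValueError("unexpected option code")
    length = blob[1]
    if len(blob) != 2 + length:
        raise ValueError("option length does not match data")
    return blob[2:]


def is_well_formed(payload):
    """True if the payload decodes cleanly; used to vet captured data."""
    try:
        decode_classless_routes(payload)
        return True
    except ValueError:
        return False


# Constructed sample: one route to the corporate LAN 192.168.77.0/24 via the
# client's first pool address 192.168.101.50, as a Windows client would ask for
# it under option 249.
SAMPLE_OPTION_249 = bytes([249, 8]) + b"\x18\xc0\xa8\x4d" + b"\xc0\xa8\x65\x32"

if __name__ == "__main__":
    payload = unwrap_option(SAMPLE_OPTION_249, OPTION_MS_CLASSLESS_STATIC_ROUTE)
    for net, via in decode_classless_routes(payload):
        print("split-tunnel route %s via %s" % (net, via))
    # Build the same list as RFC 3442 option 121, plus a host route and a default.
    routes = [("192.168.77.0/24", "192.168.101.50"),
              ("10.1.2.3/32", "192.168.101.50"),
              ("0.0.0.0/0", "192.168.101.50")]
    print(wrap_option(OPTION_CLASSLESS_STATIC_ROUTE,
                      encode_classless_routes(routes)).hex())
```

A quick way to use it on real data is to copy the hex bytes of option 121 or 249 out of a packet capture of the DHCP Inform reply and feed them to decode_classless_routes; if the ASA is not sending the option at all, the client has nothing to install and every destination goes down the default route.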

I looked at the link real quick; this is not quite what I have done with my L2TP client configs, though I'm not saying it's a bad way, just not something I have tried. The way I would set it up (which is similar) is to route internet traffic back through the corporate ASA on the distant end. I did have a ton of issues when I first set this up and was troubleshooting, but the below is a working config now, so see if the following config helps you out:

Version 8.3(2)
!
hostname CiscoASA
domain-name domain.local
enable password encrypted
passwd encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.77.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.58 255.255.255.128
!
boot system disk0:/asa832-k8.bin
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-vpnPool
 subnet 192.168.101.0 255.255.255.0
object network obj-InsideLAN
 subnet 192.168.77.0 255.255.255.0
object network L2TP_any
 subnet 192.168.101.0 255.255.255.0
object network obj-OutsideIP
 host X.X.X.58
object network obj-192.168.77.0
 subnet 192.168.77.0 255.255.255.0
!
access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list outside_in extended permit ip 192.168.77.0 255.255.255.0 192.168.101.0 255.255.255.0
!
ip local pool vpnpool 192.168.101.50-192.168.101.100
!
nat (inside,outside) source static obj-InsideLAN obj-InsideLAN destination static obj-vpnPool obj-vpnPool
!
object network obj_any
 nat (inside,outside) dynamic interface
object network L2TP_any
 nat (outside,outside) dynamic interface
!
access-group outside_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 X.X.X.59 1
!
aaa-server TACACS+ protocol tacacs+
aaa-server RA_SERVER_GROUP protocol radius
aaa-server LDAP_SERV_GROUP protocol ldap
aaa-server LDAP_SERV_GROUP (inside) host 192.168.77.10
 ldap-base-dn dc=domain, dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=Administrator, cn=Users, dc=domain, dc=local
 server-type microsoft
!
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set L2TP_set esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP_set mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto dynamic-map dynmap 10 set transform-set L2TP_set ESP-3DES-MD5
crypto map Outside-Map 65534 ipsec-isakmp dynamic dynmap
crypto map Outside-Map interface outside
!
crypto isakmp enable outside
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10
!
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
!
management-access inside
!
l2tp tunnel hello 100
!
group-policy L2TP-policy internal
group-policy L2TP-policy attributes
 dns-server value 192.168.77.10 8.8.8.8
 vpn-simultaneous-logins 100000
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value domain.local
!
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
 authentication-server-group LDAP_SERV_GROUP
 default-group-policy L2TP-policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 no authentication ms-chap-v1

The "no" statements are important, as they override the default config, which you can see if you do a "more system: run". Also, if you can, please post back your config so I can see what you have got so far.