Split Tunneling on ASA 5505 not working

netadmin
Level 1

I am currently trying to configure an Easy VPN connection from an ASA 5505 to an ASA 5520. I have enabled split tunneling and in the group policy defined the network to be tunneled, but when I activate the VPN it tunnels everything from the host computer connected to the ASA 5505. I get no internet access. I have been trying to troubleshoot this for days. Any ideas out there?

Here are some specifics: running version 8.2(5) on the 5505 and the 5520, and below is the local config on the 5505 for the Easy VPN:

vpnclient server **.***.***.**
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup dbernstein-5505 password *****
vpnclient username dbernstein password *****
vpnclient ipsec-over-tcp port 10000
vpnclient enable

and the downloaded dynamic policy:

Current Server                       : 12.***.163.**
Primary DNS                          : ***.160.***.39
Default Domain                       : cisco.com
PFS Enabled                          : No
Secure Unit Authentication Enabled   : No
User Authentication Enabled          : No
Split Tunnel Networks                : ***.160.***.0/255.255.255.0
Backup Servers                       : None

11 Replies

Mohamed Sobair
Level 7

You need to enable (Split-Tunnel Tunnel-Specified).

and define the Split Tunnel Value (Split-Tunnel-Value (ACL Name))

Then, you will have to create an ACL specifying the traffic to be tunneled. The above should only allow the statements created by your ACL for split tunneling.

Look at the exact command in the Group-Policy.

Regards,

Mohamed

I was under the impression that when using the Easy VPN client all you need to configure for split tunneling was on the server side, and the client received the tunnel list from that group policy? I have another 5505 that is configured without a specified tunnel list on the client and it is working. I have the st-autoconnect enabled; wouldn't that be enough to engage the split tunneling?

Hello Netadmin,

You are correct. With Easy VPN, the server pushes the policy to the client. Do you have proper nat & global commands on the client ASA? (These are required.)

Hth

MS

Here are my NAT and global commands; they are the same as on my other ASAs, not sure what the heck is going on:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (work) 1 0.0.0.0 0.0.0.0

Hello,

You need to configure the split tunnel policy on the server side, so that when you connect to the main office ASA (the VPN centralized end) the only traffic from your network being encrypted is the traffic going to their subnet, while your internet traffic goes out normally to the outside world without being encrypted.

So the configuration on the SOHO device is okay; the problem is on the server side.

Regards,

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I have configured the server side though, like my other ASAs, and still it tunnels everything. Let me see if I can post the config of the group policy I am using.

tunnel-group dbernstein-5505 type remote-access
tunnel-group dbernstein-5505 general-attributes
 default-group-policy dbernstein_5505_GP
tunnel-group dbernstein-5505 ipsec-attributes
 pre-shared-key *****

group-policy dbernstein_5505_GP internal
group-policy dbernstein_5505_GP attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value dbernstein-5505
 nem enable

Let me know if anyone needs to see anything else in the config but I think this is the majority of it.

I have narrowed it down to a DNS issue.  I can get to internet sites via IP but not via name.  Have any of you seen this?  So it looks like split tunneling is working but DNS is all fouled up.  I disabled passing any DNS server info via the split tunnel GP and am using the DNS server provided by the ISP but still not working.

Ok, I fixed it.  There was a setting in the global_policy that was doing something to DNS.  I unchecked the DNS option and now all is working!!
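As an added example (not configuration from the original thread or from Cisco), the following ties together the two pieces the posts above leave implicit: the access-list that the server's split-tunnel-network-list must point at, and the DNS inspection entry in the ASA 8.2 default global_policy that corresponds to the "DNS option" the last post unchecked in ASDM. The names dbernstein-5505 and dbernstein_5505_GP are taken from the thread; the 10.0.0.0/24 network stands in for the redacted ***.160.***.0/24 and is an assumption, as is the guess that the 5505 (where the hosts sit) is the box whose global_policy was changed and that oversized replies were what inspection was dropping.

```cisco
! ===== Server side (ASA 5520), 8.2(5) =====
! The split-tunnel list is an ordinary ACL. Its permit entries are the
! ONLY destinations the 5505 will push into the tunnel; everything else
! leaves the 5505 via its own outside interface and NAT.
! (10.0.0.0/24 is a placeholder for the redacted network in the thread.)
access-list dbernstein-5505 standard permit 10.0.0.0 255.255.255.0
!
group-policy dbernstein_5505_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value dbernstein-5505
 nem enable
!
! ===== Client side (ASA 5505) =====
! After the tunnel is up, the pushed policy must show the ACL entries
! under "Split Tunnel Networks". If that reads "None", the ACL name in
! split-tunnel-network-list does not match an existing access-list.
show vpnclient detail
!
! ----- The DNS part -----
! ASA 8.2 ships with DNS inspection in the default global policy:
!
!   policy-map type inspect dns preset_dns_map
!    parameters
!     message-length maximum 512
!   policy-map global_policy
!    class inspection_default
!     inspect dns preset_dns_map
!
! Unchecking "DNS" in ASDM's global_policy, as the poster did, is the
! same as removing that one inspect line from the CLI:
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
!
! Narrower alternative (assumption: lookups failed because replies
! exceeded the 512-byte cap): keep inspection, raise the limit instead.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
!
! Verify which DNS inspection policy, if any, is still applied:
show service-policy inspect dns
```

Removing inspect dns switches off DNS application inspection for every flow through that ASA, not just the tunneled ones, so the message-length change is the change to try first; if name resolution recovers with the larger limit, the tunnel was never the problem and the inspection can stay in place.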

I have the same problem with an ASA 5505 Easy VPN client.  The hosts on the inside LAN can resolve DNS while the tunnel is disconnected.  As soon as the tunnel is established, the hosts can no longer resolve DNS.  What setting did you change to fix this?

I am having the same problem. Any help?

Peter Long
Level 1

I've had a problem with this this week; here's how to troubleshoot

Pete