I'm trying to configure split tunneling on a site to site vpn connection using an ASA 5505 at the remote site and a 5520 at the HQ site.
The tunnel is established and both inside networks can communicate but I want users at the remote site to use their local ISP for internet.
In the ASDM 6.4 I browsed to "Remote Access VPN" and selected "Group Policies" under the "Network (Client) Access" drop down. From there I selected my tunnel group policy, selected edit and under the "Advanced", "Split Tunneling" I de-selected the "Inherit" checkboxes on "Policy" and "Network List".
In the "Policy" drop down I selected "Exclude Network List Below" and in the "Network List" drop down I created an extended ACL with two ACEs. One allowing ANY ANY on http and another allowing ANY ANY on https. I named that ACL "Split_Tunnel" and then selected that name under the "Network List" drop down.
I'm missing something because this in itself doesn't allow clients behind the ASA to get internet access.
I should also mention that the remote site is using DSL with a static IP and the modem is configured with DMZ hosting to pass that public IP over to the outside interface of the ASA. The ASA's outside interface is pulling a DHCP address from the DSL modem and the modem is NATting the traffic between the private IP handed to the ASA and the public IP forwarded from the modem.
As I said, both inside networks on the local and remote inside LANs are communicating. I just can't get the users of the remote network to use the DSL for internet access.
I just happen to have that handy so here ya go!
ASA Version 8.4(2)
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
switchport access vlan 2
ip address 10.100.100.1 255.255.255.0
ip address dhcp setroute
boot system disk0:/asa842-k8.bin
ftp mode passive
object network local-lan
 subnet 10.100.100.0 255.255.255.0
object network remote-lan
 subnet 10.100.200.0 255.255.255.0
object-group network obj_any
object-group protocol TCPUDP
access-list cryptomap extended permit ip object local-lan object remote-lan
access-list split_tunnel extended permit tcp object local-lan any eq www
access-list split_tunnel extended permit tcp object local-lan any eq https
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 10.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set 5505trans esp-aes-256 esp-sha-hmac
crypto map outside 1 match address cryptomap
crypto map outside 1 set pfs
crypto map outside 1 set peer XXX.XXX.XXX.XXX
crypto map outside 1 set ikev1 transform-set 5505trans
crypto map outside interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy 5505_policy internal
group-policy 5505_policy attributes
 split-tunnel-network-list value split_tunnel
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX general-attributes
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
 ikev1 pre-shared-key *****
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cheers, thanks for the update.
In simple words (hopefully):
1) nat (inside,outside) source static local-lan local-lan destination static remote-lan remote-lan:
--> no NATting between your local subnet when destination is towards remote LAN subnet.
2) object network obj-10.100.100.0
    subnet 10.100.100.0 255.255.255.0
    nat (inside,outside) dynamic interface
--> for any other destination, PAT that to the ASA outside interface IP Address (public IP).
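The two NAT rules above do the real work for local internet breakout on a site-to-site tunnel, and the reason they must coexist is the ASA's NAT evaluation order: manual (twice) NAT in section 1 is checked before object (auto) NAT in section 2, and the crypto map ACL is matched against the post-NAT source address. The following Python model is an added example written for this thread, not Cisco code and not the ASA's own logic; it reuses the object names from the posted config (local-lan, remote-lan, obj-10.100.100.0, the cryptomap ACL) and assumes a constructed outside interface address of 192.168.0.2 from the DSL modem. It shows that VPN-bound traffic keeps its private source and still matches the crypto ACL, that any other destination is PATed to the outside interface, and that dropping the identity rule silently breaks the tunnel because PATed traffic no longer matches the crypto ACL.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample data mirroring the thread's object names (assumptions for this example).
OBJECTS = {
    "local-lan": ipaddress.ip_network("10.100.100.0/24"),
    "remote-lan": ipaddress.ip_network("10.100.200.0/24"),
    "obj-10.100.100.0": ipaddress.ip_network("10.100.100.0/24"),
}
# Assumed DHCP address handed to the ASA outside interface by the DSL modem.
OUTSIDE_IF_IP = ipaddress.ip_address("192.168.0.2")


@dataclass
class NatRule:
    section: int            # ASA order: 1 = manual (twice) NAT, 2 = object (auto) NAT
    src_obj: str
    dst_obj: Optional[str]  # None means any destination
    action: str             # "identity" (no translation) or "pat-interface"


RULES = [
    # nat (inside,outside) source static local-lan local-lan destination static remote-lan remote-lan
    NatRule(section=1, src_obj="local-lan", dst_obj="remote-lan", action="identity"),
    # object network obj-10.100.100.0 / nat (inside,outside) dynamic interface
    NatRule(section=2, src_obj="obj-10.100.100.0", dst_obj=None, action="pat-interface"),
]


def translate(src: str, dst: str, rules=RULES):
    """Return (post-NAT source, action) for a packet going inside -> outside.
    Rules are tried in section order; the first match wins, as on the ASA."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.section):
        if s not in OBJECTS[rule.src_obj]:
            continue
        if rule.dst_obj is not None and d not in OBJECTS[rule.dst_obj]:
            continue
        if rule.action == "identity":
            return str(s), "identity"
        if rule.action == "pat-interface":
            return str(OUTSIDE_IF_IP), "pat-interface"
    return str(s), "no-nat"


def crypto_acl_matches(post_nat_src: str, dst: str) -> bool:
    """access-list cryptomap extended permit ip object local-lan object remote-lan,
    evaluated against the post-NAT source address."""
    return (ipaddress.ip_address(post_nat_src) in OBJECTS["local-lan"]
            and ipaddress.ip_address(dst) in OBJECTS["remote-lan"])


def encrypted(src: str, dst: str, rules=RULES) -> bool:
    """True if the flow will be sent through the IPsec tunnel after NAT."""
    post_nat_src, _ = translate(src, dst, rules)
    return crypto_acl_matches(post_nat_src, dst)


if __name__ == "__main__":
    host = "10.100.100.10"
    print("to HQ LAN   :", translate(host, "10.100.200.20"), "encrypted:", encrypted(host, "10.100.200.20"))
    print("to internet :", translate(host, "203.0.113.10"), "encrypted:", encrypted(host, "203.0.113.10"))
    # Without the section-1 identity rule, VPN traffic is PATed and misses the crypto ACL.
    only_pat = [RULES[1]]
    print("no identity :", translate(host, "10.100.200.20", only_pat), "encrypted:", encrypted(host, "10.100.200.20", only_pat))
```

On the real box the equivalent check is packet-tracer from the inside interface, once with a destination in the HQ LAN and once with a public address; the first should show the identity NAT phase followed by the VPN encrypt phase, and the second should show the dynamic interface PAT with no VPN phase.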