773 Views | 0 Helpful | 1 Replies

VPN Address Settings

andrewburridge (Level 1)

All,

I'm trying to create a simple split tunnel client VPN that will basically give users access to their local LAN, but push everything else down the VPN tunnel.

I've created the VPN and it connects and authenticates fine, but I'm having a little trouble getting everything as I want. This is my routing table on the client:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    172.22.60.254     172.22.60.12     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       172.16.0.0      255.240.0.0    172.17.47.130    172.17.47.129    100
    172.17.47.128  255.255.255.128         On-link     172.17.47.129    276
    172.17.47.129  255.255.255.255         On-link     172.17.47.129    276
    172.17.47.255  255.255.255.255         On-link     172.17.47.129    276
      172.22.60.0    255.255.255.0         On-link      172.22.60.12    276
     172.22.60.12  255.255.255.255         On-link      172.22.60.12    276
     172.22.60.12  255.255.255.255    172.17.47.130    172.17.47.129    276
    172.22.60.208  255.255.255.255         On-link      172.22.60.12    100
    172.22.60.255  255.255.255.255         On-link      172.22.60.12    276
    172.22.60.255  255.255.255.255    172.17.47.130    172.17.47.129    276
        *OMITTED*  255.255.255.255    172.22.60.254     172.22.60.12    100
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      172.22.60.12    276
        224.0.0.0        240.0.0.0         On-link     172.17.47.129    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      172.22.60.12    276
  255.255.255.255  255.255.255.255         On-link     172.17.47.129    276

And this is the config on my ASA:

ASA Version 8.0(5)
!
hostname *OMITTED*
domain-name *OMITTED*
enable password OvnpyuUYk7lqxYR. encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description Internal LAN Interface
 nameif inside
 security-level 100
 ip address 172.22.85.250 255.255.255.0
!
interface GigabitEthernet0/1
 description Public Facing Interface
 nameif outside
 security-level 0
 ip address *OMITTED*
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name mwhglobal.com
access-list Tunnel-Group-HEY-Clients_splitTunnelAcl standard permit 172.16.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 172.17.47.128 255.255.255.128
access-list Inside_access_in extended permit ip any any
pager lines 24
logging enable
logging buffer-size 64000
logging asdm-buffer-size 200
logging buffered debugging
logging trap informational
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool Address-Pool-HEY-Clients 172.17.47.129-172.17.47.250 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
access-group Inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 *OMITTED* 1
route inside 172.16.0.0 255.240.0.0 172.22.85.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HEYClients protocol radius
aaa-server HEYClients (inside) host 172.25.5.5
 timeout 5
 key ******
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.22.60.0 255.255.252.0 inside
http 172.22.80.0 255.255.248.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 172.22.60.0 255.255.252.0 inside
telnet 172.22.80.0 255.255.248.0 inside
telnet 172.22.80.0 255.255.252.0 outside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 172.22.60.0 255.255.252.0 inside
ssh 172.22.80.0 255.255.248.0 inside
ssh 172.22.80.0 255.255.252.0 outside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Tunnel-Group-HEY-Clients internal
group-policy Tunnel-Group-HEY-Clients attributes
 wins-server value 172.25.1.1 172.24.128.187
 dns-server value 172.22.80.209 172.25.1.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Tunnel-Group-HEY-Clients_splitTunnelAcl
 default-domain value mwhglobal.com
 address-pools value Address-Pool-HEY-Clients
tunnel-group Tunnel-Group-HEY-Clients type remote-access
tunnel-group Tunnel-Group-HEY-Clients general-attributes
 address-pool Address-Pool-HEY-Clients
 authentication-server-group HEYClients
 default-group-policy Tunnel-Group-HEY-Clients
tunnel-group Tunnel-Group-HEY-Clients ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e1a6855b8c0ad3c36811cff5083a729a
: end

So essentially I'd like 172.16.0.0/12 and 0.0.0.0/8 to route over the tunnel, but with the local LAN (in this instance 172.22.60.0/24) to route over the local LAN. 

Could you please advise on what changes I should make to accomplish this?

Thanks!
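Added example, not from Andrew's post or the reply below: a short Python script that parses the routing table posted above and applies the selection rule Windows uses (longest prefix match first, lowest metric as tie-break) to show where a handful of destinations actually go with this table in place. It makes the symptom concrete: with `split-tunnel-policy tunnelspecified` and a list containing only 172.16.0.0/12, only destinations inside 172.16.0.0/12 cross the tunnel, Internet-bound traffic follows the local default gateway 172.22.60.254, and the local 172.22.60.0/24 LAN is still reached on-link because its /24 route is more specific than the tunnelled /12. The destinations 172.22.85.250 and 172.25.5.5 are the ASA inside address and RADIUS server from the posted config; 172.22.60.50 (a LAN host) and 203.0.113.10 (an Internet address from the documentation range) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# The client's "route print" output as posted in the question (copied here so the
# script runs stand-alone); the redacted "*OMITTED*" row is kept deliberately to
# show that the parser tolerates it.
ROUTE_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    172.22.60.254     172.22.60.12     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       172.16.0.0      255.240.0.0    172.17.47.130    172.17.47.129    100
    172.17.47.128  255.255.255.128         On-link     172.17.47.129    276
    172.17.47.129  255.255.255.255         On-link     172.17.47.129    276
    172.17.47.255  255.255.255.255         On-link     172.17.47.129    276
      172.22.60.0    255.255.255.0         On-link      172.22.60.12    276
     172.22.60.12  255.255.255.255         On-link      172.22.60.12    276
     172.22.60.12  255.255.255.255    172.17.47.130    172.17.47.129    276
    172.22.60.208  255.255.255.255         On-link      172.22.60.12    100
    172.22.60.255  255.255.255.255         On-link      172.22.60.12    276
    172.22.60.255  255.255.255.255    172.17.47.130    172.17.47.129    276
        *OMITTED*  255.255.255.255    172.22.60.254     172.22.60.12    100
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      172.22.60.12    276
        224.0.0.0        240.0.0.0         On-link     172.17.47.129    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      172.22.60.12    276
  255.255.255.255  255.255.255.255         On-link     172.17.47.129    276
"""

VPN_ADAPTER = "172.17.47.129"   # the client's tunnel adapter address, from the table


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str        # next hop, or "On-link" for a directly connected network
    interface: str      # address of the local interface the packet leaves from
    metric: int


def parse_route_table(text):
    """Turn Windows 'route print' rows into Route objects; header and redacted rows are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                        # title and header lines do not have five columns
        dest, mask, gateway, iface, metric = parts
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue                        # the "*OMITTED*" row is not a parsable address
        routes.append(Route(network, gateway, iface, int(metric)))
    return routes


def best_route(routes, dst):
    """Longest prefix wins; among equal prefixes the lowest metric wins.
    Rows that tie on both (the two 172.22.60.12/32 rows here) come back in table order."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if ip in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def via_tunnel(routes, dst):
    """True when the chosen route leaves through the VPN adapter."""
    r = best_route(routes, dst)
    return r is not None and r.interface == VPN_ADAPTER


def explain(routes, dst):
    r = best_route(routes, dst)
    where = "VPN tunnel" if via_tunnel(routes, dst) else "local network / default gateway"
    return f"{dst:>15} -> {str(r.network):<18} gw {r.gateway:<14} ({where})"


ROUTES = parse_route_table(ROUTE_TABLE)

if __name__ == "__main__":
    # 172.22.85.250 and 172.25.5.5 come from the posted ASA config; 172.22.60.50 is a
    # made-up host on the client's LAN; 203.0.113.10 is a made-up Internet address.
    for dst in ("172.22.60.50", "172.22.85.250", "172.25.5.5", "203.0.113.10"):
        print(explain(ROUTES, dst))
```

Running it prints that 172.22.60.50 goes on-link, 172.22.85.250 and 172.25.5.5 go via 172.17.47.130 through the tunnel, and 203.0.113.10 goes to 172.22.60.254 outside the tunnel, which is the opposite of the "everything except the local LAN" split the question asks for. The two 172.22.60.12/32 and 172.22.60.255/32 rows that point into the tunnel with the same metric as their on-link twins appear because the client's own LAN address sits inside the tunnelled 172.16.0.0/12 range; the script resolves that tie by table order, but on a real host it is exactly the kind of ambiguity that a local-LAN exclusion list removes.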

1 Reply

Richard Burts (Hall of Fame)

Andrew

You give us the config, you explain in general what you want to achieve, and you tell us that it does not quite do what you want. But you do not give us any specifics about what it is doing, and what it is not doing that you want it to do. That makes it difficult to give you good suggestions about what might be the problem.

As a point of reference when I needed to allow local LAN access I configured something like this:

access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access standard permit host 0.0.0.0

and under the group policy attributes

 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access

You might try something like that and see if it works better for you.

HTH

Rick
