2624 Views, 0 Helpful, 4 Replies

vpn and split-tunnel-network-list value

elite2010
Level 3

Hi,

I have the following settings for a VPN tunnel:

group-policy Gpo_VPN internal
group-policy Gpo_VPN attributes
 wins-server none
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-ACL

nat (Inside,any) source static 192.168.1.10 192.168.1.10 destination static VPN-A VPN-A
nat (Inside,any) source static 192.168.1.50 192.168.1.50 destination static VPN-A VPN-A
nat (Inside,any) source static 192.168.1.20 192.168.1.20 destination static VPN-A VPN-A

access-list VPN-ACL extended permit ip host 192.168.1.50 object VPN-A
access-list VPN-ACL extended permit ip host 192.168.1.20 object VPN-A

The issue: even though I have not permitted 1.10 in the ACL, I still get a reply once connected to the VPN.

Thank you

4 Replies

rvarelac
Level 7

Hi 

Hi,

As per the access list, I should have access only to the network 192.168.100.0.

But I got access to another server (192.168.101.10), which is in another network.

I made sure users connected using the right policy.

Then I changed the address pool value of group policy GP-NOACCESS as below:
address-pools value VPN_POOL (before it was inheriting)

After changing the address pool value, I lost access to the server 192.168.110.10.
But the VPN client still shows a route to the server 192.168.110.10:

C:\> route print

network destination    netmask            gateway          interface
192.168.100.0          255.255.255.0      172.16.100.12    172.16.100.11
192.168.110.10         255.255.255.255    172.16.100.12    172.16.100.11


Why does it still show in the route table of the client?

What happens when the address pool value is changed?

I followed the below doc from Cisco:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html

Configurations are below:

ip local pool VPN_POOL 172.16.100.10-172.16.1.254 mask 255.255.255.0
access-list VPNAcl standard permit 192.168.100.0 255.255.255.0
nat (Inside,Outside) source static SERVERS SERVERS destination static N_OBJ_172.16.100.10_24 N_OBJ_172.16.100.10_24 no-proxy-arp route-lookup


aaa-server ldapgroup protocol ldap
aaa-server ldapgroup (Inside) host DOMAIN-IP
 ldap-base-dn DC=company,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=vpnconnect,OU=MYOU,DC=company,DC=local
 server-type microsoft
 ldap-attribute-map MAPUSER


Created the NOACCESS group policy
-----------------------------------------------------------------

group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 banner value test
 dns-server value x.x.x.x
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
 default-domain value
 address-pools value VPN_POOL

Created a tunnel group and set the default group policy to GP-NOACCESS
-----------------------------------------------------------

tunnel-group VPNTG type remote-access
tunnel-group VPNTG general-attributes
 address-pool VPN_POOL
 authentication-server-group ldapgroup
 default-group-policy GP-NOACCESS
tunnel-group VPNTG webvpn-attributes
 group-alias VPNTG enable

Then created another group policy

group-policy GP-ACCESS internal
group-policy GP-ACCESS attributes
 wins-server none
 dns-server value DOMAINIP
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-ACL
 default-domain value
 split-tunnel-all-dns disable

At last, mapped the LDAP attribute

ldap attribute-map MAPUSER
 map-name memberOf Group-Policy
 map-value memberOf "CN=FINANCE,OU=MYOU,DC=company,DC=local" GP

Thanks 

Is the entry 192.168.110.10 still present even with the VPN disconnected? Based on the mask, it looks like this might be a static entry created on the PC.

-Randy-
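The check Randy suggests (compare the client's route table with the VPN connected and disconnected to see which entries the headend pushed), plus a longest-prefix lookup that tells you which gateway a given destination actually uses, as an added Python example that is not part of this thread. The "route print" text is constructed from the two entries the poster reported; the default route and the disconnected baseline are assumed.

```python
import ipaddress

# Constructed "route print" text. The VPN-connected table carries the two
# entries the poster reported; the default route and the disconnected
# baseline are assumed for the comparison.
ROUTES_VPN_UP = """\
network destination netmask gateway interface
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.5
192.168.100.0 255.255.255.0 172.16.100.12 172.16.100.11
192.168.110.10 255.255.255.255 172.16.100.12 172.16.100.11
"""
ROUTES_VPN_DOWN = """\
network destination netmask gateway interface
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.5
"""


def parse_routes(text):
    """Turn the four-column route table into (network, gateway, interface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # header line or blank
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        except ValueError:
            continue  # not a destination/netmask pair
        routes.append((net, parts[2], parts[3]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the route entry the client would use for dst, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def goes_through_tunnel(routes, dst, tunnel_gateway):
    """True when traffic to dst is handed to the VPN adapter's gateway."""
    route = lookup(routes, dst)
    return route is not None and route[1] == tunnel_gateway


def routes_added_by_vpn(up_text, down_text):
    """Entries present only while connected: these were pushed by the headend."""
    baseline = {(str(r[0]), r[1]) for r in parse_routes(down_text)}
    return [str(r[0]) for r in parse_routes(up_text)
            if (str(r[0]), r[1]) not in baseline]
```

A /32 that appears only in the connected table came from the split-tunnel list on the headend, not from a static route on the PC.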

Hi,

The route is visible only when the VPN is connected.

Why does the gateway show 172.16.100.12?

Thank you