VPN client unable to access Internet via split tunneling.

sifurobbie
Level 1

I have split tunneling configured on a PIX 515. The remote VPN client connects to the PIX fine and can ping hosts on the internal LAN, but cannot access the Internet. Am I missing something? My config as per below.

Also, I don't see any secured routes on the VPN client via Statistics (screen shot below)

[screenshot: Capture.JPG]

Any advice is much appreciated.

Rob

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

PIX Version 8.0(3)

!

hostname PIX-A-250

enable password xxxxx encrypted

names

!

interface Ethernet0

nameif outside

security-level 0

ip address x.x.x.250 255.255.255.240

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.9.1 255.255.255.0

!

passwd xxxxx encrypted

ftp mode passive

dns domain-lookup outside

dns server-group Ext_DNS

name-server 194.72.6.57

name-server 194.73.82.242

object-group network LOCAL_LAN

network-object 192.168.9.0 255.255.255.0

network-object 192.168.88.0 255.255.255.0

object-group service Internet_Services tcp

port-object eq www

port-object eq domain

port-object eq https

port-object eq ftp

port-object eq 8080

port-object eq telnet

object-group network WAN_Network

network-object 192.168.200.0 255.255.255.0

access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain log

access-list ACLOUT extended permit icmp object-group LOCAL_LAN any log

access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services log

access-list ACLIN extended permit icmp any any echo-reply log

access-list ACLIN extended permit icmp any any unreachable log

access-list ACLIN extended permit icmp any any time-exceeded log

access-list split_tunnel_list remark Local LAN

access-list split_tunnel_list standard permit 192.168.9.0 255.255.255.0

access-list NONAT extended permit ip object-group LOCAL_LAN 192.168.100.0 255.255.255.0

pager lines 24

logging enable

mtu outside 1500

mtu inside 1500

ip local pool testvpn 192.168.100.1-192.168.100.99

no failover  

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

access-group ACLIN in interface outside

access-group ACLOUT in interface inside

route outside 0.0.0.0 0.0.0.0 195.171.252.45 1

route inside 192.168.88.0 255.255.255.0 192.168.88.254 1

route inside 192.168.199.0 255.255.255.0 192.168.199.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set Set_1 esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 10 set transform-set Set_1

crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 280000

crypto dynamic-map outside_dyn_map 10 set reverse-route

crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha    

group 2     

lifetime 43200

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha    

group 2     

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

group-policy testvpn internal

group-policy testvpn attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

username testuser password xxxxxx encrypted

tunnel-group testvpn type remote-access

tunnel-group testvpn general-attributes

address-pool testvpn

default-group-policy testvpn

tunnel-group testvpn ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:5dcb5dcdff277e1765a9a0c366b88b9e

: end

PIX-A-250#

28 Replies

You would need to configure the following:

1) On ASA:

route inside 192.168.88.0 255.255.255.0 192.168.9.2 1

2) On switch:

Remove:

ip route 192.168.88.0 255.255.255.0 192.168.9.1

3) Then from vpn client, try to ping 192.168.88.254

Hi Jennifer,

No change with the above lines.

Regards,

Rob

Hi Robert,

What's the status of VLAN interface 88 on the 3550 switch? Is it up/up? Can you ping its IP 192.168.88.254 from the PIX?

Can you paste the result of "tracert 192.168.88.254" from your PC when connected by VPN?

Hi Robert,

Based on your posted configs:

1. Change on PIX:

route inside 192.168.88.0 255.255.255.0 192.168.9.2 1  --> switch VLAN interface IP.

route inside 192.168.199.0 255.255.255.0 192.168.9.2 1  --> switch VLAN interface IP.

2.Switch:

ip route 0.0.0.0 0.0.0.0 192.168.9.1 : correct

ip route 192.168.88.0 255.255.255.0 192.168.9.1 :Remove. No need. It is pointing traffic back to PIX again.

ip route 192.168.100.0 255.255.255.0 192.168.9.1 : Correct

ip route 192.168.200.0 255.255.255.0 192.168.9.1 : Correct.

As all these Vlan are on the same switch, you do not need any routes.

make sure all the Vlan interfaces are up/up status.

Try it and let us know.

hth

MS

Hello MS,

I made the changes on the PIX and switch. I took out all the routes on the 3560 switch except ip route 0.0.0.0 0.0.0.0 192.168.9.1 and still not able to ping 192.168.88.254 or 88.3 when connected via the VPN client. I can confirm all the Vlans are up and up.

Many thanks for your help.

Regards,

Rob

Hi,

Vlan88 is up and up, and I can ping both 192.168.88.254 and 88.3 from the PIX fine. This is a tracert from the laptop when connected via VPN.

C:\>tracert 192.168.88.254

Tracing route to 192.168.88.254 over a maximum of 30 hops

  1     *        *        *     Request timed out.

  2     *        *        *     Request timed out.

  3     *        *        *     Request timed out.

  4     *        *        *     Request timed out.

  5     *        *        *     Request timed out.

  6     *        *        *     Request timed out.

  7     *        *        *     Request timed out.

  8     *        *        *     Request timed out.

  9     *        *        *     Request timed out.

10     *        *        *     Request timed out.

11     *        *        *     Request timed out.

12     *        *     ^C

Thanks,

Rob

Hi Rob,

How about a tracert to an internal host which you can ping? How is that tracert different?

Also paste "ipconfig /all" when you are connected via VPN.

Thanks,

Hi singhsaju,

I can't ping anything on the internal LAN from the VPN client.

The ipconfig /all from the VPN machine is below.

Regards,

Rob

C:\>ipconfig/all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PC-Micro-007

   Primary Dns Suffix  . . . . . . . : zarlink.com

   Node Type . . . . . . . . . . . . : Hybrid

   IP Routing Enabled. . . . . . . . : No

   WINS Proxy Enabled. . . . . . . . : No

   DNS Suffix Search List. . . . . . : zarlink.com

                                       gateway.2wire.net

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Cisco Systems VPN Adapter for 64-bit Windows

   Physical Address. . . . . . . . . : 00-05-9A-3C-78-00

   DHCP Enabled. . . . . . . . . . . : No

   Autoconfiguration Enabled . . . . : Yes

   Link-local IPv6 Address . . . . . : fe80::64cb:25b2:3b0e:2190%23(Preferred)

   IPv4 Address. . . . . . . . . . . : 192.168.100.1(Preferred)

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . :

   DHCPv6 IAID . . . . . . . . . . . : 587203994

   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-4F-F3-A6-D4-BE-D9-21-F9-93

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1

                                       fec0:0:0:ffff::2%1

                                       fec0:0:0:ffff::3%1

   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)

   Physical Address. . . . . . . . . : 9C-B7-0D-55-E9-A4

   DHCP Enabled. . . . . . . . . . . : Yes

   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : gateway.2wire.net

   Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205

   Physical Address. . . . . . . . . : 8C-70-5A-0F-C6-80

   DHCP Enabled. . . . . . . . . . . : Yes

   Autoconfiguration Enabled . . . . : Yes

   Link-local IPv6 Address . . . . . : fe80::95c4:f7ac:f0d2:fabc%13(Preferred)

   IPv4 Address. . . . . . . . . . . : 192.168.1.99(Preferred)

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Lease Obtained. . . . . . . . . . : 27 June 2012 14:38:28

   Lease Expires . . . . . . . . . . : 28 June 2012 14:38:27

   Default Gateway . . . . . . . . . : 192.168.1.254

   DHCP Server . . . . . . . . . . . : 192.168.1.254

   DHCPv6 IAID . . . . . . . . . . . : 344748122

   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-4F-F3-A6-D4-BE-D9-21-F9-93

   DNS Servers . . . . . . . . . . . : 192.168.1.254

   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{FAED1AAA-90D9-433B-ABDC-45B6B312C849}:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Microsoft ISATAP Adapter

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

   DHCP Enabled. . . . . . . . . . . : No

   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Microsoft 6to4 Adapter

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

   DHCP Enabled. . . . . . . . . . . : No

   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

   DHCP Enabled. . . . . . . . . . . : No

   Autoconfiguration Enabled . . . . : Yes

   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:102e:1f88:3f57:fe9c(Preferred)

   Link-local IPv6 Address . . . . . : fe80::102e:1f88:3f57:fe9c%12(Preferred)

   Default Gateway . . . . . . . . . : ::

   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.gateway.2wire.net:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . : gateway.2wire.net

   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

   DHCP Enabled. . . . . . . . . . . : No

   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{044050C7-0B86-4EE9-B6BD-3A711A635EA1}:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

   DHCP Enabled. . . . . . . . . . . : No

   Autoconfiguration Enabled . . . . : Yes

Could you please paste the latest config of the ASA/PIX VPN headend? It seems to be a routing issue.

Hi Singhsaju,

The PIX config as requested below. It's configured for site-2-site as well as VPN.

Many thanks,

Rob

hostname PIX-A-250

enable password u18pNfr9.K1XyMs encrypted

names

!

interface Ethernet0

speed 100

duplex full

nameif outside

security-level 0

ip address x.x.x.250 255.255.255.240

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.9.1 255.255.255.0

!

passwd 2KFQ;lko89*cR.YOU encrypted

ftp mode passive

dns domain-lookup outside

dns server-group EXT_DNS

name-server 194.72.6.57

name-server 194.73.82.242

object-group network LOCAL_LAN

network-object 192.168.9.0 255.255.255.0

network-object 192.168.88.0 255.255.255.0

network-object 192.168.100.0 255.255.255.0

object-group service Internet_Services tcp

port-object eq www

port-object eq domain

port-object eq https

port-object eq ftp

port-object eq 8080

port-object eq telnet

object-group network WAN_Network

network-object 192.168.200.0 255.255.255.0

access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain log

access-list ACLOUT extended permit icmp object-group LOCAL_LAN any log

access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services log

access-list ACLIN extended permit icmp any any echo-reply log

access-list ACLIN extended permit icmp any any unreachable log

access-list ACLIN extended permit icmp any any time-exceeded log

access-list inside_nat0_outbound extended permit ip 192.168.9.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip object-group LOCAL_LAN object-group WAN_Network

access-list outside_cryptomap_20 extended permit ip 192.168.9.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list outside_cryptomap_20 extended permit ip object-group LOCAL_LAN object-group WAN_Network

access-list split_tunnel_list remark Local LAN

access-list split_tunnel_list standard permit 192.168.9.0 255.255.255.0

access-list split_tunnel_list standard permit 192.168.88.0 255.255.255.0

access-list split_tunnel_list standard permit 192.168.200.0 255.255.255.0

access-list NONAT extended permit ip object-group LOCAL_LAN 192.168.100.0 255.255.255.0

pager lines 24

logging enable

mtu outside 1500

mtu inside 1500

ip local pool testvpn 192.168.100.1-192.168.100.99

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/pdm

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

access-group ACLIN in interface outside

access-group ACLOUT in interface inside

route outside 0.0.0.0 0.0.0.0 195.171.252.45 1

route inside 192.168.88.0 255.255.255.0 192.168.9.2 1

route inside 192.168.199.0 255.255.255.0 192.168.9.2 1

route outside 192.168.200.0 255.255.255.0 192.168.9.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set Set_1 esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 10 set transform-set Set_1

crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 280000

crypto dynamic-map outside_dyn_map 10 set reverse-route

crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer x.x.x.253

crypto map outside_map 20 set transform-set ESP-AES-256-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

group-policy testvpn internal

group-policy testvpn attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel_list

username tester password j9078hjkgF90P encrypted

tunnel-group x.x.x.253 type ipsec-l2l

tunnel-group x.x.x.253 ipsec-attributes

pre-shared-key *

tunnel-group testvpn type remote-access

tunnel-group testvpn general-attributes

address-pool testvpn

default-group-policy testvpn

tunnel-group testvpn ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:e21fdd69da06ff27300190f22999610e

: end

You've changed your NAT exemption from the original config, that's why it's not working.

Please add the following ACL:

access-list inside_nat0_outbound extended permit ip 192.168.88.0 255.255.255.0 192.168.100.0 255.255.255.0
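The diagnosis in this reply, and the earlier symptom of "no secured routes", both come down to two things a config linter can check mechanically: a group-policy that says `split-tunnel-policy tunnelspecified` but attaches no `split-tunnel-network-list` (the first config Rob posted), and split-tunnel subnets with no `nat 0` exemption toward the VPN pool (the second config, where `NONAT` was moved from `nat (inside) 0` to `nat (inside) 2`, which is policy NAT, not an exemption). The script below is an added example and not code from any post in this thread; it is stdlib-only Python that reads a config dump as text and reports both faults. `CONFIG_SECOND` is an excerpt of the second posted config limited to the lines the checks read, and `FIX` is the line Jennifer asked Rob to add. Run on the config as posted it flags all three split-tunnel subnets: 192.168.88.0/24 (the one the fix covers), 192.168.9.0/24 (which had an exemption via `NONAT` in the first config but not in `inside_nat0_outbound`), and 192.168.200.0/24 (the site-to-site peer's network, reached by hairpinning on the outside interface, which this check does not model).

```python
"""Added example: lint a PIX/ASA 8.x config for two split-tunnel faults: a group-policy
set to 'tunnelspecified' with no network list, and split-tunnel subnets lacking a
nat 0 exemption toward the VPN address pool. Stdlib only; config is read from a string."""
from ipaddress import IPv4Address, IPv4Network as Net


def _addr(tokens, groups):
    """Consume one ACL address spec (any | object-group G | A M); return (nets, rest)."""
    if tokens[0] == "any":
        return [Net("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "object-group":
        return list(groups.get(tokens[1], [])), tokens[2:]
    return [Net(f"{tokens[0]}/{tokens[1]}")], tokens[2:]


def parse_config(text):
    """Extract network object-groups, 'permit ip' ACLs, standard ACLs, the ACL names
    referenced by 'nat (ifc) 0', address pools and group-policy split-tunnel settings."""
    cfg = {"groups": {}, "acls": {}, "std": {}, "nat0": set(), "pools": {}, "pol": {}}
    group = policy = None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["object-group", "network"]:
            cfg["groups"][t[2]] = group = []
            continue
        if t[0] == "network-object" and group is not None:
            group.append(Net(f"{t[1]}/{t[2]}"))
            continue
        group = None  # any other command ends the object-group block
        if t[0] == "access-list" and t[2:4] == ["standard", "permit"]:
            cfg["std"].setdefault(t[1], []).append(Net(f"{t[4]}/{t[5]}"))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _addr(t[5:], cfg["groups"])
            dst, _ = _addr(rest, cfg["groups"])
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"].add(t[4])  # only NAT id 0 exempts; 'nat (inside) 2 ...' is policy NAT
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (IPv4Address(lo), IPv4Address(hi))
        elif t[0] == "group-policy" and t[-1] == "attributes":
            cfg["pol"][t[1]] = policy = {}
        elif policy is not None and t[0] == "split-tunnel-policy":
            policy["mode"] = t[1]
        elif policy is not None and t[0] == "split-tunnel-network-list":
            policy["list"] = t[2]
        elif t[0] in ("username", "tunnel-group", "crypto"):
            policy = None
    return cfg


def _exempt(subnet, cfg):
    """True if some nat 0 ACL entry covers subnet -> every configured address pool."""
    pools = cfg["pools"].values()
    return any(
        any(subnet.subnet_of(s) for s in srcs)
        and all(any(lo in d and hi in d for d in dsts) for lo, hi in pools)
        for acl in cfg["nat0"] for srcs, dsts in cfg["acls"].get(acl, [])
    )


def check_split_tunnel(cfg):
    """Return {'no_list': [policy names], 'missing_nat0': {policy: [subnets]}}."""
    out = {"no_list": [], "missing_nat0": {}}
    for name, p in cfg["pol"].items():
        if p.get("mode") != "tunnelspecified":
            continue
        if "list" not in p:  # tunnelspecified with nothing to push to the client
            out["no_list"].append(name)
            continue
        bad = [s for s in sorted(cfg["std"].get(p["list"], [])) if not _exempt(s, cfg)]
        if bad:
            out["missing_nat0"][name] = [str(s) for s in bad]
    return out


# Excerpt of the second config posted in the thread (only lines these checks read).
CONFIG_SECOND = """\
object-group network LOCAL_LAN
network-object 192.168.9.0 255.255.255.0
network-object 192.168.88.0 255.255.255.0
object-group network WAN_Network
network-object 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.9.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group LOCAL_LAN object-group WAN_Network
access-list split_tunnel_list standard permit 192.168.9.0 255.255.255.0
access-list split_tunnel_list standard permit 192.168.88.0 255.255.255.0
access-list split_tunnel_list standard permit 192.168.200.0 255.255.255.0
access-list NONAT extended permit ip object-group LOCAL_LAN 192.168.100.0 255.255.255.0
ip local pool testvpn 192.168.100.1-192.168.100.99
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list NONAT
group-policy testvpn attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
"""
# The line Jennifer had Rob add.
FIX = "access-list inside_nat0_outbound extended permit ip 192.168.88.0 255.255.255.0 192.168.100.0 255.255.255.0\n"
# The first posted config's fault, reproduced by dropping the network-list line.
CONFIG_NO_LIST = CONFIG_SECOND.replace("split-tunnel-network-list value split_tunnel_list\n", "")
```

Usage: `check_split_tunnel(parse_config(CONFIG_SECOND))` returns the three unexempted subnets under `missing_nat0`; appending `FIX` removes 192.168.88.0/24 from that list, and `CONFIG_NO_LIST` reports `testvpn` under `no_list`. The parser deliberately handles only the subset of config syntax that these two checks need (standard ACLs, `permit ip` extended ACLs with network object-groups, `nat 0`, local pools and group-policy split-tunnel attributes); anything else is skipped rather than guessed at.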

Hi Jennifer,

After adding the ACL it worked. Now the VPN client can ping the internal LAN. Many thanks for your time and effort helping with this issue.

Many thanks to Singhsaju and mvsheik123 for your input too. Just want to say what a great forum this is.

Best Regards,

Rob

Robert- Thanks for the update and glad to hear that.

Jennifer- good catch on ACL .

Thx

MS

Hi Robert,

Glad to know it's working now.

thanks