12-03-2010 02:34 PM
I'm trying to set up a 5505 to allow split tunneling. The client connects, encrypts traffic, and I can access the remote LAN PCs. However, I have no internet access on the local machine. Please see config below and thanks!
ASA Version 7.2(4)
!
hostname
domain-name
enable password encrypted
passwd encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server x.x.x.x
name-server x.x.x.x
domain-name x.x.x.x
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list signspix_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.96 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.0.96 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.96 255.255.255.224
access-list Local_LAN_Access standard permit host 192.168.100.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 192.168.0.100-192.168.0.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns x.x.x.x
dhcpd auto_config outside
dhcpd option 3 ip 192.168.0.1
!
dhcpd address 192.168.0.10-192.168.0.41 inside
dhcpd enable inside
!
group-policy signspix internal
group-policy signspix attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value signspix_splitTunnelAcl
username x.x.x.x password x.x.x.x encrypted privilege 0
username x.x.x.x attributes
vpn-group-policy DfltGrpPolicy
username @dmin! password x.x.x.x encrypted privilege 15
username x.x.x.x password x.x.x.x encrypted privilege 0
username x.x.x.x attributes
vpn-group-policy DfltGrpPolicy
username x.x.x.x password x.x.x.x encrypted privilege 0
username x.x.x.x attributes
vpn-group-policy DfltGrpPolicy
tunnel-group signspix type ipsec-ra
tunnel-group signspix general-attributes
address-pool vpnpool
default-group-policy signspix
tunnel-group signspix ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
asdm image disk0:/asdm-524.bin
asdm location 0.0.0.0 255.255.255.255 inside
no asdm history enable
12-03-2010 02:41 PM
Firstly, the VPN pool subnet needs to be in a different subnet (unique subnet) than the internal network.
Then you would need to configure the NAT exemption accordingly with the new ip pool subnet:
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0
Then "clear xlate" after the changes, and reconnect to your VPN client. It should work after the above changes.
Hope that helps, and let us know how it goes.
12-03-2010 02:42 PM
I'll try it this evening. Thanks for the quick recommendation !
12-03-2010 06:48 PM
Have you de-selected "Use default gateway on remote network"? If not, then that would prevent access outside the tunnel. What I learned to do is this:
1.) Each user has an assigned IP address to their account (assuming the VPN accounts are local). Each host address is an increment of 5. I.e. I start with 192.168.101.1, 192.168.100.5, 192.168.100.10, etc..
2.) Then on the client the "Use default gateway on remote network" is de-selected.
3.) Finally on each client I do a route add using their assigned IP. So for user Joe Schmoe with an assigned IP of 192.168.100.25, I do this route: "route -p add 10.10.1.0 MASK 255.255.255.0 192.168.100.25 metric 2"
Edit: Forgot to add in case you do not notice, but the command "route add" with the switch "-p" makes it persistent. Alternatively you can run a script that would take whatever IP address has been assigned and automatically add a non-persistent route using that given IP for the remote network.
12-18-2010 07:24 AM
Sorry for the delay in attempting this solution. I tried adding the lines below and I am still having the same issue. I can access the remote LAN, but I do not have internet access on the client.
ip local pool vpnpool 192.168.100.100-192.168.100.120 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
12-18-2010 08:47 AM
Never mind, the above two lines worked like a charm. I forgot to apply the policy to individual users.
Thanks for your help!!!
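As an added check that is not part of the thread or any Cisco tooling, this Python snippet parses the handful of ASA config lines that matter here and reports the three causes this thread ran into: a VPN pool overlapping the inside LAN (first reply), a nat 0 exemption that does not cover LAN-to-pool traffic (first reply), and users whose own vpn-group-policy overrides the tunnel-group's split-tunnel policy (the final fix). The sample config is constructed from the original post; the username "alice" is a placeholder.

```python
import ipaddress
import re

# Constructed sample reproducing the thread's pre-fix state: VPN pool carved out of the inside LAN, user pinned to DfltGrpPolicy.
BROKEN = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.96 255.255.255.224
ip local pool vpnpool 192.168.0.100-192.168.0.120 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
username alice attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group signspix general-attributes
 default-group-policy signspix
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_split_tunnel(config):
    findings, nameif, inside, pool, nat0_acl, user, users, default_gp = [], None, None, None, None, None, [], None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif == "inside":
            inside = net(t[2], t[3])
        elif t[:3] == ["ip", "local", "pool"]:
            pool = tuple(ipaddress.ip_address(a) for a in t[4].split("-"))
        elif t[0] == "nat" and t[2] == "0":          # nat (inside) 0 access-list NAME
            nat0_acl = t[4]
        elif t[0] == "username" and t[-1] == "attributes":
            user = t[1]
        elif t[0] == "vpn-group-policy" and user:
            users.append((user, t[1]))
        elif t[0] == "default-group-policy":
            default_gp = t[1]
    if not (inside and pool):
        return ["inside interface address or ip local pool not found"]
    # 1. The pool must be its own subnet, not addresses taken from the inside LAN.
    if any(ip in inside for ip in pool):
        findings.append(f"pool {pool[0]}-{pool[1]} overlaps inside {inside}")
    # 2. The nat 0 ACL must exempt inside LAN -> every pool address from NAT.
    exempt = re.findall(rf"access-list {nat0_acl} extended permit ip (\S+) (\S+) (\S+) (\S+)", config)
    if not any(inside.subnet_of(net(s, sm)) and all(ip in net(d, dm) for ip in pool) for s, sm, d, dm in exempt):
        findings.append(f"no nat 0 exemption covering {inside} -> pool")
    # 3. A per-user vpn-group-policy overrides the tunnel-group default, so that user never gets the split list.
    for name, gp in users:
        if gp != default_gp:
            findings.append(f"user {name} bound to {gp}, not {default_gp}")
    return findings
```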