
VPN Split-Tunneling not working

Lemon Lime
Level 1

Hello,

First off - thanks to all who post here.  I often browse the forums and search for help on here and it's very useful, so a great pat on the back for everyone who contributes.  My first time posting so here goes.....

I have my ASA 5505 v8.2 configured to allow AnyConnect. This is working.  Client can connect and access the remote systems through VPN.  What is causing me a massive headache is that the client loses internet connectivity.  I have played around with my config somewhat so what I am about to post I know for certain is incorrect but any help is greatly appreciated.

Notes

1.  The Router was set up for a standard site-to-site VPN which is no longer functional but as you can see all the settings are still in the router.

2.  The router also has a DMZ setup to allow some clients access to the internet through it using the DMZ

CONFIGURATION:

ASA Version 8.2(5)
!
hostname MYHOST
enable password mUUvr2NINofYuSh2 encrypted
passwd UNDrnIuGV0tAPtz2 encrypted
names
name x.x.x.x AIME-SD
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.101.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.0.0
!
interface Vlan7
 no forward interface Vlan1
 nameif DMZ
 security-level 20
 ip address 137.57.183.1 255.255.255.0
!
ftp mode passive
clock timezone MST -7
object-group network obj_any_dmz
access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.255.0
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 access-list nonat
nat (DMZ) 10 137.57.183.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 64000
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set batus esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map batus 100 match address 10
crypto map batus 100 set peer AIME-SD
crypto map batus 100 set transform-set batus
crypto map batus interface outside
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 subject-name CN=MYHOST
 keypair ClientX_cert
 crl configure
crypto ca certificate chain ASDM_TrustPoint1
 certificate 0f817951
    308201e7 30820150 a0030201 0202040f 81795130 0d06092a 864886f7 0d010105
    05003038 31173015 06035504 03130e41 494d452d 56504e2d 42415455 53311d30
    1b06092a 864886f7 0d010902 160e4149 4d452d56 504e2d42 41545553 301e170d
    31333036 32373137 32393335 5a170d32 33303632 35313732 3933355a 30383117
    30150603 55040313 0e41494d 452d5650 4e2d4241 54555331 1d301b06 092a8648
    86f70d01 0902160e 41494d45 2d56504e 2d424154 55533081 9f300d06 092a8648
    86f70d01 01010500 03818d00 30818902 818100c9 ff840bf4 cfb8d394 2c940430
    1887f25a 49038aa0 1299cf10 bda2a436 227dcdbf f1c5566b c35c2f19 8b3514d3
    4e24f5b1 c8840e8c 60e2b39d bdc0082f 08cce525 97ffefba d42bb087 81b9adb9
    db0a8b2f b643e651 d17cd6f8 f67297f2 d785ef46 c3acbb39 615e1ef1 23db072c
    783fe112 acd6dc80 dc38e94b 6e56fe94 d59d5d02 03010001 300d0609 2a864886
    f70d0101 05050003 8181007e 29e90ea0 e337976e 9006bc02 402fd58a a1d30fe8
    b2c1ab49 a1828ee0 488d1d2f 1dc5d150 3ed85f09 54f099b2 064cd622 dc3d3821
    fca46c69 62231fd2 6e396cd1 7ef586f9 f41205af c2199174 3c5ee887 42b684c9
    7f4d2045 4742adb5 d70c3805 4ad13191 8d802bbc b2bcd8c7 8eec111b 761d89f3
    63ebd49d 30dd06f4 e0fa25
  quit
crypto isakmp enable outside
crypto isakmp policy 40
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 DMZ
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint1 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
group-policy ClientX_access internal
group-policy ClientX_access attributes
 vpn-tunnel-protocol svc
 split-tunnel-network-list value split-tunneling
 default-domain value access.local
 address-pools value Internal_Range
 ipv6-address-pools none
 webvpn
  svc mtu 1406
  svc rekey time none
  svc rekey method ssl
username ClientX password ykAxQ227nzontdIh encrypted privilege 15
username ClientX attributes
 vpn-group-policy ClientX_access
 service-type admin
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
tunnel-group ClientX type remote-access
tunnel-group ClientX general-attributes
 address-pool Internal_Range
 default-group-policy ClientX_access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy ClientX_access
tunnel-group ClientX_access type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e7d92a387d1c5f07e14b3c894d159ec1
: end

-----------------------

Thank you for any help!!


8 Replies

rkumar5
Level 1

Hi Simon,

Please send the output of the following when you are connected to AnyConnect:

show vpn-sessiondb svc

This would confirm for us which group-policy is selected.

Regards

Raj Kumar

In your group-policy you specified the ACL that should be used for Split-Tunneling, but you forgot to change the policy, so the ASA still uses tunnel-all. Here is what you need:

group-policy ClientX_access attributes
  split-tunnel-network-list value split-tunneling
  split-tunnel-policy tunnelspecified

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Karsten!

That fixed my internet access problem.  Yippee!

Unfortunately it seems to have broken my access to the internal network.  Boo!

I can no longer access/ping anything on the internal IP range (192.168.101.x). 

I assume this is a nat issue somewhere along the line.  Posting the top half of my config for any assistance and the info requested by Raj (although VPN is connecting fine).  Thank you both for your very prompt replies!!!

Short Config

object-group network obj_any_dmz
access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.255.0
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 access-list nonat
nat (DMZ) 10 137.57.183.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 207.229.2.129 1
route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

Show vpn-sessiondb svc

Session Type: SVC

Username     : ClientX                 Index        : 9
Assigned IP  : 192.168.101.125        Public IP    : x.x.x.x
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : SSL VPN
Encryption   : RC4 AES128             Hashing      : MD5 SHA1
Bytes Tx     : 11662                  Bytes Rx     : 62930
Group Policy : ClientX_access          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 22:40:56 MST Mon Jul 1 2013
Duration     : 0h:11m:08s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Well, your NAT config is really strange. It doesn't look like it could work at all. But for VPN you need NAT exemption. For that you have to extend the ACL that is used for this function:

access-list no_nat extended permit ip 192.168.101.0 255.255.255.0 192.168.101.0 255.255.255.0

If your VPN pool had been aligned on a subnet border, the ACL could have been specified more exactly. But this exempts the VPN traffic from NAT.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
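The two fixes in this thread (setting split-tunnel-policy tunnelspecified in the group-policy, and extending the nat 0 ACL so the VPN pool is exempt from NAT) are easy to miss by eye in a long running-config. The Python script below is an added example written for this page, not code from the thread or from Cisco. It parses a small constructed ASA 8.2-style excerpt modelled on the original post (the public IP replaced by a documentation address and everything unrelated left out), flags a group-policy that names a split-tunnel list but leaves split-tunnel-policy at its tunnelall default, and flags any pool address that the inside interface's nat 0 ACL does not permit as a destination. The parser only handles the statement forms used here (standard and extended ACLs with any, host and net/mask operands, ip local pool, nat 0 access-list, and group-policy attributes); the group-policy name and interface name are taken from the thread.

```python
"""Audit an ASA 8.2-style config for the two AnyConnect problems discussed in
this thread: a split-tunnel ACL referenced but never activated (split-tunnel-policy
left at its tunnelall default) and a VPN pool the nat 0 ACL does not exempt."""
import ipaddress

# Constructed excerpt modelled on the original post (public IP replaced by a
# documentation address); not a complete device config.
BEFORE = """\
access-list no_nat extended permit ip host 203.0.113.10 192.168.25.0 255.255.255.0
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
nat (inside) 0 access-list no_nat
group-policy ClientX_access attributes
 vpn-tunnel-protocol svc
 split-tunnel-network-list value split-tunneling
 address-pools value Internal_Range
"""

# The same excerpt with both fixes from the thread entered afterwards, as typed at the CLI.
AFTER = BEFORE + """\
access-list no_nat extended permit ip 192.168.101.0 255.255.255.0 192.168.101.0 255.255.255.0
group-policy ClientX_access attributes
 split-tunnel-policy tunnelspecified
"""

def _operand(tokens):
    """Consume one ACE address operand: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    """Collect ACLs, address pools, nat 0 bindings and group-policy attributes."""
    cfg = {"acls": {}, "pools": {}, "nat_exempt": {}, "group_policies": {}}
    gp = None  # attribute dict of the group-policy block currently being read
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if gp is not None and raw.startswith(" "):
            # "<attr> value <x>" or "<attr> <x>" inside a group-policy block
            gp[t[0]] = t[2] if len(t) >= 3 and t[1] == "value" else " ".join(t[1:])
            continue
        gp = None
        if t[0] == "access-list":
            name, kind, rest = t[1], t[2], t[3:]
            if kind == "standard":                  # permit NET MASK
                dst, _ = _operand(rest[1:])
                cfg["acls"].setdefault(name, []).append((rest[0], None, dst))
            elif kind == "extended":                # permit PROTO SRC DST
                src, remainder = _operand(rest[2:])
                dst, _ = _operand(remainder)
                cfg["acls"].setdefault(name, []).append((rest[0], src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            start, end = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat_exempt"][t[1].strip("()")] = t[4]
        elif t[0] == "group-policy" and t[2] == "attributes":
            gp = cfg["group_policies"].setdefault(t[1], {})
    return cfg

def check_split_tunnel(cfg, gp_name):
    """The network list only takes effect once split-tunnel-policy is changed
    from the ASA default of tunnelall."""
    gp = cfg["group_policies"].get(gp_name, {})
    acl = gp.get("split-tunnel-network-list")
    if acl and gp.get("split-tunnel-policy", "tunnelall") == "tunnelall":
        return [f"{gp_name}: split-tunnel-network-list '{acl}' is set but "
                "split-tunnel-policy is still tunnelall, so all traffic "
                "(internet included) goes through the tunnel"]
    return []

def check_nat_exemption(cfg, gp_name, inside_if="inside"):
    """Every pool address must be a permitted destination in the inside
    interface's nat 0 ACL; otherwise inside->VPN traffic is translated."""
    gp = cfg["group_policies"].get(gp_name, {})
    pool = cfg["pools"].get(gp.get("address-pools"))
    if pool is None:
        return [f"{gp_name}: address pool '{gp.get('address-pools')}' not found"]
    acl_name = cfg["nat_exempt"].get(inside_if)
    aces = cfg["acls"].get(acl_name, [])
    # walk every address: the pool in this thread is not subnet-aligned
    uncovered = [str(ipaddress.IPv4Address(i))
                 for i in range(int(pool[0]), int(pool[1]) + 1)
                 if not any(act == "permit" and dst is not None
                            and ipaddress.IPv4Address(i) in dst for act, _, dst in aces)]
    if uncovered:
        return [f"{gp_name}: pool addresses {uncovered[0]}..{uncovered[-1]} are not "
                f"exempted from NAT on '{inside_if}' (nat 0 ACL: {acl_name})"]
    return []

def audit(text, gp_name):
    """Run both checks; an empty list means the group-policy passes."""
    cfg = parse_config(text)
    return check_split_tunnel(cfg, gp_name) + check_nat_exemption(cfg, gp_name)
```

Calling audit(BEFORE, "ClientX_access") returns two findings (the tunnelall one and the NAT one); audit(AFTER, "ClientX_access") returns an empty list. The NAT check walks every pool address rather than comparing subnets because the pool here (.125 to .130) is not subnet-aligned, which is exactly why the exemption ACE in Karsten's reply has to name the whole /24.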

I have made Karsten's initial response as the correct answer, as this did fix the tunnel issue.

Many thanks for your assistance.


Thanks for that. But more important: Is it working now as expected?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Sadly no.

This is frustrating to say the least.  I have made some changes to my configuration as I realized I should not be using the same IP range as my internal network for my VPN clients.

I made a new discussion here:

https://supportforums.cisco.com/thread/2226279?tstart=0

I had the same trouble here in my environment.

Have you tried using LDAP attributes?