12-03-2009 05:06 AM
I am working on creating a split tunnel to work with a test VPN group profile. We have an external proxy service that slows users down when they are VPN'd in, because their web traffic then goes through us. My goal is to configure only private IPs to come through the tunnel; any requests to public IPs should go straight out the user's internet connection and not the VPN.
I have created an ACL on the firewall that includes all of the standard private 192, 172, and 10 scope IPs, and I set the VPN group profile to only tunnel based on those IP addresses.
However, when I perform this testing with the Cisco AnyConnect SSL VPN client and I look at the routing tab, it still shows 0.0.0.0 0.0.0.0 going through the VPN tunnel and isn't splitting the traffic. I have not tested this on the original Cisco VPN client yet.
The configuration guides that I have looked at seem to show I am setting it up correctly, but am I missing anything?
Thanks
Accepted Solutions
12-04-2009 05:56 AM
Try swapping the source and destination in that ACL, then reconnect via client VPN and see if that makes a difference. You might also try specifying the local pool network used for the client VPN instead of 'any'.
12-03-2009 05:04 PM
Is there any chance you can post your ACLs, tunnel groups and group policies here?
Thanks,
James
12-04-2009 05:20 AM
Sure, here is my test group configuration:
object-group network DM_INLINE_NETWORK_1
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
group-policy TESTVPN internal
group-policy TESTVPN attributes
 wins-server value 172.16.9.221 172.16.9.222
 dns-server value 172.16.9.221 172.16.9.222
 vpn-idle-timeout 600
 vpn-session-timeout 600
 vpn-tunnel-protocol IPSec svc webvpn
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TESTVPN
 secure-unit-authentication disable
 user-authentication disable
 nem enable
tunnel-group TESTVPN type remote-access
tunnel-group TESTVPN general-attributes
 address-pool VPN_Pool
 authentication-server-group VPN_Users
 default-group-policy TESTVPN
 dhcp-server 10.0.0.1
tunnel-group TESTVPN webvpn-attributes
 group-alias TestVPN enable
tunnel-group TESTVPN ipsec-attributes
 pre-shared-key *
12-04-2009 05:30 AM
Do you have an access list named 'TESTVPN', and does it only include the networks you want traversing through the tunnel?
- James
12-04-2009 05:34 AM
Oops, I apologize that I missed that part. The ACL created looks like:
access-list TESTVPN extended permit ip any object-group DM_INLINE_NETWORK_1
Which points to this:
object-group network DM_INLINE_NETWORK_1
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
I did this via ASDM.
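As an added illustration (not part of the original thread or of any Cisco tool): a small Python model of how the ASA derives the client's split-tunnel routes from the ACL posted above. For an extended ACL the ASA uses the source field of each permit ACE as the network behind the firewall, which is why `permit ip any object-group ...` pushes a single 0.0.0.0/0 route while the swapped form from the accepted solution pushes only the three private prefixes. The parser is a minimal one written for this example and handles only the `any`, `object-group` and `address mask` address forms.

```python
import ipaddress

# Constructed sample: the object-group and ACL posted in this thread.
ORIGINAL_CFG = """\
object-group network DM_INLINE_NETWORK_1
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list TESTVPN extended permit ip any object-group DM_INLINE_NETWORK_1
"""
# The same ACE with source and destination swapped, as the accepted answer suggests.
SWAPPED_CFG = ORIGINAL_CFG.replace("permit ip any object-group DM_INLINE_NETWORK_1",
                                   "permit ip object-group DM_INLINE_NETWORK_1 any")


def parse_object_groups(cfg):
    """Map each 'object-group network' name to its list of ip_network members."""
    groups, current = {}, None
    for tok in (line.split() for line in cfg.splitlines()):
        if tok[:2] == ["object-group", "network"]:
            current = tok[2]
            groups[current] = []
        elif tok[:1] == ["network-object"] and current is not None:
            groups[current].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        else:
            current = None  # any other line closes the group
    return groups


def parse_address(tok, groups):
    """Parse one ACE address field: 'any', 'object-group G' or 'A.B.C.D MASK'."""
    if tok[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if tok[0] == "object-group":
        return list(groups[tok[1]])
    return [ipaddress.ip_network(f"{tok[0]}/{tok[1]}")]


def split_tunnel_routes(cfg, acl_name):
    """Prefixes the ASA pushes to the client for 'split-tunnel-network-list value <acl_name>'.
    For an extended ACL the ASA takes the SOURCE of each permit ACE as the network behind
    the firewall (the destination is the client side), so a source of 'any' becomes a
    0.0.0.0/0 route and nothing is excluded from the tunnel."""
    groups = parse_object_groups(cfg)
    routes = set()
    for tok in (line.split() for line in cfg.splitlines()):
        if tok[:2] != ["access-list", acl_name] or "permit" not in tok:
            continue
        src = tok[tok.index("permit") + 2:]  # skip the protocol token ('ip')
        routes.update(str(n) for n in parse_address(src, groups))
    return sorted(routes)
```

Running `split_tunnel_routes` on the posted ACL returns `['0.0.0.0/0']`, matching the routing tab the original poster saw; on the swapped ACL it returns the three RFC 1918 prefixes.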
12-04-2009 06:06 AM
Great tips, I will try those suggestions later this afternoon.
Thanks!
