ASA 5505 Split Tunneling Configured But Still Tunneling All Traffic

Guest

ASA 5505 Split Tunneling Configured But Still Tunneling All Traffic

Post by Guest » Fri Dec 31, 2010 8:40 am

Hello, I have set up an ASA 5505 running 8.3.2 and the Cisco AnyConnect Client 2.5.2017. There is the DefaultRAGroup and a newly configured group called SplitTunnelNets. I have 1 internal subnet 192.168.223.0/24 that has a corresponding ACL/ACE configured on both the DefaultRAGroup and the custom Group Policy called SSLClientPolicy. When I initiate the VPN connection to the ASA, I can indeed reach internal resources, but when I look at the routing table, I see a new default gateway route 0.0.0.0/0 -> 192.168.25.2 (which is in the IP pool) with a metric of 2. The default route before the AnyConnect session was initiated now has a higher metric, so the 192.168.25.2 next-hop is taking precedence. I do not see any routes in the routing table for 192.168.223.0/24 like I would expect to see. In the AnyConnect diagnostics, I see that 0.0.0.0/0 is the policy applied to the client. Here's my configuration. Please tell me if you see something that I am missing.

ASA Version 8.3(2)
!
hostname asanames
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.223.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.223.41
 domain-name labs.com
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network vpn-client-net
 subnet 192.168.25.0 255.255.255.0
object network internal-net
 subnet 192.168.223.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object object internal-net
 network-object object vpn-client-net
object-group network DM_INLINE_NETWORK_2
 network-object object internal-net
 network-object object vpn-client-net
access-list SplitTunnelNets extended permit ip any 192.168.223.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static internal-net internal-net destination static vpn-client-net vpn-client-net
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Labs-LDAP protocol ldap
aaa-server Lab-LDAP (inside) host 192.168.223.41
 server-port 636
 ldap-base-dn dc=labs,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn ldap-bind@labs.com
 ldap-over-ssl enable
 server-type microsoft
http server enable
http 192.168.223.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 keypair sslvpnkeypair
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 keypair ASDM_TrustPoint1
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
telnet 192.168.223.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.223.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.5.41.41
ntp server 192.5.41.40
ssl trust-point ASDM_TrustPoint1 outside
webvpn
 enable outside
 no anyconnect-essentials
 svc image disk0:/anyconnect-win-2.5.2017-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-3.0.0629-k9.pkg 2
 svc image disk0:/anyconnect-linux-3.0.0629-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 192.168.223.41
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnelNets
 default-domain value labs.com
 split-dns value labs.com
 address-pools value SSLClientPool
 webvpn
  svc keep-installer installed
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.223.41
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnelNets
 default-domain value coyotelabs.com
 service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 authentication-server-group CoyoteLabs-LDAP
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias CoyoteLabs enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:95b7ff58b54e02948a14b225eec1a990
: end

Guest

Re:ASA 5505 Split Tunneling Configured But Still Tunneling All Traffic

Post by Guest » Fri Dec 31, 2010 8:54 am

The split tunnel access-list has to be a standard access-list, not an extended access-list. You would need to change the following:

FROM:
access-list SplitTunnelNets extended permit ip any 192.168.223.0 255.255.255.0

TO:
access-list SplitTunnelNets standard permit 192.168.223.0 255.255.255.0

You should be able to reconnect again, and will be able to access the Internet after configuring the split tunnel with a standard access-list. Hope that helps.

Guest

Re:ASA 5505 Split Tunneling Configured But Still Tunneling All Traffic

Post by Guest » Fri Dec 31, 2010 9:21 am

Thanks Jennifer!  That did the trick! I really appreciate your help!!!

Guest

Re:ASA 5505 Split Tunneling Configured But Still Tunneling All Traffic

Post by Guest » Fri Dec 31, 2010 10:57 am

Just for clarification, the access-list does not need to be a standard access-list. You can use an extended access-list too. The reason your extended access-list wasn't working as you wanted was because it was defined in the wrong order. To use an extended access-list for split-tunneling in VPN, you put the "internal" network (192.168.223.0) in the source position and the VPN pool network (192.168.25.0 or any) in the destination position. So this is what the extended ACL would look like in your scenario:

access-list SplitTunnelNets extended permit ip 192.168.223.0 255.255.255.0 192.168.25.0 255.255.255.0

-heather

Please remember to rate all posts that helped you and mark the question as resolved if this addressed your question.
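As an added example (not code from this thread or from Cisco), a small Python checker that applies the rule Jennifer and Heather describe: for each form of the SplitTunnelNets line it derives the network the ASA would push to the AnyConnect client (a standard ACE's network, or an extended ACE's source field), and flags the original "any" source as the 0.0.0.0/0 policy seen in the poster's AnyConnect diagnostics. The three sample ACEs are taken from the thread; the function names are assumptions of this example.

```python
import ipaddress

# Constructed sample set: the three forms of the SplitTunnelNets ACL from this thread.
SAMPLE_ACLS = {
    "original": "access-list SplitTunnelNets extended permit ip any 192.168.223.0 255.255.255.0",
    "standard": "access-list SplitTunnelNets standard permit 192.168.223.0 255.255.255.0",
    "extended": "access-list SplitTunnelNets extended permit ip 192.168.223.0 255.255.255.0 192.168.25.0 255.255.255.0",
}


def _addr(tokens, i):
    """Consume one ASA address spec at tokens[i] ('any', 'host A', or 'A MASK'); return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts dotted-netmask notation such as 192.168.223.0/255.255.255.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def pushed_network(ace):
    """Return the network a tunnelspecified split-tunnel list would push to the client for this ACE."""
    tokens = ace.split()
    if tokens[0] != "access-list" or len(tokens) < 5:
        raise ValueError("not an access-list line")
    kind, action = tokens[2], tokens[3]
    if action != "permit":
        return None  # deny entries are not modelled in this example
    if kind == "standard":
        # standard ACE: access-list NAME standard permit NET MASK
        return _addr(tokens, 4)[0]
    if kind == "extended":
        # extended ACE: access-list NAME extended permit PROTO SRC DST
        # the ASA takes the SOURCE field as the protected network, so it must be the internal net
        return _addr(tokens, 5)[0]
    raise ValueError(f"unsupported ACL type: {kind}")


def check_split_tunnel(ace):
    """Flag an ACE whose pushed network is 0.0.0.0/0: tunnelspecified then behaves like tunnel-all."""
    net = pushed_network(ace)
    if net is None:
        return "skipped: deny entry"
    if net.prefixlen == 0:
        return f"WARNING: {net} pushed to client; all traffic will be tunnelled"
    return f"ok: {net} pushed to client"


if __name__ == "__main__":
    for label, ace in SAMPLE_ACLS.items():
        print(f"{label:9s} {check_split_tunnel(ace)}")
```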

Guest

Re:ASA 5505 Split Tunneling Configured But Still Tunneling All Traffic

Post by Guest » Fri Dec 31, 2010 11:53 am

Excellent information!!! This is...by far...the most helpful forum I'm a member of and it's because of responses like Heather's and Jennifer's!!! Thanks again to both of you!!!
