
Split-Tunnel Issues (ASA)

James Bond

Diamond Member
I've got an RA VPN connection configured on a 5520.

The VPN seems to be set up fine. I have split tunneling enabled, so only data destined for the 192.168.201.x should be tunneled.

After connecting to the VPN (using Cisco client), I can only access resources through the tunnel. I'm not able to access any local resources on my end, or anything online. When I look at my VPN Client statistics, it shows that about 99% of my traffic is bypassing the VPN tunnel...

What am I doing wrong? It seems like the VPN tunnel is doing its job properly...
 
If you look at the route details of the client, is 192.168.201.x the only secured route? Any local LAN routes? Do you have "allow local LAN access" checked in the client? Also, do you see the split-t networks/attributes being passed in the client log?

Post your ASA config please...
 
Thanks for the response. I didn't set up this ASA, but it's a huge mess, so sifting through can be difficult.

I'm just trying to get functionality, so I created a new network list which ONLY has their internal subnet (192.168.201.0). Therefore, any traffic that is NOT directed at 192.168.201.x should NOT be going through the tunnel.

I can't seem to find the "allow local LAN access" button on the client (I'm new to ASDM)
 
Yeah, I've looked at both -- Very basic configuration. The problem doesn't seem to be with the basic tunnel config, because I can verify that most packets are indeed bypassing the tunnel... Packets are going out, not coming back.
 
Here is a clip of our (cleaned) config. We use SplitTunnels and they work fine, hopefully this will be of some use to you.

access-list internalusers_splitTunnelAcl remark rules for internal users
access-list internalusers_splitTunnelAcl extended permit ip object-group XXXX-int-nets any
access-list internalusers_splitTunnelAcl extended permit ip 192.168.xx.0 255.255.255.0 any
access-list internalusers_splitTunnelAcl extended permit ip 192.168.x.0 255.255.255.0 any

access-list restrict_internalUsers extended permit tcp any 192.168.xxx.0 255.255.255.0 eq 3389
access-list restrict_internalUsers extended permit tcp any object-group server-int-nets eq www
access-list restrict_internalUsers extended permit tcp any object-group server-int-nets eq https


group-policy internalusers internal
group-policy internalusers attributes
 banner value You have accessed a secure and monitored connection. If you have not been granted explicit
 banner value permission to access this connection and its underlying systems you must disconnect immediately.
 dns-server value 192.168.x.x 192.168.x.x
 vpn-filter value restrict_internalUsers
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value internalusers_splitTunnelAcl

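To make the config above easier to check, here is an added example (my own script, not code from the thread or from Cisco) that parses an ASA group-policy and its split-tunnel network list and answers the question the OP is asking: for a given destination, would the client send it through the tunnel or bypass it? It also flags the mistakes that make a split tunnel silently behave like a full tunnel (a network list with an `any` source, or a list/filter name that is referenced but never defined). The config text is constructed: it follows the posted fragment, with the masked octets replaced by hypothetical values, plus a second hypothetical group-policy `contractors` whose list contains `permit ip any any` so the warning path is exercised. It goes slightly beyond the thread by also handling the `tunnelall` and `excludespecified` policies; `object-group` sources are reported as unexpanded rather than resolved.

```python
import ipaddress
from collections import defaultdict

# Constructed ASA config fragment modelled on the one posted in this thread.
# Masked octets replaced with hypothetical values; 'contractors' is hypothetical.
SAMPLE_CONFIG = """
access-list internalusers_splitTunnelAcl remark rules for internal users
access-list internalusers_splitTunnelAcl extended permit ip 192.168.201.0 255.255.255.0 any
access-list internalusers_splitTunnelAcl extended permit ip 192.168.10.0 255.255.255.0 any
access-list restrict_internalUsers extended permit tcp any 192.168.201.0 255.255.255.0 eq 3389
access-list leaky_splitTunnelAcl extended permit ip any any
group-policy internalusers internal
group-policy internalusers attributes
 dns-server value 192.168.201.10 192.168.201.11
 vpn-filter value restrict_internalUsers
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value internalusers_splitTunnelAcl
group-policy contractors internal
group-policy contractors attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value leaky_splitTunnelAcl
"""


def parse_source(tokens):
    """Turn the source part of 'permit <proto> <src> ...' into an ip_network.

    In a split-tunnel network list the *source* field is the network the
    client should route into the tunnel. Returns (network, note); note is set
    when the source cannot be resolved offline (object-group)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), None
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), None
    if tokens[0] == "object-group":
        return None, f"object-group {tokens[1]} not expanded; check its members"
    # 'net mask' form, e.g. 192.168.201.0 255.255.255.0
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), None


def parse_config(text):
    """Collect ACL entries and the split-tunnel / vpn-filter attributes per group-policy."""
    acls = defaultdict(list)   # ACL name -> [(network or None, note)]
    policies = {}              # group-policy name -> {attribute: value}
    current = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list" and "permit" in tok:
            i = tok.index("permit") + 2          # skip 'permit <proto>'
            acls[tok[1]].append(parse_source(tok[i:]))
        elif tok[0] == "group-policy" and tok[-1] == "attributes":
            current = tok[1]
            policies[current] = {}
        elif current and tok[0] == "split-tunnel-policy":
            policies[current]["split-tunnel-policy"] = tok[1]
        elif current and tok[0] in ("split-tunnel-network-list", "vpn-filter"):
            policies[current][tok[0]] = tok[2]   # '<keyword> value <name>'
    return acls, policies


def split_tunnel_report(text):
    """Per group-policy: effective policy, tunneled networks, and warnings."""
    acls, policies = parse_config(text)
    report = {}
    for name, attrs in policies.items():
        policy = attrs.get("split-tunnel-policy", "tunnelall")   # ASA default
        entry = {"policy": policy, "networks": [], "warnings": []}
        if policy in ("tunnelspecified", "excludespecified"):
            acl = attrs.get("split-tunnel-network-list")
            if acl not in acls:
                entry["warnings"].append(f"split-tunnel-network-list {acl!r} is not defined")
            for net, note in acls.get(acl, []):
                if note:
                    entry["warnings"].append(note)
                    continue
                if net.prefixlen == 0 and policy == "tunnelspecified":
                    entry["warnings"].append(
                        "'any' source in the network list tunnels all traffic; split tunnel is ineffective")
                entry["networks"].append(net)
        vpn_filter = attrs.get("vpn-filter")
        if vpn_filter and vpn_filter not in acls:
            entry["warnings"].append(f"vpn-filter {vpn_filter!r} references an undefined ACL")
        report[name] = entry
    return report


def is_tunneled(entry, dst):
    """Would a packet to dst be sent into the tunnel under this policy entry?"""
    addr = ipaddress.ip_address(dst)
    listed = any(addr in net for net in entry["networks"])
    if entry["policy"] == "tunnelspecified":
        return listed
    if entry["policy"] == "excludespecified":
        return not listed
    return True   # tunnelall


if __name__ == "__main__":
    for name, entry in split_tunnel_report(SAMPLE_CONFIG).items():
        print(name, entry["policy"], [str(n) for n in entry["networks"]], entry["warnings"])
        for dst in ("192.168.201.5", "8.8.8.8"):
            print("   ", dst, "-> tunnel" if is_tunneled(entry, dst) else "-> bypasses tunnel")
```

Run it against `show running-config` output saved to a file to compare what the ASA is configured to push against the secured routes the client's route details actually show; if the two disagree, the client log (the "split-t" attributes mentioned above) is the next place to look.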
 