Split-Tunnel Issues (ASA)

James Bond

Diamond Member
Jan 21, 2005
I've got a RA VPN connection configured on a 5520.

The VPN seems to be set up fine. I have split tunneling enabled, so only data destined for the 192.168.201.x should be tunneled.

After connecting to the VPN (using Cisco client), I can only access resources through the tunnel. I'm not able to access any local resources on my end, or anything online. When I look at my VPN Client statistics, it shows that about 99% of my traffic is bypassing the VPN tunnel...

What am I doing wrong? It seems like the VPN tunnel is doing its job properly...

jlazzaro

Golden Member
May 6, 2004
If you look at the route details of the client, is 192.168.201.x the only secured route? Any local LAN routes? Do you have "allow local LAN access" checked in the client? Also, do you see the split-tunnel networks/attributes being passed in the client log?

Post your ASA config please...

James Bond

Diamond Member
Jan 21, 2005
Thanks for the response. I didn't set up this ASA, but it's a huge mess, so sifting through can be difficult.

I'm just trying to get functionality, so I created a new network list which ONLY has their internal subnet (192.168.201.0). Therefore, any traffic that is NOT directed at 192.168.201.x should NOT be going through the tunnel.

I can't seem to find the "allow local LAN access" button on the client (I'm new to ASDM).

James Bond

Diamond Member
Jan 21, 2005
Yeah, I've looked at both -- very basic configuration. The problem doesn't seem to be with the basic tunnel config, because I can verify that most packets are indeed bypassing the tunnel... Packets are going out, not coming back.

Tommouse

Senior member
Feb 29, 2004
Here is a clip of our (cleaned) config. We use split tunnels and they work fine; hopefully this will be of some use to you.

access-list internalusers_splitTunnelAcl remark rules for internal users
access-list internalusers_splitTunnelAcl extended permit ip object-group XXXX-int-nets any
access-list internalusers_splitTunnelAcl extended permit ip 192.168.xx.0 255.255.255.0 any
access-list internalusers_splitTunnelAcl extended permit ip 192.168.x.0 255.255.255.0 any

access-list restrict_internalUsers extended permit tcp any 192.168.xxx.0 255.255.255.0 eq 3389
access-list restrict_internalUsers extended permit tcp any object-group server-int-nets eq www
access-list restrict_internalUsers extended permit tcp any object-group server-int-nets eq https
group-policy internalusers internal
group-policy internalusers attributes
banner value You have accessed a secure and monitored connection. If you have not been granted explicit
banner value permission to access this connection and its underlying systems you must disconnect immediately.
dns-server value 192.168.x.x 192.168.x.x
vpn-filter value restrict_internalUsers
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value internalusers_splitTunnelAcl
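The config above wires a group-policy to its split-tunnel network list. The following added Python check (not code from the thread) parses such a snippet, resolves the network list the policy references, and reports whether a given destination would be tunneled, which is how you would confirm that only 192.168.201.x is protected and that no entry quietly tunnels everything. The config text, ACL and policy names it uses are constructed.

```python
# Added example, not code from the thread; the config below is constructed, names hypothetical.
import ipaddress
import re

SAMPLE_CONFIG = """
object-group network site-int-nets
 network-object 10.20.0.0 255.255.0.0
access-list rav_splitTunnelAcl extended permit ip object-group site-int-nets any
access-list rav_splitTunnelAcl extended permit ip 192.168.201.0 255.255.255.0 any
group-policy ravpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value rav_splitTunnelAcl
"""

def parse_object_groups(cfg):
    """Map 'object-group network' names to networks (net/mask members only)."""
    groups, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object-group network (\S+)", line):
            current = groups.setdefault(m.group(1), [])
        elif current is not None and (m := re.match(r" network-object (\S+) (\S+)", line)):
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif not line.startswith(" "):
            current = None  # any unindented line closes the object-group block
    return groups

def split_tunnel_acl(cfg, policy):
    """Network-list name for POLICY, or None if it is not in tunnelspecified mode."""
    m = re.search(rf"group-policy {re.escape(policy)} attributes\n((?: .*\n)+)", cfg)
    if not m or "split-tunnel-policy tunnelspecified" not in m.group(1):
        return None
    acl = re.search(r"split-tunnel-network-list value (\S+)", m.group(1))
    return acl.group(1) if acl else None

def tunneled_networks(cfg, acl_name):
    """Networks the ACL protects; its *source* field is the protected network, so 'any' tunnels all."""
    groups, nets = parse_object_groups(cfg), []
    pat = re.compile(rf"access-list {re.escape(acl_name)} (?:extended permit ip|standard permit) (.+)")
    for m in filter(None, map(pat.match, cfg.splitlines())):
        tok = m.group(1).split()
        if tok[0] == "object-group":
            nets.extend(groups.get(tok[1], []))
        else:  # 'any' or 'network mask'
            nets.append(ipaddress.ip_network("0.0.0.0/0" if tok[0] == "any" else f"{tok[0]}/{tok[1]}"))
    return nets

def is_tunneled(cfg, policy, dest):
    acl = split_tunnel_acl(cfg, policy)  # no list => ASA default of tunnelall
    nets = tunneled_networks(cfg, acl) if acl else [ipaddress.ip_network("0.0.0.0/0")]
    return any(ipaddress.ip_address(dest) in n for n in nets)
```

Run it against a pasted `show running-config` excerpt to see exactly which prefixes the client will receive as secured routes; a source of `any` in the list, or a policy with no list at all, means the client is not split-tunneling.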