split tunnel policy not working

Unanswered Question
Oct 12th, 2009
User Badges:

Dear All,

I setup a site to site vpn between 4 sites with asa 5510 at the HQ.The remote sites will have access the internet from the ISA server at the HQ site.But my split tunneling config does not work.Here is the asa config.Please Help.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
kolawole1 Tue, 10/13/2009 - 08:34
User Badges:

I am trying to ping from the remote office router lan interface a public ip address.

I think with split tunneling i should be able to access the internet from the HQ.

Thank you.

Well there are a couple of things, that you need to ensure are happening:-

1) The remote end has a default route into the VPN tunnel

2) The default routing is not being natt'd into the VPN tunnel

3) At the HQ site you need to NAT the remote subnet IP on the outside interface

4) For ping to work you need to allow ICMP ech-reply on the outside of the HQ interface


kolawole1 Tue, 10/13/2009 - 10:33
User Badges:

Dear Sir,

I am using radio links for connectivity between the sites not the internet.Furtheremore the asa is not the internet gateway (no public ip assigned) the asa is serving only as a vpn concenrtrator passing internet traffic to a microsoft ISA server (on the ASA LAN interface) which is connected to the ISP ADSL modem.

ICMP is allowed.

kolawole1 Wed, 10/14/2009 - 09:55
User Badges:

The remote end has the ip address of the outside interface of the asa as default gateway.The ISA server policy does not allow pings but the internet traffic is allowed.Hosts in HQ have access to internet.The ISA server is connected to the the ADSL modem,(the isa server is on the LAN interface as well as internel users).

Thank you.

The default gateway pointing to the outside interface of the VPN termination interface is not a way I would do it. I would point the default gateway to the internal router on the HQ LAN that handles all the internal default routing.

What do you mean "The ISA server policy does not allow pings" ? does this mena you cannot even ping the LAN facing interface (inside) od the ISA server?

You really need to confirm connectivity from the remote ends into the HQ network before you start with the ISA server.


This Discussion