Split tunnelling - access restrictions?

Unanswered Question
Apr 12th, 2012

(ASA5510, ASA version 8.2(3)) I have set up split tunnelling for one of our suppliers. When testing the setup, the local computer with the VPN Client connects to the dedicated services it has access to behind the ASA, and the local computer can ping any computer on the local LAN and it can also access the internet and webpages on the local network.

But the supplier complains that he cannot run a local Navision session on the remote computer while connected to the VPN tunnel. I am not able to run a test that mirrors this.

I have followed the descriptions in document ID: 70917 in setting up the split tunnelling, and as far as I can see, the setup works. But are there any restrictions laid on the local computer running the VPN Client in what services on the local network it can connect to?

Regards

Ulrik

jportugu Thu, 04/12/2012 - 05:21

Dear Ulrik,

There are no restrictions defined by the client itself, the ASA is the one in charge of defining what networks the client can access thru the tunnel. There is a way to limit access to certain ports thru the VPN connection, by using a VPN filter.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

On the other hand, in order to find the issue, I would recommend the following action plan:

1- Can you at least ping the server?

2- Configure a capture on the inside interface of the FW, as follows:

     capture capin interface inside match ip vpn_pool_network netmask host internal_server

     capture drop type asp all

3- Then use the application thru the tunnel and check the captures:

     show capture capin | inc vpn_client_ip

     show capture drop | inc vpn_client_ip

4- Extract the capture from the FW in order to analyze it with Wireshark:

     https://ip_address_ASA/capture/capin/pcap

5- Review the capture and verify the issue.

     a. "capin" capture: Do you see the TCP handshake?

          Does the server seem to respond?

     b. "drop" capture: Do you see the traffic generated by the client being dropped?

6- Logs from the FW would be useful as well.

Please let me know.

Thanks.

ulrikfriisjensen Thu, 04/12/2012 - 05:44

Thank you for your answer. Perhaps I haven't explained my problem precisely enough, because you suggest investigating traffic on the inside of the ASA, and here there are no problems. The VPN tunnel works fine and our supplier can reach the two servers at our corporate LAN.

The problem is at the supplier's own LAN, where he claims he can only connect to the internet and not to the Navision server situated at his own LAN when the VPN tunnel is active.

I have asked him to ping the Navision server when the VPN tunnel is up. And I'm waiting for his reply.

When I tested the setup from a different network, my TEST-LAN, the tunnel gave me access to the necessary services and servers on the inside of the ASA, the corporate LAN. Conclusion: Success. And when I pinged computers on the TEST-LAN, I got a response: Success.

But I don't have an application server on my TEST-LAN to test against. That was why I was interested in knowing if any access restrictions are laid on the TEST-LAN for the computer running the VPN Client.

Regards

Ulrik

jportugu Thu, 04/12/2012 - 06:02

Thanks for the clarification.

The client should not be affecting LOCAL traffic since it uses split-tunneling.

At this point, I would suggest connecting the VPN client, put a packet sniffer on the VPN network adapter and try to connect to the application, if split-tunneling is in place and this network is not included, then you should not see that traffic flowing thru the VPN tunnel.

Please keep me posted.

Thanks.
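As an added illustration of step 5a in the first reply and of the split-tunnel check suggested above (not part of the original thread), the Python helper below parses lines in the tcpdump-style format that `show capture` prints on the ASA, reports whether the TCP three-way handshake between the client and the server completed, and lists destinations the client sent into the tunnel that fall outside the split-tunnel networks. The sample lines, all addresses and the 172.16.0.7 "local" server are constructed placeholders, not data from the thread.

```python
import ipaddress
import re

# One tcpdump-style line from "show capture <name>": "n: time src.port > dst.port: flags rest"
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[SFRP.]+)(?P<rest>.*)$"
)

# Constructed sample resembling "show capture capin" output (not a real capture).
SAMPLE_CAPIN = """\
   1: 05:21:13.103412 192.168.10.5.51234 > 10.1.1.20.1433: S 1000:1000(0) win 8192 <mss 1460>
   2: 05:21:13.104001 10.1.1.20.1433 > 192.168.10.5.51234: S 5000:5000(0) ack 1001 win 8192
   3: 05:21:13.104500 192.168.10.5.51234 > 10.1.1.20.1433: . ack 5001 win 8192
   4: 05:21:14.200000 192.168.10.5.51235 > 172.16.0.7.2407: S 2000:2000(0) win 8192
"""

def parse_capture(text):
    """Return one dict per TCP line; lines that do not match (ICMP, UDP, banners) are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            d["syn"] = "S" in d["flags"]          # SYN or SYN-ACK
            d["ack"] = " ack " in d["rest"]        # any segment carrying an ACK number
            pkts.append(d)
    return pkts

def handshake_status(pkts, client_ip, server_ip, server_port):
    """Step 5a: did the client SYN, did the server SYN-ACK, did the client ACK back?"""
    seen_syn = seen_synack = seen_ack = False
    for p in pkts:
        c2s = p["src"] == client_ip and p["dst"] == server_ip and p["dport"] == server_port
        s2c = p["src"] == server_ip and p["sport"] == server_port and p["dst"] == client_ip
        if c2s and p["syn"] and not p["ack"]:
            seen_syn = True
        elif s2c and p["syn"] and p["ack"]:
            seen_synack = True
        elif c2s and seen_synack and p["flags"] == ".":
            seen_ack = True
    if seen_ack:
        return "complete"
    if seen_synack:
        return "server replied, client ACK missing"
    if seen_syn:
        return "SYN only: server not responding or traffic dropped"
    return "no connection attempt from client"

def outside_split_tunnel(pkts, client_ip, secured_networks):
    """Destinations the client sent through the tunnel that are not in the split-tunnel list."""
    nets = [ipaddress.ip_network(n) for n in secured_networks]
    return sorted({p["dst"] for p in pkts if p["src"] == client_ip
                   and not any(ipaddress.ip_address(p["dst"]) in n for n in nets)})
```

With the sample, the 1433 connection reports "complete" while the 172.16.0.7 destination shows up as traffic that should have stayed on the supplier's LAN instead of entering the tunnel.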

ulrikfriisjensen Thu, 04/12/2012 - 06:20

Hi Javier,

Thank you for your dedication to help me. I'm not sure if the supplier is able to do that, so I will try to capture traffic from him on the ASA to see if any locally addressed traffic is flowing through the tunnel - if that's possible.

But - I'm going home now and I can see you have just started your day. Tomorrow I will try to solve the issue.

Regards

Ulrik

ulrikfriisjensen Mon, 04/16/2012 - 08:34

As you wrote in your first answer, there are no restrictions on accessing the LAN. It turned out to be a question about Vista's credentials on the domain. The user couldn't open a Navision session after the VPN tunnel was established. When he was asked to open the Navision session first and then open the tunnel, everything worked fine.

Thanks for your help.

Regards

Ulrik
