
Problem with Split Tunneling

jjenkins-aks
Level 1

I am attempting to set up split tunneling on a client-to-site VPN connection from an ASA 5505 using 8.2(1). Right now, clients can access the internet but cannot access local network resources such as a network printer.

The situation is this: Clients access the remote site to access a server via RDC on Mac OS X. They need to print from this server, and directly connected printers will work. Unfortunately, every time we try to print to the network printer on the local network, it shows "Searching for printer" and the job gets stuck in the queue. I know this is not a Mac issue since it also happens on Windows XP and Windows 7, and the job does reach the printer on the PC itself. This is indicative of the local network printer being inaccessible while connected to the VPN.

While using directly connected printers is a temporary solution, it is also expensive since cartridges need to be purchased for each one. Can anyone help me troubleshoot what I am missing in the configuration for split tunneling or if another issue exists? See config below. Thanks for any help.

: Saved
:
ASA Version 8.2(1)
!
hostname mas
domain-name XXXXXnet.net
enable password XXXX encrypted
passwd XXXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.69.6 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name aksitnet.net
access-list inside_nat0_outbound extended permit ip any 192.168.9.0 255.255.255.128
access-list splitanyconnect extended permit ip host 192.168.9.1 192.168.9.0 255.255.255.0
access-list splitanyconnect extended permit ip host 192.168.9.203 192.168.9.0 255.255.255.0
access-list splitanyconnect extended permit ip host 192.168.9.205 192.168.9.0 255.255.255.0
access-list splitanyconnect extended permit ip host 192.168.9.206 192.168.9.0 255.255.255.0
access-list splitanyconnect extended permit ip host 192.168.9.207 192.168.9.0 255.255.255.0
access-list splitanyconnect extended permit ip host 192.168.9.204 192.168.9.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1492
mtu outside 1492
ip local pool ipsecvpnpool01 192.168.9.60-192.168.9.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 X.X.69.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.9.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 21
telnet timeout 5
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.9.11-192.168.9.59 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server X.X.69.5 source outside prefer
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy anyconnect internal
group-policy anyconnect attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitanyconnect
username ttelpirt password XXXX encrypted privilege 15
username jjenkins password XXXX encrypted privilege 15
username hheyser password XXXX encrypted privilege 1
username wgudim password XXXX encrypted privilege 1
username aarredondo password XXXX encrypted privilege 1
username crios password XXXX encrypted privilege 1
username sbrown password XXXX encrypted privilege 1
username egomes password XXXX encrypted privilege 1
username ckarris password XXXX encrypted privilege 1
username mtriplett password XXXX encrypted privilege 15
username icolin password XXXX encrypted privilege 1
username mgrina password XXXX encrypted privilege 1
username ichristner password XXXX encrypted privilege 1
username nthomas password XXXX encrypted privilege 1
username akovac password XXXX encrypted privilege 1
username martind password XXX encrypted privilege 1
username lburton password XXXX encrypted privilege 1
tunnel-group ipsecvpngroup01 type remote-access
tunnel-group ipsecvpngroup01 general-attributes
 address-pool ipsecvpnpool01
tunnel-group ipsecvpngroup01 ipsec-attributes
 pre-shared-key *
tunnel-group anyconnect_mas01 type remote-access
tunnel-group anyconnect_mas01 general-attributes
 address-pool ipsecvpnpool01
 default-group-policy anyconnect
tunnel-group anyconnect_mas01 webvpn-attributes
 group-alias anyconnect_mas01 enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server X.X.69.4
prompt hostname context
Cryptochecksum:9dd089013bd6522ee60230e7cb9667af
: end
no asdm history enable


mvsheik123
Level 7

Hi,

First of all, never use the same subnet for internal IPs & the remote VPN client pool. You can make things work, but it will kill your time. As your internal IP is 192.168.9.x, use a VPN pool of 192.168.10.0 etc.

Change your nat 0 ACL to cover your internal subnet (255.255.255.0) --> to the new VPN pool.

If I remember correctly, you can use a standard ACL statement for your internal subnet in 'splitanyconnect'. No need to use extended.

Also, do users try to access internal resources using IPs or hostnames? If hostnames, you need to assign at least one internal DNS server for the remote VPN users under 'group policy'.

hth

MS

Thank you, mvsheik123, for the reply.

I had a feeling that using the same DHCP might be an issue. Unfortunately, I didn't set this up originally and I would have to go through layers of red tape to get approval to use a new subnet. Are there any changes I can make while keeping the IP addresses that are already used to make this work?

The reason I'm using an extended ACL list is because the VPN users need only access those IPs that are listed. All other traffic destined out should not be marked interesting (hoping for an implicit deny, but not necessary). I had also tried switching it to a standard ACL statement that covered the entire subnet range 192.168.9.x/24, with no luck.

I set users to access internal resources by IP address only, so DNS is not an issue at all.

Hi,

I would prefer to change the IPs.. but it is completely up to you. Leaving everything intact.. you can try the below..

1. Based on your internal network infrastructure, add a static route on your internal switch/router pointing to the ASA inside interface for each remote VPN assigned IP.

(or if you can change the pool range to .65 to .94, you can use the single subnet 192.168.9.64/255.255.255.224).

2. Add a static route on the ASA for each remote VPN assigned IP pointing to your gateway.

3. Make sure that when you connect using VPN, your client downloads the split tunnel IP list.

Try to initiate the connection and if that does not work, initiate a 'ping' from an inside server to the VPN client, enable 'debug icmp trace' on the ASA and see where the packets are being dropped.

hth

MS
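Added here as an example for this thread, not the poster's configuration or any Cisco tooling: a short Python lint for the two address-plan points made in the replies above. It reports an 'ip local pool' that overlaps an interface subnet (the thread's pool 192.168.9.60-99 sits inside the inside /24) and a nat 0 (identity NAT) ACL whose destinations do not cover the whole pool, and it computes the smallest single subnet containing a pool range, which is how shrinking the pool to .65-.94 yields 192.168.9.64/255.255.255.224 (a /27). SAMPLE_CONFIG is a constructed excerpt that reproduces the thread's addresses with a documentation-range outside address in place of the redacted one, FIXED_CONFIG is a constructed variant with the pool moved to 192.168.10.0/24 as the first reply suggests, and all function names are mine.

```python
"""Lint an ASA 8.x remote-access VPN address plan for pool/subnet overlap and
nat 0 coverage. Example code written for this thread; not Cisco's or the poster's."""
import ipaddress
import re

# Constructed excerpt reproducing the thread's address plan: inside 192.168.9.0/24,
# pool .60-.99, nat 0 ACL destination 192.168.9.0/25. The outside address is a
# documentation-range placeholder, not the poster's real address.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.9.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.6 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 192.168.9.0 255.255.255.128
ip local pool ipsecvpnpool01 192.168.9.60-192.168.9.99 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

# Constructed variant following the first reply: pool moved to 192.168.10.0/24 and
# the nat 0 ACL rewritten as "inside subnet -> VPN pool".
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "permit ip any 192.168.9.0 255.255.255.128",
    "permit ip 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.0",
).replace("192.168.9.60-192.168.9.99", "192.168.10.60-192.168.10.99")

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask", re.MULTILINE)
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)", re.MULTILINE)


def parse_interfaces(config):
    """Map each nameif to the IPv4 subnet configured under its interface block."""
    nets, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                      # new block; its nameif follows
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, addr, mask = line.split()[:4]
            nets[name] = ipaddress.ip_interface(f"{addr}/{mask}").network
    return nets


def parse_pools(config):
    """Map each 'ip local pool' name to its (first, last) address."""
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in POOL_RE.finditer(config)}


def nat0_destinations(config):
    """Destination subnets of every ACL bound with 'nat (iface) 0 access-list ...'."""
    bound = set(NAT0_RE.findall(config))
    dests = []
    for raw in config.splitlines():
        p = raw.split()
        if len(p) >= 8 and p[0] == "access-list" and p[1] in bound and p[3:5] == ["permit", "ip"]:
            try:   # last two tokens are 'addr mask'; 'any' / 'host x' destinations are skipped
                dests.append(ipaddress.ip_network(f"{p[-2]}/{p[-1]}", strict=False))
            except ValueError:
                pass
    return dests


def covering_network(start, end):
    """Smallest single CIDR block that contains the whole address range."""
    start, end = ipaddress.ip_address(start), ipaddress.ip_address(end)
    net = ipaddress.ip_network(f"{start}/32")
    while end not in net:
        net = net.supernet()
    return net


def lint(config):
    """Return human-readable findings; an empty list means both checks pass."""
    findings = []
    ifaces = parse_interfaces(config)
    dests = nat0_destinations(config)
    for pool, (first, last) in parse_pools(config).items():
        for nameif, net in ifaces.items():
            if first <= net.broadcast_address and last >= net.network_address:
                findings.append(f"pool {pool} {first}-{last} overlaps {nameif} subnet {net}; "
                                f"smallest single subnet covering the pool is {covering_network(first, last)}")
        if not any(first in d and last in d for d in dests):
            findings.append(f"pool {pool} {first}-{last} is not covered by the nat 0 ACL destinations {dests}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("after moving the pool", FIXED_CONFIG)):
        print(label, "->", lint(cfg) or "no findings")
```

Run it directly to see the overlap reported for the posted plan and a clean result for the moved pool. The parser only understands the line shapes used in the excerpt (one `ip address` per interface block, ACL destinations written as `addr mask`), so it is a targeted check rather than a general ASA config parser.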