Cisco Support Community
New Member

Split tunnel

We have an ASA acting as our VPN concentrator.  There are no L2L tunnels.  All routing is done from an upstream router that this device sits behind.  Currently the split tunnel works for all but one subnet the remote users are trying to hit.  Here are relevant parts of the config:

interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.16.3 255.255.248.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.0.3 255.255.248.0

object network VPNpool
 range 172.16.17.240 172.16.17.249
 description VPNpool

access-list SPLIT standard permit 172.16.8.0 255.255.248.0
access-list SPLIT standard permit 172.20.0.0 255.255.248.0
access-list SPLIT standard permit 172.16.0.0 255.255.248.0
access-list SPLIT standard permit 172.22.0.0 255.255.248.0
access-list SPLIT standard permit 172.20.0.0 255.255.255.0
access-list SPLIT standard permit 172.16.16.0 255.255.248.0

nat (outside,outside) source static any any destination static VPNpool VPNpool no-proxy-arp

group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 banner value This is for authorized users only.
 wins-server none
 dns-server value 172.20.0.135
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 default-domain value (removed)
 address-pools value VPNpool
 webvpn
  anyconnect ssl compression none
  anyconnect dtls compression none

S    172.16.17.244 255.255.255.255 [1/0] via 172.16.0.1, outside
C    172.16.16.0 255.255.248.0 is directly connected, inside
C    172.16.0.0 255.255.248.0 is directly connected, outside
S    172.20.0.0 255.255.248.0 [1/0] via 172.16.16.1, inside
S    172.22.0.0 255.255.248.0 [1/0] via 172.16.16.1, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.0.1, outside

 

So when connected to the split tunnel I can hit machines on the following subnets 172.16.16.0, 172.20.0.0, 172.22.0.0 but I'm unable to hit anything on 172.16.8.0.  I'm not 100% sure the NAT statement is even in use as there doesn't seem to be any translation actually going on.  Is there something wrong with my config? 

4 REPLIES

Looks like you have a missing route for 172.16.8.0?

New Member

But wouldn't this route allow the 172.16.8.0?

C    172.16.0.0 255.255.248.0 is directly connected, outside

172.16.0.0 255.255.248.0 means 172.16.0.1 - 172.16.7.254.

Does this cover your subnet 172.16.8.0?
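A worked check for the point made in the two replies above, as an added example that is not part of the original thread and not Cisco tooling: the script takes the SPLIT access-list and the routing table exactly as posted, does the same longest-prefix lookup the ASA forwarding table does, and reports which route would carry each split-tunnel network. The access-list and route lines are copied from the post; the parser, the lookup function and the has_route rule are assumptions of the example.

```python
"""Cross-check an ASA split-tunnel list against the ASA routing table.

Added example; the access-list and 'show route' lines are copied from the
post above, the parsing and lookup code is assumed for illustration (it is
not Cisco tooling).  The ASA forwards on the longest-prefix match, so a
network that is in the split list but matched only by 0.0.0.0/0 has no
usable route even though the AnyConnect client sends it into the tunnel.
"""
import ipaddress
import re

# Copied from the original post.
SPLIT_ACL = """\
access-list SPLIT standard permit 172.16.8.0 255.255.248.0
access-list SPLIT standard permit 172.20.0.0 255.255.248.0
access-list SPLIT standard permit 172.16.0.0 255.255.248.0
access-list SPLIT standard permit 172.22.0.0 255.255.248.0
access-list SPLIT standard permit 172.20.0.0 255.255.255.0
access-list SPLIT standard permit 172.16.16.0 255.255.248.0
"""

# Copied from the original post.
ROUTE_TABLE = """\
S    172.16.17.244 255.255.255.255 [1/0] via 172.16.0.1, outside
C    172.16.16.0 255.255.248.0 is directly connected, inside
C    172.16.0.0 255.255.248.0 is directly connected, outside
S    172.20.0.0 255.255.248.0 [1/0] via 172.16.16.1, inside
S    172.22.0.0 255.255.248.0 [1/0] via 172.16.16.1, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.0.1, outside
"""

ACL_RE = re.compile(r"^access-list\s+\S+\s+standard\s+permit\s+(\S+)\s+(\S+)")
# route code, network, mask, anything, egress interface at end of line
ROUTE_RE = re.compile(r"^(\S+)\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3}).*?(\S+)$")


def parse_split_acl(text):
    """Networks permitted by a standard access-list, as ip_network objects."""
    nets = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return nets


def parse_routes(text):
    """(network, egress interface) pairs from 'show route' output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            routes.append((net, m.group(4)))
    return routes


def lookup(addr, routes):
    """Longest-prefix match; returns (route network, interface) or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def usable_range(cidr):
    """First and last host address of a network, e.g. what a /21 spans."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def check_split_list(acl_text, route_text):
    """Map each split-tunnel network to (matched route, interface, has_route).

    has_route is False when the network is carried only by the default
    route, or when its first and last address hit different routes (a
    more specific route covers only part of it).
    """
    routes = parse_routes(route_text)
    result = {}
    for net in parse_split_acl(acl_text):
        first = lookup(net.network_address, routes)
        last = lookup(net.broadcast_address, routes)
        if first is None or last is None:
            result[str(net)] = (None, None, False)
            continue
        has_route = first == last and first[0].prefixlen > 0
        result[str(net)] = (str(first[0]), first[1], has_route)
    return result


if __name__ == "__main__":
    for net, (route, iface, ok) in check_split_list(SPLIT_ACL, ROUTE_TABLE).items():
        print(f"{'ok' if ok else 'NO ROUTE':8} {net:18} -> {route:18} via {iface}")
    print("172.16.0.0/21 hosts:", usable_range("172.16.0.0/255.255.248.0"))
```

Run as-is it flags 172.16.8.0/21 as matched only by the default route via 172.16.0.1 on outside, while the other five split entries hit a more specific connected or static route; it also confirms that 172.16.0.0/21 spans 172.16.0.1 through 172.16.7.254 and so does not cover 172.16.8.0. If the upstream router at 172.16.16.1 also reaches 172.16.8.0/21 (an assumption; the thread does not say), the missing entry would be of the form `route inside 172.16.8.0 255.255.248.0 172.16.16.1`; after adding it, paste the new show route output into ROUTE_TABLE and re-run to confirm the /21 now shows up as the match.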

New Member

Strange, even after adding the necessary route I'm still not able to hit anything at 172.16.8.0. I guess I will need to confirm that the upstream device is allowing the traffic.
