ASA remote VPN Split Tunnel issue.

Split tunnel is not working properly. When I change the split tunnel policy to tunnel-specified, I am not able to access the internal LAN. When I make it tunnel-all, I am able to access the LAN. I require both Internet & LAN at the same time. Please help.

access-list NONAT extended permit ip 172.16.100.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list NONAT extended permit ip 172.16.100.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list NONAT extended permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.19.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list NONAT extended permit ip 192.168.19.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list NONAT extended permit ip 192.168.19.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list NONAT extended permit ip 192.168.19.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip any 172.16.100.0 255.255.255.0
access-list INTERNET extended permit icmp any any
access-list yatravpn_splitTunnelAcl standard permit 172.16.100.0 255.255.255.0
access-list yatravpn_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0

----------------------------------------------------------------------------------------------------

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map INTERNET_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map INTERNET_map interface INTERNET
crypto isakmp enable INTERNET
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy yatravpn internal
group-policy yatravpn attributes
 dns-server value 192.168.32.104 192.168.28.14
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 split-tunnel-network-list value yatravpn_splitTunnelAcl
 default-domain value xyz.com
vpn-group-policy yatravpn
tunnel-group yatravpn type remote-access
tunnel-group yatravpn general-attributes
 address-pool yatrapool
 default-group-policy yatravpn
tunnel-group yatravpn ipsec-attributes
 pre-shared-key *

Regards,

HARI


Re: ASA remote VPN Split Tunnel issue.

Your command:

split-tunnel-policy tunnelall

should be:

split-tunnel-policy tunnelspecified

Also, in your ACL the second line is all you need, since it is a superset of the first:

access-list yatravpn_splitTunnelAcl standard permit 172.16.100.0 255.255.255.0

access-list yatravpn_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
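The two points in this reply can be checked mechanically before a config is pushed: a `split-tunnel-policy tunnelall` makes the ASA ignore the `split-tunnel-network-list`, and a standard ACL entry covered by a broader entry in the same list is dead weight. The script below is an added example, not code from this thread or from Cisco; the embedded config is a constructed excerpt of the poster's lines, and the audit generalises to any number of group-policies and ACLs in the same format.

```python
import ipaddress
import re

# Constructed sample: the split-tunnel lines from the poster's ASA config.
SAMPLE_CONFIG = """\
access-list yatravpn_splitTunnelAcl standard permit 172.16.100.0 255.255.255.0
access-list yatravpn_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
group-policy yatravpn attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list value yatravpn_splitTunnelAcl
"""

STD_ACL = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
GP_ATTRS = re.compile(r"^group-policy (\S+) attributes$")


def parse_standard_acls(config):
    """Return {acl_name: [IPv4Network, ...]} for every standard ACL line."""
    acls = {}
    for line in config.splitlines():
        m = STD_ACL.match(line.strip())
        if m:
            name, addr, mask = m.groups()
            # ASA writes dotted masks; ip_network accepts "addr/mask" directly.
            acls.setdefault(name, []).append(
                ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return acls


def parse_group_policies(config):
    """Return {policy_name: {split-tunnel-policy, split-tunnel-network-list}}."""
    policies, current = {}, None
    for line in config.splitlines():
        s = line.strip()
        m = GP_ATTRS.match(s)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif current is not None and s.startswith("split-tunnel-policy "):
            current["split-tunnel-policy"] = s.split()[1]
        elif current is not None and s.startswith("split-tunnel-network-list value "):
            current["split-tunnel-network-list"] = s.split()[2]
    return policies


def redundant_entries(networks):
    """Entries already covered by a broader (superset) entry in the same ACL."""
    return [n for n in networks if any(o != n and n.subnet_of(o) for o in networks)]


def audit(config):
    """List split-tunnel misconfigurations and redundant network-list entries."""
    findings, acls = [], parse_standard_acls(config)
    for name, attrs in parse_group_policies(config).items():
        policy, acl = attrs.get("split-tunnel-policy"), attrs.get("split-tunnel-network-list")
        if policy == "tunnelall" and acl:
            findings.append(f"{name}: split-tunnel-policy tunnelall ignores network list {acl}")
        if policy == "tunnelspecified" and not acl:
            findings.append(f"{name}: tunnelspecified but no split-tunnel-network-list")
        for net in redundant_entries(acls.get(acl, [])):
            findings.append(f"{acl}: {net} is a subset of another entry")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports both problems from this thread; after changing the policy to `tunnelspecified` only the redundant 172.16.100.0/24 entry remains.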
