Cisco ASA VPN Route Question

mwhitlow
Level 1

I have an ASA 5510 running 8.4x and am using a remote access L2TP/IPSEC VPN. The VPN works great. My issue is that I want to populate the client's routing table with a route dynamically when it's connected to the VPN. If I do a Windows "route add XX" the connectivity works, but I cannot figure out how to make the ASA VPN stick the route in the client's table. Any help would be appreciated. Thanks much!

Mike

3 Replies

Marcin Latosiewicz
Cisco Employee

Mike,

AFAIK no l2tp over ipsec implementation supports split-tunneling which seems to be what you're after.

Alternatively (but I don't think L2TP on the Windows side allows this) you could auto-launch a script with routes upon connection.

Marcin

Hi,

Split tunneling is not supported for L2TP connections. Please go through the following doc for a workaround:

http://technet.microsoft.com/en-us/library/bb878117.aspx

Hope this helps,

Regards,

Parminder Sian

Thanks for all of the responses.

TAC told me the same thing, that split tunneling was not possible on l2tp-ipsec. Then they said it was, but only for Windows XP clients.

With a combination of TAC help and my own trial and error I was able to come up with this configuration on the ASA, and it works on XP, Windows 7, Windows 2003, and a Mac:

! INTERNAL NETWORK (static route on the ASA toward the internal next hop)
route inside 192.168.111.128 255.255.255.192 192.168.222.1 1

! INTERNAL DNS SERVER
route inside 192.168.200.100 255.255.255.255 192.168.222.1 1

! ACL MATCHES STATIC ROUTES (each entry becomes a route pushed to the client)
access-list TUNNEL-THIS standard permit 192.168.111.128 255.255.255.192
access-list TUNNEL-THIS standard permit host 192.168.200.100

! THE MAGIC
group-policy DefaultRAGroup attributes
  dns-server value 192.168.200.100
  vpn-tunnel-protocol ikev1 l2tp-ipsec
  ipsec-udp enable
  ! tunnel only the networks listed in TUNNEL-THIS; everything else stays local
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value TUNNEL-THIS
  ! answer the client's DHCPINFORM so the split-tunnel networks are installed as client routes
  intercept-dhcp 255.255.255.0 enable

The only caveat is that some clients do not use the VPN-provided DNS server 192.168.200.100 after they connect to the VPN; they use the original one they had from their main network stack. In my case this means that they can only connect to internal resources by IP and not by DNS name.
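A check that goes with the configuration above, added here as an example and not part of the thread: it parses the split-tunnel ACL (TUNNEL-THIS) and a client's route table and reports which split-tunnel networks the client did not actually receive, plus whether the client is resolving against the DNS server the group policy hands out. The `route print` output and the client DNS list are constructed sample data, not captures from the original poster's network; on a real client you would paste the output of `route print` (Windows) or `netstat -rn` (Mac) and the interface's DNS servers in their place.

```python
import ipaddress
import re

# Split-tunnel ACL exactly as configured on the ASA in the post above.
ASA_ACL = """
access-list TUNNEL-THIS standard permit 192.168.111.128 255.255.255.192
access-list TUNNEL-THIS standard permit host 192.168.200.100
"""

# Constructed sample of a Windows client's IPv4 route table after the L2TP/IPsec
# tunnel came up (assumed tunnel address 192.168.222.50). The /26 arrived, the
# host route for the DNS server did not.
ROUTE_PRINT = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.0.0.1       10.0.0.5     25
  192.168.111.128  255.255.255.192     On-link   192.168.222.50     26
   192.168.222.50  255.255.255.255     On-link   192.168.222.50    281
        127.0.0.0        255.0.0.0     On-link        127.0.0.1    331
"""

# Constructed: DNS servers the client is actually using after connecting
# (the caveat in the post: the VPN-provided server is not among them).
CLIENT_DNS = ["10.0.0.1"]
VPN_DNS = "192.168.200.100"   # from "dns-server value" in the group policy


def parse_split_tunnel_acl(acl_text, name):
    """Return the networks permitted by a standard ACL as IPv4Network objects."""
    nets = []
    for line in acl_text.splitlines():
        m = re.match(r"access-list\s+(\S+)\s+standard\s+permit\s+(.*)", line.strip())
        if not m or m.group(1) != name:
            continue
        fields = m.group(2).split()
        if fields[0] == "host":
            nets.append(ipaddress.ip_network(fields[1] + "/32"))
        else:  # "<network> <netmask>" form
            nets.append(ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False))
    return nets


def parse_route_print(text):
    """Extract destination networks from 'route print' / 'netstat -rn' style output.
    Lines whose first two fields are not an address and a mask are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            routes.append(ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False))
        except ValueError:
            continue  # header or non-route line
    return routes


def missing_routes(acl_nets, client_routes):
    """Split-tunnel networks for which the client has no exact-match route."""
    return [n for n in acl_nets if n not in client_routes]


def dns_pushed(client_dns, vpn_dns):
    """True if the client resolves against the VPN-provided DNS server."""
    return vpn_dns in client_dns


def check_client(acl_text, acl_name, route_text, client_dns, vpn_dns):
    """One report a practitioner can read after connecting a test client."""
    acl_nets = parse_split_tunnel_acl(acl_text, acl_name)
    missing = missing_routes(acl_nets, parse_route_print(route_text))
    return {
        "expected": [str(n) for n in acl_nets],
        "missing": [str(n) for n in missing],
        "dns_ok": dns_pushed(client_dns, vpn_dns),
    }


if __name__ == "__main__":
    report = check_client(ASA_ACL, "TUNNEL-THIS", ROUTE_PRINT, CLIENT_DNS, VPN_DNS)
    print("split-tunnel networks:", ", ".join(report["expected"]))
    print("missing on client:    ", ", ".join(report["missing"]) or "none")
    print("VPN DNS in use:       ", report["dns_ok"])
```

Run it against real client output after each OS you need to support has connected; a network listed under "missing" means traffic to it will leave via the client's default gateway, not the tunnel, and `dns_ok` being False is exactly the name-resolution caveat the post describes.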