Remote IPSec VPN - Windows 7 client and ASA 5505

pkoraca1987 (Level 1)

Hello

I have difficulties with configuring Remote IPSec VPN with Cisco ASA 5505 and Windows 7 native VPN client. My client PC gets VPN pool IP address, and can access remote network behind ASA, but then I lose my internet connectivity. I have read that this should be an issue with split tunneling, but I did as it is told here and no luck.

On Windows VPN Client settings, if I uncheck "use default gateway on remote network" I have internet connectivity (since client is using local gateway), but then, I cannot ping remote network.

In the log, I see warnings of this type:

Teardown TCP connection 256 for outside:192.168.150.1/49562 to outside:213.199.181.90/80 duration 0:00:00 bytes 0 Flow is a loopback (cisco)

I have attached my configuration file (without split-tunneling configuration I tried). If you need additional logs I'll send them right away.

Thank you for your help.

Petar Koraca

1 Accepted Solution (see the reply below)

4 Replies

raga.fusionet (Level 4)

Petar,

I'm not entirely sure that Split tunneling works with the Windows Native Client (called L2TP over IPSec Client), if I'm not mistaken that's a limitation of the client.

But you might want to give it a try. Here's what you would need:

access-list split_tun standard permit 192.168.1.0 255.255.255.0
group-policy DefaultRAGroup attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split_tun

If that still doesn't work then you might want to either switch to the Cisco VPN client, which does allow you to enable split tunneling, or try to NAT the traffic for the Windows client thru your ASA (that will use your ASA's Internet connection to provide the client with Internet access, btw).

Give it a try and let us know how it goes.

Thanks

Raga

Luis, thank you for your answer. Unfortunately it seems that, like you said, split tunneling doesn't work with the native client.

Are you familiar with the other solution, which would redirect all non-local traffic to the gateway?

Thank you.

Petar Koraca

This is what you would have needed on versions 8.3 and earlier:

same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 192.168.150.0 255.255.255.0

However I see that you are running 8.4, so I think all you need is this (I've never done it on 8.4 so it might not be accurate):

same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.150.0_24
  nat (outside,outside) dynamic interface

Give it a shot and let me know how it goes.
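The two switches discussed in this thread (the Windows "use default gateway on remote network" option and the ASA's u-turn configuration) can be modelled as a small decision routine, which makes it easy to see why each combination either works or fails. This is an added illustration of my own, not code from the thread or from Cisco; VPN_POOL, INSIDE_NET, the placeholder outside address and the Windows class-based route behaviour are assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumed topology, constructed to match the addresses quoted in the thread.
VPN_POOL = ip_network("192.168.150.0/24")   # pool the ASA hands to VPN clients
INSIDE_NET = ip_network("192.168.1.0/24")   # LAN behind the ASA (the split_tun entry)
ASA_OUTSIDE_IP = ip_address("203.0.113.1")  # placeholder for the ASA's public address


def client_egress(dst, use_remote_gateway):
    """Path the Windows 7 client picks for dst: 'tunnel' or 'local'.

    With 'Use default gateway on remote network' ticked, everything goes into
    the tunnel. Unticked, Windows only adds a class-based route for the pool
    itself (assumption), so the LAN behind the ASA is unreachable, as the
    poster observed.
    """
    if use_remote_gateway or ip_address(dst) in VPN_POOL:
        return "tunnel"
    return "local"


def asa_forward(src, dst, intra_interface, hairpin_nat):
    """ASA handling of a packet decrypted on 'outside' from a VPN client.

    intra_interface: 'same-security-traffic permit intra-interface' present
    hairpin_nat:     'nat (outside,outside) dynamic interface' on the pool object
    Returns (egress interface or None, source after NAT, reason).
    """
    src, dst = ip_address(src), ip_address(dst)
    if src not in VPN_POOL:
        return None, src, "source is not a VPN client"
    if dst in INSIDE_NET:
        return "inside", src, "outside->inside, no translation needed"
    # Internet-bound: must leave through the interface it arrived on (u-turn).
    if not intra_interface:
        return None, src, "dropped: same-interface traffic denied by default"
    if not hairpin_nat:
        return "outside", src, "forwarded with private source; replies never return"
    return "outside", ASA_OUTSIDE_IP, "u-turn with source translated to outside IP"


def client_can_reach(dst, use_remote_gateway, intra_interface, hairpin_nat,
                     client_ip="192.168.150.1"):
    """End-to-end verdict for one client packet, combining both decisions."""
    if client_egress(dst, use_remote_gateway) == "local":
        return ip_address(dst) not in INSIDE_NET  # local router cannot reach the LAN
    egress, new_src, _ = asa_forward(client_ip, dst, intra_interface, hairpin_nat)
    if egress is None:
        return False
    return egress == "inside" or new_src not in VPN_POOL
```

Running the combinations from the thread shows that only the tunnel-everything client setting together with both ASA commands gives the client its LAN and its Internet access at once.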

It seems to be ok

I'll still test it tomorrow a little bit, and then proceed with LDAP/RADIUS integration.

Luis, thank you very much!

Petar Koraca
