Cisco Support Community

Remote IPSec VPN - Windows 7 client and ASA 5505

Hello

I have difficulty configuring Remote IPSec VPN with a Cisco ASA 5505 and the Windows 7 native VPN client. My client PC gets a VPN pool IP address and can access the remote network behind the ASA, but then I lose my internet connectivity. I have read that this should be an issue with split tunneling, but I did as it is told here and had no luck.

In the Windows VPN client settings, if I uncheck "use default gateway on remote network" I have internet connectivity (since the client is using the local gateway), but then I cannot ping the remote network.

In the log, I see warnings of this type:

Teardown TCP connection 256 for outside:192.168.150.1/49562 to outside:213.199.181.90/80 duration 0:00:00 bytes 0 Flow is a loopback (cisco)

I have attached my configuration file (without split-tunneling configuration I tried). If you need additional logs I'll send them right away.

Thank you for your help.

Petar Koraca

4 REPLIES

Remote IPSec VPN - Windows 7 client and ASA 5505

Petar,

I'm not entirely sure that split tunneling works with the Windows Native Client (called L2TP over IPSec Client); if I'm not mistaken, that's a limitation of the client.

But you might want to give it a try. Here's what you would need:

    access-list split_tun standard permit 192.168.1.0 255.255.255.0
    group-policy DefaultRAGroup attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split_tun

If that still doesn't work then you might want to either switch to the Cisco VPN client, which does allow you to enable split tunneling, or try to NAT the traffic for the Windows client through your ASA (that will use your ASA's Internet connection to provide the client with Internet access, btw).

Give it a try and let us know how it goes.

Thanks

Raga


Remote IPSec VPN - Windows 7 client and ASA 5505

Luis, thank you for your answer. Unfortunately it seems that, like you said, split tunneling doesn't work with the native client.

Are you familiar with the other solution, which would redirect all non-local traffic to the gateway?

Thank you.

Petar Koraca

Re: Remote IPSec VPN - Windows 7 client and ASA 5505

This is what you would have needed on versions 8.3 and earlier:

    same-security-traffic permit intra-interface
    global (outside) 1 interface
    nat (outside) 1 192.168.150.0 255.255.255.0

However, I see that you are running 8.4, so I think all you need is this (I've never done it on 8.4, so it might not be accurate):

    same-security-traffic permit intra-interface
    object network NETWORK_OBJ_192.168.150.0_24
      nat (outside,outside) dynamic interface

Give it a shot and let me know how it goes.


Re: Remote IPSec VPN - Windows 7 client and ASA 5505

It seems to be ok

I'll still test it tomorrow a little bit, and then proceed with LDAP/RADIUS integration.

Luis, thank you very much!

Petar Koraca
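
The "Flow is a loopback" teardown quoted in the question is what the ASA logs when a VPN-pool client's internet-bound traffic arrives on outside and would have to leave by outside again while intra-interface traffic is not permitted. As an added example (not part of the original thread, and not Cisco tooling), this Python script scans teardown messages for that pattern, so you can see which clients are affected and confirm the messages stop once the change is applied. The regular expression is modelled on the one line quoted above, the function names are hypothetical, and every sample line except the first is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Modelled on the single teardown message quoted in the question.
TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$"
)
VPN_POOL = ipaddress.ip_network("192.168.150.0/24")  # pool used in the thread

SAMPLE_LOG = [
    # Line quoted in the question:
    "Teardown TCP connection 256 for outside:192.168.150.1/49562 to "
    "outside:213.199.181.90/80 duration 0:00:00 bytes 0 Flow is a loopback (cisco)",
    # Constructed lines (addresses and counters are made up for the example):
    "Teardown TCP connection 257 for outside:192.168.150.1/49563 to "
    "inside:192.168.1.10/445 duration 0:00:12 bytes 4312 TCP FINs",
    "Teardown TCP connection 258 for outside:192.168.150.2/50110 to "
    "outside:198.51.100.7/443 duration 0:00:00 bytes 0 Flow is a loopback",
    "Teardown TCP connection 259 for inside:192.168.1.20/51000 to "
    "outside:198.51.100.7/443 duration 0:01:02 bytes 9001 TCP FINs",
]


def parse_teardown(line):
    """Return the fields of one teardown message, or None if it does not match."""
    m = TEARDOWN.search(line.strip())
    return m.groupdict() if m else None


def affected_clients(lines, pool=VPN_POOL):
    """Map each VPN-pool client to the destinations whose U-turn flows were torn down."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_teardown(line)
        if rec is None:
            continue
        u_turn = rec["src_if"] == rec["dst_if"]          # in and out on one interface
        from_pool = ipaddress.ip_address(rec["src_ip"]) in pool
        dropped = "Flow is a loopback" in (rec["reason"] or "")
        if u_turn and from_pool and dropped:
            hits[rec["src_ip"]].append(f'{rec["dst_ip"]}:{rec["dst_port"]}')
    return dict(hits)


if __name__ == "__main__":
    for client, dests in affected_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(dests)} hairpin flow(s) torn down -> {', '.join(dests)}")
```
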
