Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

split tunnel policy not working

Dear All,

I setup a site to site vpn between 4 sites with asa 5510 at the HQ.The remote sites will have access the internet from the ISA server at the HQ site.But my split tunneling config does not work.Here is the asa config.Please Help.

Thanks.

7 REPLIES

Re: split tunnel policy not working

What exactly is not working?

Community Member

Re: split tunnel policy not working

I am trying to ping from the remote office router lan interface a public ip address.

I think with split tunneling i should be able to access the internet from the HQ.

Thank you.

Re: split tunnel policy not working

Well there are a couple of things, that you need to ensure are happening:-

1) The remote end has a default route into the VPN tunnel

2) The default routing is not being natt'd into the VPN tunnel

3) At the HQ site you need to NAT the remote subnet IP on the outside interface

4) For ping to work you need to allow ICMP ech-reply on the outside of the HQ interface

5) DEBUG DEBUG DEBUG

Community Member

Re: split tunnel policy not working

Dear Sir,

I am using radio links for connectivity between the sites not the internet.Furtheremore the asa is not the internet gateway (no public ip assigned) the asa is serving only as a vpn concenrtrator passing internet traffic to a microsoft ISA server (on the ASA LAN interface) which is connected to the ISP ADSL modem.

ICMP is allowed.

Re: split tunnel policy not working

Do the remote end have a default gateway of the ASA of the internal IP of the ISA server?

Can you ping the internal IP of the ISA server from the remote ends?

What devices are the VPN's terminated on at the remote ends?

Community Member

Re: split tunnel policy not working

The remote end has the ip address of the outside interface of the asa as default gateway.The ISA server policy does not allow pings but the internet traffic is allowed.Hosts in HQ have access to internet.The ISA server is connected to the the ADSL modem,(the isa server is on the LAN interface as well as internel users).

Thank you.

Re: split tunnel policy not working

The default gateway pointing to the outside interface of the VPN termination interface is not a way I would do it. I would point the default gateway to the internal router on the HQ LAN that handles all the internal default routing.

What do you mean "The ISA server policy does not allow pings" ? does this mena you cannot even ping the LAN facing interface (inside) od the ISA server?

You really need to confirm connectivity from the remote ends into the HQ network before you start with the ISA server.

337
Views
0
Helpful
7
Replies
CreatePlease to create content