I have my split tunnel vpn working well but I need to make an adjustment. We have a few systems in the "cloud" and we only allow access from our corporate WAN IP to those servers. I need to be able to access those servers via VPN connection to the office. I added that public IP subnet to my interesting traffic and the vpn client is sending the traffic across the VPN as expected. The issue is that it somehow drops out inside the firewall it seems. Almost like it doesn't know how to route that request back out to the internet using it's own default gateway. Any thoughts as to what I may be missing, here is some of the relevant code
same-security-traffic permit intra-interface
access-list vpnpool standard permit 10.1.1.0 255.255.255.0
access-list vpnpool standard permit 10.31.26.0 255.255.255.0
access-list vpnpool standard permit 10.31.61.0 255.255.255.0
access-list vpnpool standard permit 10.31.3.128 255.255.255.192
access-list vpnpool standard permit 10.31.40.128 255.255.255.240
access-list vpnpool standard permit 10.31.40.64 255.255.255.192
access-list vpnpool standard permit 188.8.131.52 255.255.0.0 -- Network of cloud servers
global (outside) 1 184.108.40.206
global (dmz) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 10.1.1.0 255.255.255.0
nat (qa) 1 220.127.116.11 255.255.255.0
nat (dmz) 1 10.1.11.0 255.255.255.0
nat (dmz2) 1 192.168.1.0 255.255.255.0
---Rules and Gateway-------
access-group inbound in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 18.104.22.168 1
group-policy xxx-remote internal
group-policy xxx-remote attributes
wins-server value 10.1.1.5
dns-server value 10.1.1.5 10.1.1.6
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-network-list value vpnpool
default-domain value xxx.local
split-dns value xxxx.local
tunnel-group xxx-vpn type remote-access
tunnel-group xxx-vpn general-attributes
authentication-server-group (outside) RADIUS
authentication-server-group (dmz) RADIUS
tunnel-group xxx-vpn ipsec-attributes
I haven't done this with the older code in a while, but I believe it comes out to something like nat (outside) 1 x.x.x.x (the x being your IP of the VPN). Remember the RA VPN actually drops at the outside interface, not the inside, so it will have to be treated as such with the nat rules. I currently do this same thing you are trying to do on the 8.3 code.
I added the following line and my config and I was able to access my remote servers. The problem is that my ability to browse the rest of the internet stopped and I couldn't acecss other servers that are on a site to site vpn.
nat (Outside) 1 10.1.10.0 255.255.255.0
OK, should probably do it like this then.
nat (Outside) 1 access-list VPN-NAT
access-list VPN-NAT deny ip 10.1.10.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list VPN-NAT permit ip 10.1.10.0 255.255.255.0 any
This should deny the NAT for any traffic to your internal subnets while allowing it to be NATed for the external stuff. If you have other subnets other than 10.0.0.0/8, you can add them to the ACL with deny statements before the permit at the end.
I tried your suggestion but I got the following error...
ERROR: Deny rules not supported in Policy Nat
I put the following rules and everything seems to work fine execpt for browsing the internet. I can't tell if it's a DNS issue, the rest of the internet is not part of the interesting traffic ACL so I imagine it's not trying to go through the VPN but it seems I can't resolve DNS names.
access-list vpn_nat permit ip 10.1.10.0 255.255.255.0 22.214.171.124 255.255.0.0
nat (Outside) 1 access-list vpn_nat
That was my mistake, I am mixing up code here. The fun of switching between new and old ASA code as well as routers
Let's do it this way, this should fix the problem. Put the NAT command the way it was as follows:
nat (Outside) 1 10.1.10.0 255.255.255.0
Now we add a NAT0 for the Outside interface. You can reuse the ACL we made if you want or make a new one, your call since you have to administrate it.
no access-list VPN-NAT
access-list VPN-NAT0 permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (Outside) 0 access-list VPN-NAT0
Now, this should properly NAT the traffic going to the Internet while excluding the traffic destined for your 10.0.0.0/8 subnet using the Nat 0.
Sorry for the round about fix, but that should take care of it.
So everything works except for the rest of the internet haha. Very close but it seems I can't get any DNS results back for some reason. Using nslookup I keep timing out when talking to 10.1.1.5 for DNS. I remove the nat statements and go back to my original config and all is well again.
My wireless adaptor is giving me a DNS entry of 10.1.10.1
My Cisco VPN adaptor is giving me a DNS entry of 10.1.1.5 (AD/DNS) server which is correct.
Nslookup is tell me I am using 10.1.1.5
Well, the .local as your DNS domain may be the issue. I'm not great with DNS, but I believe that is non-routable, so it won't pass. I could be way off base on this, but that is my thought on it. Everything else should be fine as long as you don't have an internal ACL on the inside interface (I don't see one, but not sure if you happened to exclude that).
Probably should have included an example. In my current split DNS setup for one of our remote access ASAs, we use specific domains we want to resolve inside. So if I was at google, I would use:
default-domain value google.com
split-dns value google.com