New Member

Split tunneling can't access remote host

Hi guys,

Having this issue whereby I'm able to connect the AnyConnect client but unable to ping/access remote servers. See below for the ASA config:

Any insight would be a great help, thanks!

ASA Version 9.1(1)
!
hostname ASA
enable password xxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
names
ip local pool AnyPool 10.0.0.1-10.0.0.10 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 203.106.x.x 255.255.255.224
!
interface GigabitEthernet0/1
 nameif Internal
 security-level 99
 ip address 172.19.88.254 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone MYT 8
object network SVR
 host 172.19.88.11
 description Mail server
object network NETWORK_OBJ_172.19.88.0_24
 subnet 172.19.88.0 255.255.255.0
object network VPN-POOL
 subnet 10.0.0.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_0
 service-object icmp
 service-object tcp-udp destination eq domain
 service-object tcp destination eq hostname
 service-object tcp destination eq https
 service-object tcp destination eq imap4
 service-object tcp destination eq nntp
 service-object tcp destination eq pop3
 service-object tcp destination eq smtp
 service-object tcp destination eq telnet
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any object SVR
access-list Outside_access_in extended permit object-group TCPUDP any any
access-list Outside_access_in extended permit ip any any inactive
access-list Internal_access_in extended permit object-group TCPUDP any any
access-list Internal_access_in extended permit ip any any inactive
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging buffered critical
logging asdm informational
logging debug-trace
logging flash-bufferwrap
logging rate-limit 1000 1 level 2
mtu management 1500
mtu Internal 1500
mtu Outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network SVR
 nat (Internal,Outside) static 203.106.x.x
!
nat (Internal,Outside) after-auto source dynamic any interface
access-group Internal_access_in in interface Internal
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 203.106.23.97 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=ASA
 crl configure
crypto ca trustpoint Anyconnect_TrustPoint
 enrollment self
 subject-name CN=ASA
 keypair anyconnect_rsa
 crl configure
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpool policy
crypto ca certificate chain Anyconnect_TrustPoint
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable Outside client-services port 443
crypto ikev2 remote-access trustpoint Anyconnect_TrustPoint
telnet timeout 3
ssh 172.19.88.0 255.255.255.0 Internal
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 15
console timeout 0
dhcpd address 192.168.1.100-192.168.1.200 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 119.110.97.148 source Outside prefer
ssl trust-point Anyconnect_TrustPoint Outside
webvpn
 enable Outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
 anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
 anyconnect enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
group-policy "GroupPolicy AnyConnect" internal
group-policy "GroupPolicy AnyConnect" attributes
 wins-server value 172.19.88.11
 dns-server value 172.19.88.11
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 webvpn
  anyconnect profiles value AnyConnect_client_profile type user
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool AnyPool
tunnel-group "AnyConnect" type remote-access
tunnel-group "AnyConnect" general-attributes
 address-pool AnyPool
 default-group-policy "GroupPolicy AnyConnect"
tunnel-group "AnyConnect" webvpn-attributes
 group-alias "AnyConnect" enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options

1 ACCEPTED SOLUTION
Cisco Employee

Split tunneling can't access remote host

Hi Max,

Please send me the output of "show vpn-sessiondb anyconnect" once connected with the VPN.

And try to add the following configuration and see if that helps:

nat (internal,Outside) 1 source static NETWORK_OBJ_172.19.88.0_24 NETWORK_OBJ_172.19.88.0_24 destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

And one more question: are you using split tunnel? If yes, then you have to make the following changes, because your split tunnel is incorrect: in the split tunnel you have configured the VPN pool address. Please make the following change:

no access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 172.19.88.0 255.255.255.0
group-policy "GroupPolicy AnyConnect" attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

Let me know if it helps or if you have any more questions on this.

Thanks

Jeet Kumar
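As an added example (my own code, not from this thread or from Cisco), the following Python lint checks for exactly the two things the answer above asks for: a split-tunnel list that names the networks behind the ASA rather than the VPN pool, and an identity NAT rule between those networks and the pool. It runs over a cut-down copy of the posted configuration, constructed from the post with the masked outside address replaced by the documentation address 203.0.113.2, and over the same configuration with the answer's two changes applied. The function names (`parse_asa`, `check_split_tunnel`) are my own assumptions, not ASA or AnyConnect terms.

```python
# Added example, not code from the thread: a lint for the two split-tunnel mistakes the
# accepted answer describes, run over a cut-down copy of the posted config. The function
# names and the 203.0.113.2 stand-in for the masked outside address are my assumptions.
import ipaddress
import re

BEFORE_CFG = """\
ip local pool AnyPool 10.0.0.1-10.0.0.10 mask 255.255.255.0
interface GigabitEthernet0/0
 nameif Outside
 ip address 203.0.113.2 255.255.255.224
interface GigabitEthernet0/1
 nameif Internal
 ip address 172.19.88.254 255.255.255.0
interface Management0/0
 management-only
 nameif management
 ip address 192.168.1.1 255.255.255.0
!
object network NETWORK_OBJ_172.19.88.0_24
 subnet 172.19.88.0 255.255.255.0
object network VPN-POOL
 subnet 10.0.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.255.255.0
nat (Internal,Outside) after-auto source dynamic any interface
webvpn
 enable Outside
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
"""
# The accepted answer's two changes applied to the same config.
AFTER_CFG = BEFORE_CFG.replace("permit 10.0.0.0 255.255.255.0", "permit 172.19.88.0 255.255.255.0") + (
    "nat (Internal,Outside) 1 source static NETWORK_OBJ_172.19.88.0_24 NETWORK_OBJ_172.19.88.0_24 "
    "destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup\n")


def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)  # host bits in addr tolerated


def parse_asa(cfg):
    """Pool, interfaces, network objects, standard ACLs, split lists and NAT lines.
    Blocks end at '!' or the next top-level command, so stripped indentation is fine."""
    s = {"pool": None, "ifs": {}, "objs": {}, "acls": {}, "split": set(), "nat": [], "vpn_if": None}
    cur_if = cur_obj = None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if not line or line == "!":
            cur_if = cur_obj = None
        elif m := re.fullmatch(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", line):
            s["pool"] = _net(m[1], m[2])
        elif re.fullmatch(r"interface \S+", line):
            cur_if, cur_obj = {"net": None, "mgmt": False}, None
        elif cur_if is not None and (m := re.fullmatch(r"nameif (\S+)", line)):
            s["ifs"][m[1]] = cur_if
        elif cur_if is not None and line == "management-only":
            cur_if["mgmt"] = True
        elif cur_if is not None and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            cur_if["net"] = _net(m[1], m[2])
        elif m := re.fullmatch(r"object network (\S+)", line):
            cur_obj, cur_if = m[1], None
        elif cur_obj and (m := re.fullmatch(r"subnet (\S+) (\S+)", line)):
            s["objs"][cur_obj] = _net(m[1], m[2])
        elif m := re.fullmatch(r"access-list (\S+) standard permit (\S+) (\S+)", line):
            s["acls"].setdefault(m[1], []).append(_net(m[2], m[3]))
        elif m := re.fullmatch(r"split-tunnel-network-list value (\S+)", line):
            s["split"].add(m[1])
        elif line.startswith("nat ("):
            s["nat"].append(line)
        elif m := re.fullmatch(r"(?:crypto ikev2 )?enable (\S+)(?: client-services.*)?", line):
            s["vpn_if"] = m[1]  # interface the VPN terminates on ('enable X' under webvpn, or ikev2)
    return s


def check_split_tunnel(cfg):
    """Return findings as strings; an empty list means both checks pass."""
    s = parse_asa(cfg)
    pool = s["pool"]
    if pool is None:
        return ["no 'ip local pool': AnyConnect clients cannot be assigned an address"]
    # Internal = every routed, non-management interface other than the one the VPN terminates on.
    internal = [i["net"] for n, i in s["ifs"].items()
                if i["net"] is not None and not i["mgmt"] and n != s["vpn_if"]]
    split_nets = [n for name in s["split"] for n in s["acls"].get(name, [])]
    findings = [f"split-tunnel entry {n} covers the VPN pool {pool}; list the networks behind "
                "the ASA, not the pool" for n in split_nets if n.overlaps(pool)]
    findings += [f"internal network {i} is not in the split-tunnel list, so clients send it "
                 "out their local interface untunnelled" for i in internal
                 if not any(i.subnet_of(n) for n in split_nets)]
    # Identity NAT between the internal networks and the pool, as the accepted answer adds.
    exempt = False
    for nat in s["nat"]:
        m = re.search(r"source static (\S+) (\S+) destination static (\S+) (\S+)", nat)
        if not m or m[1] != m[2] or m[3] != m[4]:
            continue  # not an identity (exemption) rule
        src, dst = s["objs"].get(m[1]), s["objs"].get(m[3])
        if src and dst and pool.subnet_of(dst) and any(i.subnet_of(src) for i in internal):
            exempt = True
    if not exempt:
        findings.append(f"no identity NAT between the internal networks and the pool {pool}")
    return findings
```

`check_split_tunnel(BEFORE_CFG)` returns three findings (the pool is in the split list, 172.19.88.0/24 is not, and there is no identity NAT); `check_split_tunnel(AFTER_CFG)` returns none. Two caveats on top of the answer itself: in the identity NAT line, `no-proxy-arp` stops the ASA answering ARP for the mapped addresses and `route-lookup` makes it choose the egress interface from the routing table rather than from the rule; and because the posted configuration has `no sysopt connection permit-vpn`, decrypted client traffic is still filtered by Outside_access_in, which permits ICMP only to object SVR, so pings from clients to other internal hosts will be dropped until that ACL (or the sysopt) is changed.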

3 REPLIES

New Member

Split tunneling can't access remote host

Hi Kumar,

Thanks for replying. I got it working. It was the inside IP in "access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.255.255.0"; I had to change it to 172.19.88.0.

Cisco Employee

Split tunneling can't access remote host

That's great. Please accept this as the solution so that others can benefit from it.

Jeet Kumar
