I am currently trying to configure an Easy VPN connection from an ASA 5505 to and ASA 5520. I have enabled split tunnelling and in the group policy defined the network to be tunneled but when I activate the VPN it tunnels everything from the host computer connected to the ASA 5505. I get no internet access. Have been trying to troubleshoot this for days. Any ideas out there?
Hee are some specifics, running version 8.2(5) on the 5505 and the 5520 and below is the local config on the 5505 for the Easy VPN:
vpnclient server **.***.***.**
vpnclient mode network-extension-mode
vpnclient vpngroup dbernstein-5505 password *****
vpnclient username dbernstein password *****
vpnclient ipsec-over-tcp port 10000
and the downloaded dynamic policy:
Current Server : 12.***.163.**
Primary DNS : ***.160.***.39
Default Domain : cisco.com
PFS Enabled : No
Secure Unit Authentication Enabled : No
User Authentication Enabled : No
Split Tunnel Networks : ***.160.***.0/255.255.255.0
Backup Servers : None
You need to enable (Spilit-tunnel Tunnel-Specified).
and define the Spilit Tunnel Value (Spilit-Tunnel-Value ((ACL Name)
Then, you will have to create an ACL specifying the Traffic to Be tunneled . The Above should Only ALLOW the Sataements created by your ACL for Spilit Tunneling.
Look at the exact command in the Group-Policy.
I was under the impression that when using the Easy VPN client all you need to configure for spilt tunneling was on the server side and the client recieved the Tunnel list from that group policy? I have another 5505 that is configured without a specified tunnel list on the client and it is working. I have the st-autoconnect enabled, wouldn't that be enough to engage the split tunneling?
You are correct. With Easy VPN, server pushed the policy to client. Do you have proper nat & global commands on the client ASA? (as these are required).
Her are my NAT and global commands, they are the same as my other ASA's, not sure what the heck is going on:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (work) 1 0.0.0.0 0.0.0.0
You need to configure the split tunnel policy on the server side so when you connect to the main office ASA ( VPN centralized end) all the traffic from your network being encrypted will be the one going to their subnet but your internet traffic will go normal to the outside world without being encrypted.
So the configuration on the SOHO device is okay, the problem is on the server side.
Do rate all the helpful posts
I have configured the server side though, like my other ASA's and still it tunnels everything. Let me see if I can post the config of the group policy I am using.
tunnel-group dbernstein-5505 type remote-access
tunnel-group dbernstein-5505 general-attributes
tunnel-group dbernstein-5505 ipsec-attributes
group-policy dbernstein_5505_GP internal
group-policy dbernstein_5505_GP attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-network-list value dbernstein-5505
Let me know if anyone needs to see anything else in the config but I think this is the majority of it.
I have narrowed it down to a DNS issue. I can get to internet sites via IP but not via name. Have any of you seen this? So it looks like split tunneling is working but DNS is all fouled up. I disabled passing any DNS server info via the split tunnel GP and am using the DNS server provided by the ISP but still not working.
Ok, I fixed it. There was a setting in the global_policy that was doing something to DNS. I unchecked the DNS option and now all is working!!
I have the same problem with an ASA 5505 Easy VPN client. The hosts on the inside LAN can resolve DNS while the tunnel is disconnected. As soon as the tunnel is established, the hosts can no longer resolve DNS. What setting did you change to fix this?