(ASA5510, ASA version 8.2(3)) I have set up split tunnelling for one of our suppliers. When testing the setup, the local computer with the VPN Client connects to the dedicated services it has access to behind the ASA, and the local computer can ping any computer on the local LAN; it can also access the internet and web pages on the local network.
But the supplier complains that he cannot run a local Navision session on the remote computer while connected to the VPN tunnel. I am not able to run a test that mirrors this.
I have followed the descriptions in document ID: 70917 in setting up the split tunnelling, and as far as I can see, the setup works. But are there any restrictions laid on the local computer running the VPN Client as to what services on the local network it can connect to?
There are no restrictions defined by the client itself; the ASA is the one in charge of defining what networks the client can access through the tunnel. There is a way to limit access to certain ports through the VPN connection, by using a VPN filter.
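The two mechanisms mentioned in the reply above, the split-tunnel network list (which decides what the client sends into the tunnel) and a vpn-filter (which limits ports inside the tunnel), look like this in ASA 8.2 configuration. This is an added example, not configuration from the original thread or from document 70917; the ACL, pool, group-policy and tunnel-group names and all addresses are assumed values.

```cisco
! Added example (not from the thread): split tunnelling for a remote-access
! VPN client group on ASA 8.2. All names and addresses are assumed.

! Only these corporate subnets are routed into the tunnel by the client.
! Everything else, including the supplier's own LAN, stays local.
access-list SPLIT-TUNNEL-ACL standard permit 192.168.10.0 255.255.255.0

! Optional port restriction inside the tunnel. A vpn-filter ACL is written
! from the remote client's point of view: source = client address pool,
! destination = inside resource. It affects tunnelled traffic only and has
! no effect on what the client can reach on its local LAN.
access-list VPN-FILTER-ACL extended permit tcp 192.168.200.0 255.255.255.0 host 192.168.10.11 eq 3389
access-list VPN-FILTER-ACL extended permit tcp 192.168.200.0 255.255.255.0 host 192.168.10.12 eq 1433

! Address pool handed out to VPN clients (assumed range)
ip local pool VPN-POOL 192.168.200.1-192.168.200.50 mask 255.255.255.0

group-policy SUPPLIER-GP internal
group-policy SUPPLIER-GP attributes
 vpn-filter value VPN-FILTER-ACL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL

tunnel-group SUPPLIER-VPN type remote-access
tunnel-group SUPPLIER-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy SUPPLIER-GP
tunnel-group SUPPLIER-VPN ipsec-attributes
 pre-shared-key <placeholder-psk>
```

With `split-tunnel-policy tunnelspecified`, the client only installs routes for the networks in SPLIT-TUNNEL-ACL; on the client, `route print` (Windows) should show a route for 192.168.10.0/24 via the VPN adapter and nothing for the client's own LAN, which is the quickest way to confirm that local traffic is not being pulled into the tunnel. Leave out the `vpn-filter` line if no port restriction is wanted; a filter that is too narrow silently drops the blocked connections rather than reporting an error on the client.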
Thank you for your answer. Perhaps I haven't explained my problem precisely enough, because you suggest investigating traffic on the inside of the ASA, and there are no problems there. The VPN tunnel works fine and our supplier can reach the two servers on our corporate LAN.
The problem is at the supplier's own LAN, where he claims he can only connect to the internet and not to the Navision server situated on his own LAN when the VPN tunnel is active.
I have asked him to ping the Navision server when the VPN tunnel is up, and I'm waiting for his reply.
When I tested the setup from a different network, my TEST-LAN, the tunnel gave me access to the necessary services and servers on the inside of the ASA, the corporate LAN. Conclusion: success. And when I pinged computers on the TEST-LAN, I got a response: success.
But I don't have an application server on my TEST-LAN to test against. That was why I was interested in knowing if there are any access restrictions laid on the TEST-LAN for the computer running the VPN Client.
The client should not be affecting LOCAL traffic, since it uses split-tunneling.
At this point, I would suggest connecting the VPN client, putting a packet sniffer on the VPN network adapter and trying to connect to the application. If split-tunneling is in place and this network is not included, then you should not see that traffic flowing through the VPN tunnel.
Thank you for your dedication to helping me. I'm not sure if the supplier is able to do that, so I will try to capture traffic from him on the ASA to see if any locally addressed traffic is flowing through the tunnel, if that's possible.
But I'm going home now, and I can see you have just started your day. Tomorrow I will try to solve the issue.
As you wrote in your first answer, there are no restrictions on accessing the LAN. It turned out to be a question about Vista's credentials on the domain. The user couldn't open a Navision session after the VPN tunnel was established. When he was asked to open the Navision session first and then open the tunnel, everything worked fine.