Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN Address Settings

All,

I'm trying to create a simple split tunnel client VPN that will basically give users access to their local LAN, but push everything else down the VPN tunnel.

I've created the VPN and it connects and authenticates fine, but I'm having a little trouble getting everything as I want.  This is my routing table on the client:

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0    172.22.60.254     172.22.60.12     20

        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306

        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306

  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306

       172.16.0.0      255.240.0.0    172.17.47.130    172.17.47.129    100

    172.17.47.128  255.255.255.128         On-link     172.17.47.129    276

    172.17.47.129  255.255.255.255         On-link     172.17.47.129    276

    172.17.47.255  255.255.255.255         On-link     172.17.47.129    276

      172.22.60.0    255.255.255.0         On-link      172.22.60.12    276

     172.22.60.12  255.255.255.255         On-link      172.22.60.12    276

     172.22.60.12  255.255.255.255    172.17.47.130    172.17.47.129    276

    172.22.60.208  255.255.255.255         On-link      172.22.60.12    100

    172.22.60.255  255.255.255.255         On-link      172.22.60.12    276

    172.22.60.255  255.255.255.255    172.17.47.130    172.17.47.129    276

  *OMITTED*     255.255.255.255    172.22.60.254     172.22.60.12    100

        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306

        224.0.0.0        240.0.0.0         On-link      172.22.60.12    276

        224.0.0.0        240.0.0.0         On-link     172.17.47.129    276

  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306

  255.255.255.255  255.255.255.255         On-link      172.22.60.12    276

  255.255.255.255  255.255.255.255         On-link     172.17.47.129    276

And this is the config on my ASA:

ASA Version 8.0(5)

!

hostname *OMITTED*

domain-name *OMITTED*

enable password OvnpyuUYk7lqxYR. encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

!

interface GigabitEthernet0/0

description Internal LAN Interface

nameif inside

security-level 100

ip address 172.22.85.250 255.255.255.0

!

interface GigabitEthernet0/1

description Public Facing Interface

nameif outside

security-level 0

ip address *OMITTED*

!

interface GigabitEthernet0/2

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa805-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name mwhglobal.com

access-list Tunnel-Group-HEY-Clients_splitTunnelAcl standard permit 172.16.0.0 255.240.0.0

access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 172.17.47.128 255.255.255.128

access-list Inside_access_in extended permit ip any any

pager lines 24

logging enable

logging buffer-size 64000

logging asdm-buffer-size 200

logging buffered debugging

logging trap informational

logging asdm debugging

mtu inside 1500

mtu outside 1500

mtu management 1500

ip local pool Address-Pool-HEY-Clients 172.17.47.129-172.17.47.250 mask 255.255.255.128

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645-206.bin

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 0 0.0.0.0 0.0.0.0

access-group Inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 *OMITTED 1

route inside 172.16.0.0 255.240.0.0 172.22.85.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server HEYClients protocol radius

aaa-server HEYClients (inside) host 172.25.5.5

timeout 5

key ******

http server enable

http 192.168.1.0 255.255.255.0 management

http 172.22.60.0 255.255.252.0 inside

http 172.22.80.0 255.255.248.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet 172.22.60.0 255.255.252.0 inside

telnet 172.22.80.0 255.255.248.0 inside

telnet 172.22.80.0 255.255.252.0 outside

telnet 192.168.1.0 255.255.255.0 management

telnet timeout 5

ssh 172.22.60.0 255.255.252.0 inside

ssh 172.22.80.0 255.255.248.0 inside

ssh 172.22.80.0 255.255.252.0 outside

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy Tunnel-Group-HEY-Clients internal

group-policy Tunnel-Group-HEY-Clients attributes

wins-server value 172.25.1.1 172.24.128.187

dns-server value 172.22.80.209 172.25.1.1

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Tunnel-Group-HEY-Clients_splitTunnelAcl

default-domain value mwhglobal.com

address-pools value Address-Pool-HEY-Clients

tunnel-group Tunnel-Group-HEY-Clients type remote-access

tunnel-group Tunnel-Group-HEY-Clients general-attributes

address-pool Address-Pool-HEY-Clients

authentication-server-group HEYClients

default-group-policy Tunnel-Group-HEY-Clients

tunnel-group Tunnel-Group-HEY-Clients ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:e1a6855b8c0ad3c36811cff5083a729a

: end

So essentially I'd like 172.16.0.0/12 and 0.0.0.0/8 to route over the tunnel, but with the local LAN (in this instance 172.22.60.0/24) to route over the local LAN. 

Could you please advise on what changes I should make to accomplish this?

Thanks!

1 REPLY
Hall of Fame Super Silver

VPN Address Settings

Andrew

You give us the config, you explain in general what you want to achieve, and you tell us that it does not quite do what you want. But you do not give us any specifics about what it is doing, and what it is not doing that you want it to do. That makes it difficult to give you good suggestions about what might be the problem.

As a point of reference when I needed to allow local LAN access I configured something like this:

access-list Local_LAN_Access remark VPN Client Local LAN Access

access-list Local_LAN_Access standard permit host 0.0.0.0

and under the group policy attributes

split-tunnel-policy excludespecified

split-tunnel-network-list value Local_LAN_Access

You might try something like that and see if it works better for you.

HTH

Rick

479
Views
0
Helpful
1
Replies
CreatePlease to create content