cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4179
Views
0
Helpful
28
Replies

VPN client unable to access Internert via split tunneling.

sifurobbie
Level 1
Level 1

I have split tunneling configured on a PIX 515. The remote VPN client connects to the PIX fine and can ping hosts on the internal LAN, but cannot access the Internet. Am I missing something? My config as per below.

Also, I don't see any secured routes on the VPN client via Statistics (screen shot below)

Capture.JPG

Any advice is much appreciated.

Rob

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

PIX Version 8.0(3)

!

hostname PIX-A-250

enable password xxxxx encrypted

names

!

interface Ethernet0

nameif outside

security-level 0

ip address x.x.x.250 255.255.255.240

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.9.1 255.255.255.0

!

passwd xxxxx encrypted

ftp mode passive

dns domain-lookup outside

dns server-group Ext_DNS

name-server 194.72.6.57

name-server 194.73.82.242

object-group network LOCAL_LAN

network-object 192.168.9.0 255.255.255.0

network-object 192.168.88.0 255.255.255.0

object-group service Internet_Services tcp

port-object eq www

port-object eq domain

port-object eq https

port-object eq ftp

port-object eq 8080

port-object eq telnet

object-group network WAN_Network

network-object 192.168.200.0 255.255.255.0

access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain log

access-list ACLOUT extended permit icmp object-group LOCAL_LAN any log

access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services log

access-list ACLIN extended permit icmp any any echo-reply log

access-list ACLIN extended permit icmp any any unreachable log

access-list ACLIN extended permit icmp any any time-exceeded log

access-list split_tunnel_list remark Local LAN

access-list split_tunnel_list standard permit 192.168.9.0 255.255.255.0

access-list NONAT extended permit ip object-group LOCAL_LAN 192.168.100.0 255.255.255.0

pager lines 24

logging enable

mtu outside 1500

mtu inside 1500

ip local pool testvpn 192.168.100.1-192.168.100.99

no failover  

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

access-group ACLIN in interface outside

access-group ACLOUT in interface inside

route outside 0.0.0.0 0.0.0.0 195.171.252.45 1

route inside 192.168.88.0 255.255.255.0 192.168.88.254 1

route inside 192.168.199.0 255.255.255.0 192.168.199.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set Set_1 esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 10 set transform-set Set_1

crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 280000

crypto dynamic-map outside_dyn_map 10 set reverse-route

crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha    

group 2     

lifetime 43200

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha    

group 2     

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

group-policy testvpn internal

group-policy testvpn attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

username testuser password xxxxxx encrypted

tunnel-group testvpn type remote-access

tunnel-group testvpn general-attributes

address-pool testvpn

default-group-policy testvpn

tunnel-group testvpn ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:5dcb5dcdff277e1765a9a0c366b88b9e

: end

PIX-A-250#

2 Accepted Solutions

Accepted Solutions

Jennifer Halim
Cisco Employee
Cisco Employee

You have not assigned the split tunnel ACL to your policy.

Pls configure the following:

group-policy testvpn attributes

   split-tunnel-network-list value split_tunnel_list

View solution in original post

You've changed your NAT exemption from the original config, that's why it's not working.

Pls add the following ACL:

access-list inside_nat0_outbound extended permit ip 192.168.88.0 255.255.255.0 192.168.100.0 255.255.255.0

View solution in original post

28 Replies 28

Jennifer Halim
Cisco Employee
Cisco Employee

You have not assigned the split tunnel ACL to your policy.

Pls configure the following:

group-policy testvpn attributes

   split-tunnel-network-list value split_tunnel_list

Hi Jennifer,

Thank you for your reply. I must have missed the configuration. I could see the secure networks appear in the secured routes in the VPN client after inserting the missing line of config.

Thank you very much for spotting my mistake.

Regards,

Robert

No problem. Pls kindly mark the post as answered so others can learn from your question. Thank you.

Hi Jennifer,

I have added another network to the PIX and can see it as a secured route via the VPN client.

access-list split_tunnel_list standard permit 192.168.88.0 255.255.255.0

I can access the Internet fine, but can't ping anything on the 192.168.88.0 network when I VPN in.

Could you advise again please?

Many thanks.

Pls also add the NONAT access-list:

access-list NONAT extended permit ip 192.168.88.0 255.255.255.0 192.168.100.0 255.255.255.0

Hi Jennifer,

Thank you for your prompt response. I'm still not able to ping the local LAN 192.168.88.0 from my VPN client machine 192.168.100.1 with the access list added.

Any ideas?

Many thanks.

This route is also incorrect:

route inside 192.168.88.0 255.255.255.0 192.168.88.254 1

It should be routed towards the next hop in the same subnet as the ASA inside interface:

route inside 192.168.88.0 255.255.255.0 192.168.9.x

Hi Jennifer,

Sorry, but changing that route didn't work. Is there another reason?

Regards,

Rob

Can you share your latest config pls.

Also, where is this 192.168.88.0/24 subnet connected? Can you ping it from the ASA?

Hello Jennifer,

I can ping the 192.168.88.0/24 (host 88.3) from my PIX fine. The 88 subnet hangs off a 2950 switch. This is my diagram.

My configs are as follows. Please note I have left out the suggested lines of config from above as they had no effect.

Very much appreciate your time and effort with my issue.

Many thanks,

Rob

PIX A

PIX Version 8.0(3)

!

hostname PIX-A-250

enable password NBhgOL6eDYkO4RHk encrypted

names

!

interface Ethernet0

nameif outside

security-level 0

ip address x.x.x.250 255.255.255.240

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.9.1 255.255.255.0

!

passwd k85be8tPM1XyMs encrypted

ftp mode passive

dns domain-lookup outside

dns server-group Ext_DNS

name-server 194.72.6.57

name-server 194.73.82.242

object-group network LOCAL_LAN

network-object 192.168.9.0 255.255.255.0

network-object 192.168.88.0 255.255.255.0

object-group service Internet_Services tcp

port-object eq www

port-object eq domain

port-object eq https

port-object eq ftp

port-object eq 8080

port-object eq telnet

object-group network WAN_Network

network-object 192.168.200.0 255.255.255.0

access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain log

access-list ACLOUT extended permit icmp object-group LOCAL_LAN any log

access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services log

access-list ACLIN extended permit icmp any any echo-reply log

access-list ACLIN extended permit icmp any any unreachable log

access-list ACLIN extended permit icmp any any time-exceeded log

access-list split_tunnel_list remark Local LAN

access-list split_tunnel_list standard permit 192.168.9.0 255.255.255.0

access-list split_tunnel_list standard permit 192.168.88.0 255.255.255.0

access-list split_tunnel_list standard permit 192.168.200.0 255.255.255.0

access-list NONAT extended permit ip object-group LOCAL_LAN 192.168.100.0 255.255.255.0

pager lines 24

logging enable

mtu outside 1500

mtu inside 1500

ip local pool testvpn 192.168.100.1-192.168.100.99

no failover  

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

access-group ACLIN in interface outside

access-group ACLOUT in interface inside

route outside 0.0.0.0 0.0.0.0 x.x.252.45 1

route inside 192.168.88.0 255.255.255.0 192.168.88.254 1

route inside 192.168.199.0 255.255.255.0 192.168.199.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set Set_1 esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 10 set transform-set Set_1

crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 280000

crypto dynamic-map outside_dyn_map 10 set reverse-route

crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha    

group 2     

lifetime 43200

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha    

group 2     

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

group-policy testvpn internal

group-policy testvpn attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel_list

username robbie password mbztSskhuas90P encrypted

tunnel-group testvpn type remote-access

tunnel-group testvpn general-attributes

address-pool testvpn

default-group-policy testvpn

tunnel-group testvpn ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:5dcb5dcdff277e1765a9a0c366b88b9e

: end

3560_GW Gateway

test_gw01#sh run

Building configuration...

Current configuration : 2221 bytes

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname test_gw01

!

enable secret 5 $1$cOB4$UDjkhs&$FjQBe8/rc30

!

no aaa new-model

system mtu routing 1500

ip subnet-zero

ip routing

!

!

!

!

no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

!        

vlan internal allocation policy ascending

!        

interface GigabitEthernet0/1

!        

interface GigabitEthernet0/2

description uplink to Cisco_PIX

switchport access vlan 9

!        

interface GigabitEthernet0/3

!        

interface GigabitEthernet0/4

!        

interface GigabitEthernet0/5

!        

interface GigabitEthernet0/6

!        

interface GigabitEthernet0/7

!        

interface GigabitEthernet0/8

!        

interface GigabitEthernet0/9

!        

interface GigabitEthernet0/10

!        

interface GigabitEthernet0/11

!        

interface GigabitEthernet0/12

!        

interface GigabitEthernet0/13

!

interface GigabitEthernet0/14

!

interface GigabitEthernet0/15

!

interface GigabitEthernet0/16

!

interface GigabitEthernet0/17

!

interface GigabitEthernet0/18

!

interface GigabitEthernet0/19

!

interface GigabitEthernet0/20

!

interface GigabitEthernet0/21

!

interface GigabitEthernet0/22

!

interface GigabitEthernet0/23

switchport access vlan 88

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet0/24

switchport access vlan 9

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet0/25

description trunk to 2950_SW_A port 1

switchport trunk encapsulation dot1q

!

interface GigabitEthernet0/26

!

interface GigabitEthernet0/27

description trunk to A_2950_112 port 1

switchport trunk encapsulation dot1q

shutdown

!

interface GigabitEthernet0/28

!

interface Vlan1

no ip address

shutdown

!        

interface Vlan9

  ip address 192.168.9.2 255.255.255.0

!

interface Vlan88

ip address 192.168.88.254 255.255.255.0

!

interface Vlan199

ip address 192.168.199.254 255.255.255.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.9.1

ip route 192.168.88.0 255.255.255.0 192.168.9.1

ip route 192.168.100.0 255.255.255.0 192.168.9.1

ip route 192.168.200.0 255.255.255.0 192.168.9.1

ip http server

!

!

control-plane

!

banner motd ^C This is a private network.^C

!

line con 0

line vty 0 4

login

line vty 5 15

login   

!        

end      

This route on the 3550 switch is incorrect and should be removed:

ip route 192.168.88.0 255.255.255.0 192.168.9.1

Once you removed that route, can you please try to ping 192.168.88.254 from the VPN Client?

Hi Jennifer,

Not able to ping 192.168.88.254 after removing - ip route 192.168.88.0 255.255.255.0 192.168.9.1.

Rob

That is weird since 192.168.88.254 (Vlan 88) is a directly connected network on that switch, so you don't need route for its own subnet.

Then on the ASA, you should configure the following route:

route inside 192.168.88.0 255.255.255.0 192.168.9.2 1

instead of:

route inside 192.168.88.0 255.255.255.0 192.168.88.254 1

Hi Jennifer,

I tried with route inside 192.168.88.0 255.255.255.0 192.168.9.2 1 previously, but the VPN client is still not able to ping the 192.168.88.3 client.

I appreciate your time, effort and patience with this problem.

Rob

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: