870 Views, 0 Helpful, 1 Replies

VPN Clients getting different default gateways

ken
Level 1

Hello,

We have a new Cisco ASA 5520 and are trying to set up the VPN with split tunneling.  We mostly have clients running XP and the problem is that some of the clients connect (using Cisco Anyconnect 2.5) and the split tunneling works as expected --these clients keep their default gateway-- and then some clients connect and get a default gateway of 192.168.119.1 (our VPN addresses subnet) and of course these users cannot connect to the internet while connected to the VPN.

Here is our config:

ASA Version 9.1(1)
!
hostname xxxxxx

names
name 178.239.80.0 Deny178.239.80.0 description 178.239.80.0
name 74.82.64.0 Deny74.82.64.0 description 74.82.64.0
name 173.247.32.0 Deny173.247.32.0 description 173.247.32.0
name 193.109.81.0 Deny193.109.81.0 description 193.109.81.0
name 204.187.87.0 Deny204.187.87.0 description 204.187.87.0
name 206.51.26.0 Deny206.51.26.0 description 206.51.26.0
name 206.53.144.0 Deny206.53.144.0 description 206.53.144.0
name 67.223.64.0 Deny67.223.64.0 description 67.223.64.0
name 93.186.16.0 Deny93.186.16.0 description 93.186.16.0
name 216.9.240.0 Deny216.9.240.0 description 216.9.240.0
name 68.171.224.0 Deny68.171.224.0 description 68.171.224.0
ip local pool PAIUSERS 192.168.119.10-192.168.119.100 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 63.86.112.194 255.255.255.192
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.129.5 255.255.255.192
!
interface GigabitEthernet0/2
nameif dmz
security-level 10
ip address 192.168.20.10 255.255.255.0
!
interface GigabitEthernet0/3
nameif vpn_dmz
security-level 25
ip address 192.168.30.10 255.255.255.0
!
interface Management0/0
management-only
shutdown
nameif management
security-level 100
ip address 192.168.102.4 255.255.255.0
!

object network obj-192.168.119.0
subnet 192.168.119.0 255.255.255.0

access-list outside_access_in extended permit ip host 192.168.119.11 host 192.168.35.23
access-list outside_access_in extended permit object-group TCPUDP any4 object-group DM_INLINE_NETWORK_3 object-group UDP_TCP_Domain inactive
access-list outside_access_in extended permit udp any4 object obj-192.168.30.11 eq isakmp
access-list outside_access_in extended permit ip any4 object obj-192.168.30.11
access-list outside_access_in extended permit udp any4 object obj-192.168.30.11 object-group UDP10000
access-list outside_access_in extended permit udp any4 object-group DM_INLINE_NETWORK_7 eq domain inactive
access-list outside_access_in extended permit tcp any4 object-group DM_INLINE_NETWORK_8 eq domain inactive
access-list outside_access_in extended permit tcp host 216.81.43.190 host 192.168.35.30 eq ssh inactive
access-list outside_access_in extended permit tcp host 216.81.43.190 object obj-192.168.35.30 object-group DM_INLINE_TCP_6 inactive
access-list outside_access_in extended permit tcp any4 object-group DM_INLINE_NETWORK_9 eq www inactive
access-list outside_access_in extended permit tcp any4 object obj-192.168.30.11 eq www
access-list outside_access_in extended permit esp any4 object obj-192.168.30.11
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.41 eq www
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.41 eq https
access-list outside_access_in extended permit tcp any4 host 192.168.35.34 eq https
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.30 object-group Ports_UDpTCP
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.30 object-group DM_INLINE_TCP_7
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.30 eq ftp
access-list outside_access_in extended permit object-group TCPUDP any4 host 63.86.112.248
access-list outside_access_in extended permit udp any4 host 162.95.80.115 eq isakmp
access-list outside_access_in extended permit tcp any4 host 162.95.80.115 object-group Ports_115
access-list outside_access_in extended permit udp any4 host 162.95.80.115 object-group Ports_2746_259
access-list outside_access_in extended permit object-group TCPUDP any4 host 63.86.112.245 object-group Service_Group_245 inactive
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.40 object-group UDP_TCP_Domain
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.40 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any4 object obj-192.168.129.11 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.129.11 object-group UDP_TCP_Domain
access-list outside_access_in extended permit tcp any4 object obj-192.168.129.11 object-group Network_Service_2703_6277
access-list outside_access_in extended permit udp any4 object obj-192.168.129.11 object-group UDP_443
access-list outside_access_in extended permit ip any4 host 192.168.101.75 inactive
access-list outside_access_in extended permit tcp any4 host 64.78.239.50 eq www
access-list outside_access_in extended permit tcp any4 host 64.78.239.54 object-group TCP_4445
access-list outside_access_in extended permit icmp any4 any4
access-list outside_access_in extended permit udp any4 object obj-192.168.35.40 object-group UDP_443
access-list outside_access_in extended permit tcp any4 host 63.86.112.204 object-group DM_INLINE_TCP_5
access-list outside_access_in extended permit tcp any4 host 63.86.112.204
access-list outside_access_in extended permit udp any4 host 63.86.112.204
access-list outside_access_in extended permit object-group TCPUDP any4 host 192.168.102.12 object-group Network_Server_1194
access-list outside_access_in extended permit tcp any4 host 192.168.102.12 eq www
access-list outside_access_in extended permit tcp any4 host 192.168.102.12 eq https
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.41 object-group Network_Server_1194
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.12 eq www
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.12 object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any4 host 63.86.112.193 object-group Network_Service_TCP_1194
access-list outside_access_in extended deny tcp object Deny206.51.26.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny193.109.81.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny204.187.87.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny206.53.144.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny216.9.240.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny67.223.64.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny93.186.16.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny68.171.224.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny74.82.64.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny178.239.80.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny173.247.32.0 object obj-192.168.35.40 eq https
access-list vpn_dmz_access_in extended permit ip host 192.168.35.23 192.168.119.0 255.255.255.0
access-list vpn_dmz_access_in extended permit gre host 192.168.30.11 any4
access-list vpn_dmz_access_in extended permit tcp any4 host 23.0.214.60 eq https
access-list vpn_dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_28 any4
access-list vpn_dmz_access_in extended permit tcp any4 object obj-192.168.35.105 object-group DM_INLINE_TCP_4
access-list vpn_dmz_access_in extended permit esp any4 object obj-192.168.35.105
access-list vpn_dmz_access_in extended permit tcp any4 object obj-192.168.35.105
access-list vpn_dmz_access_in extended permit icmp any4 object obj-192.168.35.105
access-list vpn_dmz_access_in extended permit tcp any4 host 192.168.129.11
access-list vpn_dmz_access_in remark RDP
access-list vpn_dmz_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq 3389
access-list vpn_dmz_access_in extended permit icmp any4 object obj-192.168.35.23
access-list inside_nat0_outbound extended permit ip any4 192.168.119.0 255.255.255.0
access-list ftp-timeout extended permit tcp host 216.81.43.190 host 63.86.112.248
access-list ftp-timeout extended permit tcp host 63.86.112.248 host 216.81.43.190
access-list ftp-timeout extended permit tcp host 192.168.35.30 host 216.81.43.190
access-list ftp-timeout extended permit tcp host 216.81.43.190 host 192.168.35.30
access-list Split_Tunnel_List remark northwoods
access-list Split_Tunnel_List standard permit host 192.168.35.23
access-list Split_Tunnel_List remark paits2
access-list Split_Tunnel_List standard permit host 192.168.35.198
access-list Split_Tunnel_List standard deny 192.168.102.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list IS_Split_Tunnel standard permit 192.168.102.0 255.255.255.0
access-list IS_Split_Tunnel standard permit 192.168.82.0 255.255.255.0
access-list IS_Split_Tunnel standard permit 192.168.35.0 255.255.255.0

nat (inside,outside) source static object-192.168.35.0 object-192.168.35.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-192.168.82.0 obj-192.168.82.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-192.168.102.0 obj-192.168.102.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
!

webvpn
enable outside
enable inside
enable dmz
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect profiles pairemoteuser disk0:/pairemoteuser.xml
anyconnect enable
tunnel-group-list enable
group-policy PAIGroup internal
group-policy PAIGroup attributes
vpn-tunnel-protocol ssl-clientless
webvpn
  url-list value PAI
group-policy PAIUSERS internal
group-policy PAIUSERS attributes
wins-server value 192.168.35.57
dns-server value 192.168.35.57
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain none
webvpn
  anyconnect firewall-rule client-interface private value vpn_dmz_access_in
  anyconnect profiles value pairemoteuser type user
group-policy PAIIS internal
group-policy PAIIS attributes
wins-server value 192.168.35.57
dns-server value 192.168.35.57
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IS_Split_Tunnel
default-domain none
webvpn
  anyconnect firewall-rule client-interface private value vpn_dmz_access_in
  anyconnect profiles value pairemoteuser type user
group-policy DfltGrpPolicy attributes
banner value Welcome to PAI
wins-server value 192.168.35.57
dns-server value 192.168.35.57
address-pools value PAIUSERS
webvpn
  anyconnect firewall-rule client-interface public none
  anyconnect firewall-rule client-interface private value vpn_dmz_access_in
  anyconnect ask enable default anyconnect timeout 5
group-policy Anyconnect internal


: end

1 Reply

Michael Muenz
Level 5

Check if the users fall into DfltGrpPolicy, because it has no split tunneling active.

Michael

Please rate all helpful posts
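The reply's point, that a user who lands in DfltGrpPolicy gets no split tunneling, follows from how ASA group-policy attributes inherit: anything a named policy does not set comes from DfltGrpPolicy, and DfltGrpPolicy itself falls back to the factory default, which for split-tunnel-policy is tunnelall (full tunnel, so the VPN becomes the default gateway). The script below is an added example, not code from this thread or from Cisco. It parses a constructed, trimmed copy of the group-policy section posted above and reports each policy's effective split-tunnel setting and where it came from. The function names parse_group_policies, effective_attribute and audit_split_tunnel are the example's own, and the factory-default table holds only the one attribute the audit needs.

```python
"""Audit the effective split-tunnel policy of every ASA group policy.

Added example (not from the thread or from Cisco). It reads the
`group-policy` blocks of an ASA running-config and applies the ASA
inheritance rule: an attribute a named policy does not set is taken
from DfltGrpPolicy, and DfltGrpPolicy falls back to the factory
default, which for split-tunnel-policy is `tunnelall`.
"""
import re

# Constructed sample: the group-policy blocks from the thread's config,
# trimmed to the lines the audit cares about.
SAMPLE_CONFIG = """\
group-policy PAIGroup internal
group-policy PAIGroup attributes
vpn-tunnel-protocol ssl-clientless
webvpn
  url-list value PAI
group-policy PAIUSERS internal
group-policy PAIUSERS attributes
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
group-policy PAIIS internal
group-policy PAIIS attributes
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IS_Split_Tunnel
group-policy DfltGrpPolicy attributes
banner value Welcome to PAI
address-pools value PAIUSERS
group-policy Anyconnect internal
"""

DEFAULT_POLICY = "DfltGrpPolicy"
# ASA factory default for DfltGrpPolicy: full tunnel unless configured otherwise.
FACTORY_DEFAULTS = {"split-tunnel-policy": "tunnelall"}
# Column-0 keywords that end a `group-policy ... attributes` block.
BLOCK_TERMINATORS = ("group-policy ", "tunnel-group ", "username ", "!", ":")
HEADER = re.compile(r"^group-policy (\S+) (internal|external|attributes)\b")


def parse_group_policies(config):
    """Return {policy_name: {attribute: value}} for each group-policy block."""
    policies = {}
    current, base_indent = None, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = HEADER.match(line)
        if m:
            name, kind = m.groups()
            policies.setdefault(name, {})
            current = name if kind == "attributes" else None
            base_indent = None
            continue
        if line.startswith(BLOCK_TERMINATORS):
            current = None  # left the attributes block
            continue
        if current is None or not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if base_indent is None:
            base_indent = indent  # indentation of the block's own attribute lines
        if indent > base_indent:
            continue  # sub-mode line, e.g. under 'webvpn'; not a policy attribute
        key, _, value = line.strip().partition(" ")
        if value.startswith("value "):
            value = value[len("value "):]
        policies[current][key] = value
    return policies


def effective_attribute(policies, name, attr):
    """Resolve attr for a policy: own setting -> DfltGrpPolicy -> factory default."""
    if attr in policies.get(name, {}):
        return policies[name][attr], name
    if attr in policies.get(DEFAULT_POLICY, {}):
        return policies[DEFAULT_POLICY][attr], DEFAULT_POLICY
    return FACTORY_DEFAULTS.get(attr), "factory default"


def audit_split_tunnel(config):
    """Map every group policy to its effective split-tunnel policy and its source."""
    policies = parse_group_policies(config)
    report = {}
    for name in policies:
        policy, source = effective_attribute(policies, name, "split-tunnel-policy")
        acl, _ = effective_attribute(policies, name, "split-tunnel-network-list")
        report[name] = {"policy": policy, "source": source, "acl": acl,
                        "full_tunnel": policy == "tunnelall"}
    return report


if __name__ == "__main__":
    for name, r in audit_split_tunnel(SAMPLE_CONFIG).items():
        flag = "FULL TUNNEL (VPN becomes default gateway)" if r["full_tunnel"] else "split"
        print(f"{name:14s} {r['policy']:16s} from {r['source']:16s} acl={r['acl']}  {flag}")
```

Run against the sample, PAIUSERS and PAIIS come out as tunnelspecified with their own ACLs, while DfltGrpPolicy, PAIGroup and Anyconnect resolve to tunnelall from the factory default, which is exactly the symptom described: any user mapped to one of those policies gets 192.168.119.1 as the default gateway. The posted config omits the tunnel-group (connection profile) section, so which profile sends which users to which group policy cannot be seen here; that mapping is where to look next.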
