Tek-Tips is the largest IT community on the Internet today!
Cisco Easy VPN - Split Tunneling Issue 4

Status
Not open for further replies.
Jun 5, 2005
Hi All,

I configured a 2600 router as a firewall and Easy VPN Server. I can connect, but I noticed that if I configure split tunneling, I cannot access other networks in the LAN. If I do not enable split tunneling, I can access the other networks but cannot access the internet.

Can someone please help me with this issue?

Thanks!
 
Below is the running config of the router. Someone Please Help! Thanks!!

FWRTR#sh run
Building configuration...

Current configuration : 10580 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname FWRTR
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address 172.23.1.1
ip dhcp excluded-address 172.23.1.2
!
ip dhcp pool VPN-DHCP
import all
network 172.23.1.0 255.255.255.224
domain-name internal.com
default-router 172.23.1.1
dns-server ISP-DNS ISP-DNS
!
!
no ip domain lookup
ip domain name internal.com
ip name-server DNS-SERVER
ip name-server DNS-SERVER
!
!
!
crypto pki trustpoint TP-self-signed-1951171358
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1951171358
revocation-check none
rsakeypair TP-self-signed-1951171358
!
!
crypto pki certificate chain TP-self-signed-1951171358
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31393531 31373133 3538301E 170D3038 30383230 31323539
35345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39353131
37313335 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CDB4 ACD0C63F E6CF1C25 06EE267A 131FE90C 2230B387 9C1DB3D8 3B6F8CEC
CBCEBB7A 3753D5EC 7B6BD5F7 0C2F8BF6 EB709503 1A53D63F C62BD809 5F15B810
33439CC7 169758AD 7F2E4909 9481594B 64F69052 A282C5E3 45A80ABD 8FB9BB97
87C2AAF3 B0092122 62184116 4C4B81C5 A341DCF9 87E3E3D6 092D0E11 B0616A01
7CC50203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 15484142 432D4657 5254522E 68616263 6E6A2E63 6F6D301F
0603551D 23041830 1680149F 27E88E58 2250C1F8 51433D38 F8394BCC 4F75AB30
1D060355 1D0E0416 04149F27 E88E5822 50C1F851 433D38F8 394BCC4F 75AB300D
06092A86 4886F70D 01010405 00038181 00409ACD 46DD4CAD 8EC8E5AD 02D01263
E0762F2B 50B5221F 591D1AC4 681F5E6F 9023030F 2CFB767E 78B1F26E 0C4D8BB2
15E706B9 46650713 385173E2 A38C5030 BFF95083 266C2468 EC851386 798391A2
701236BE 2FBF1582 E21CF29F 4B30B945 31F82CC8 EB6D4B17 BC6FADF1 A7B07C46
A862C659 AA08911F B63E05FE 61DFB99A 43
quit
username netadmin password 7
!
!
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN
key Pre-Shared-Key
dns DNS-SERVER DNS-SERVER
domain internal.com
pool SDM_POOL_1
acl 102
netmask 255.255.255.224
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
description $ETH-WAN$$FW_OUTSIDE$
ip address OUTSIDE-IP 255.255.255.248
ip access-group 101 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
keepalive 160
crypto map SDM_CMAP_1
!
interface FastEthernet1/0
description $ETH-LAN$$FW_INSIDE$
ip address 172.23.1.1 255.255.255.224
ip access-group 100 in
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
keepalive 120
!
ip local pool SDM_POOL_1 172.23.1.10 172.23.1.30
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ISP-GATEWAY
ip route 10.5.1.0 255.255.255.0 172.23.1.2
ip route 192.168.1.0 255.255.255.224 172.23.1.2
ip route 192.168.2.0 255.255.255.224 172.23.1.2
ip route 192.168.3.0 255.255.255.224 172.23.1.2
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.23.1.0 0.0.0.31
access-list 1 permit 10.5.1.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.31
access-list 1 permit 192.168.2.0 0.0.0.31
access-list 1 permit 192.168.3.0 0.0.0.31
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip ISP-ADDRESS 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 172.23.1.10 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.11 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.12 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.13 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.14 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.15 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.16 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.17 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.18 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.19 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.20 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.21 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.22 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.23 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.24 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.25 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.26 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.27 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.28 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.29 172.23.1.0 0.0.0.255
access-list 101 permit ip host 172.23.1.30 172.23.1.0 0.0.0.255
access-list 101 permit udp any host OUTSIDE-IP eq non500-isakmp
access-list 101 permit udp any host OUTSIDE-IP eq isakmp
access-list 101 permit esp any host OUTSIDE-IP
access-list 101 permit ahp any host OUTSIDE-IP
access-list 101 permit udp host ISP-DNS eq domain host OUTSIDE-IP
access-list 101 permit udp host ISP-DNS eq domain host OUTSIDE-IP
access-list 101 deny ip 172.23.1.0 0.0.0.31 any
access-list 101 permit icmp any host OUTSIDE-IP echo-reply
access-list 101 permit icmp any host OUTSIDE-IP time-exceeded
access-list 101 permit icmp any host OUTSIDE-IP unreachable
access-list 101 permit tcp any host OUTSIDE-IP eq 443
access-list 101 permit tcp any host OUTSIDE-IP eq 22
access-list 101 permit tcp any host OUTSIDE-IP eq cmd
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 172.23.1.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.10
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.11
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.12
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.13
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.14
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.15
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.16
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.17
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.18
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.19
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.20
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.21
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.22
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.23
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.24
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.25
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.26
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.27
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.28
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.29
access-list 103 deny ip 172.23.1.0 0.0.0.255 host 172.23.1.30
access-list 103 permit ip 192.168.3.0 0.0.0.31 any
access-list 103 permit ip 192.168.2.0 0.0.0.31 any
access-list 103 permit ip 192.168.1.0 0.0.0.31 any
access-list 103 permit ip 10.5.1.0 0.0.0.255 any
access-list 103 permit ip 172.23.1.0 0.0.0.31 any
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
!
control-plane
!
!
!
banner login ^C
****************************** WARNING ******************************

Property of Some Business Network, LLC

Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

********************************************************************* ^C
!
line con 0
exec-timeout 60 0
logging synchronous
history size 100
line aux 0
line vty 0 4
exec-timeout 60 0
logging synchronous
history size 100
transport input telnet ssh
!
!
end

Thanks!!!
 
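Editor's note, added here and not part of any post in this thread. Reading the posted config, the split-tunnel list pushed to the client is access-list 102, and its only entry is 172.23.1.0/24. An Easy VPN client with split tunneling enabled encrypts traffic only to the networks in that list, so packets for 10.5.1.0/24, 192.168.1.0/27, 192.168.2.0/27 and 192.168.3.0/27 (the networks behind the 3550, reached through the static routes to 172.23.1.2) leave the laptop through its local gateway in the clear instead of entering the tunnel. That also explains why those networks become reachable as soon as split tunneling is turned off: everything is then sent into the tunnel. A second problem is that the client pool SDM_POOL_1 (172.23.1.10 to .30) is carved out of the inside LAN 172.23.1.0/27, and the DHCP pool VPN-DHCP hands out the same range (it excludes only .1 and .2), so a LAN host and a VPN client can end up with the same address. The fragment below adds the missing networks to the split-tunnel ACL and moves the pool to its own subnet; 172.23.2.0/27 is an assumed unused range chosen for illustration, and the NAT-exemption list (103) and the SDM per-host entries in ACL 101 are rewritten to match. Unrelated to the question but worth noting from the same config: ACL 101 admits TCP 22, 443 and cmd (rsh, TCP 514) from any source to the outside address, and the router still runs the plaintext HTTP server with telnet allowed on the vty lines.

```cisco
! Added worked example, not a config posted in this thread.
! Assumption: 172.23.2.0/27 is unused and becomes the dedicated VPN client pool.
!
! 1. Split-tunnel list: every network a client should reach through the
!    tunnel, one permit per network, source = the protected network.
no access-list 102
access-list 102 remark Networks pushed to Easy VPN clients as split-tunnel routes
access-list 102 permit ip 172.23.1.0 0.0.0.31 any
access-list 102 permit ip 10.5.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.31 any
access-list 102 permit ip 192.168.2.0 0.0.0.31 any
access-list 102 permit ip 192.168.3.0 0.0.0.31 any
!
! 2. Client pool on its own subnet, outside the LAN and the DHCP scope.
!    reverse-route in SDM_DYNMAP_1 already injects a /32 per connected client.
no ip local pool SDM_POOL_1
ip local pool SDM_POOL_1 172.23.2.10 172.23.2.30
!
! 3. NAT exemption: traffic from the internal networks to VPN clients must
!    not be translated; everything else they send is translated to OUTSIDE-IP.
no access-list 103
access-list 103 remark NAT: exempt traffic to VPN clients, translate Internet-bound
access-list 103 deny   ip 172.23.1.0 0.0.0.31 172.23.2.0 0.0.0.31
access-list 103 deny   ip 10.5.1.0 0.0.0.255 172.23.2.0 0.0.0.31
access-list 103 deny   ip 192.168.1.0 0.0.0.31 172.23.2.0 0.0.0.31
access-list 103 deny   ip 192.168.2.0 0.0.0.31 172.23.2.0 0.0.0.31
access-list 103 deny   ip 192.168.3.0 0.0.0.31 172.23.2.0 0.0.0.31
access-list 103 permit ip 172.23.1.0 0.0.0.31 any
access-list 103 permit ip 10.5.1.0 0.0.0.255 any
access-list 103 permit ip 192.168.1.0 0.0.0.31 any
access-list 103 permit ip 192.168.2.0 0.0.0.31 any
access-list 103 permit ip 192.168.3.0 0.0.0.31 any
!
! 4. Inbound ACL on Fa0/0: SDM's per-host permits cover only the old pool and
!    only 172.23.1.0/24. Insert entries for the new pool ahead of them
!    (sequence numbers below 10) so decrypted client traffic to every
!    internal network is permitted on releases that re-check it against
!    this list; on releases that do not, the entries are harmless.
ip access-list extended 101
 1 permit ip 172.23.2.0 0.0.0.31 172.23.1.0 0.0.0.31
 2 permit ip 172.23.2.0 0.0.0.31 10.5.1.0 0.0.0.255
 3 permit ip 172.23.2.0 0.0.0.31 192.168.1.0 0.0.0.31
 4 permit ip 172.23.2.0 0.0.0.31 192.168.2.0 0.0.0.31
 5 permit ip 172.23.2.0 0.0.0.31 192.168.3.0 0.0.0.31
!
! 5. On the 3550 (routed port 172.23.1.2), so that replies to the pool go
!    back to the router instead of being treated as a local destination:
!    ip route 172.23.2.0 255.255.255.224 172.23.1.1
```

Connected clients only receive the new attributes when they reconnect. After reconnecting, Status > Statistics > Route Details on the Cisco VPN Client should list all five networks as secured routes, and `show ip route` on the router should show the /32 injected by reverse-route for the client's new 172.23.2.x address.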
Hello
Please post a "show run". Also, are you using the Cisco VPN client? If so, make sure that split tunneling is also enabled on the client as well.
Regards
 
Hi Minue,

Thanks for your reply! Yes, I'm using the Cisco VPN Client software version 5.0.03.0560.

How do I enable split tunneling on the client?

Thanks again!
 
Hello
On the "Transparent" tab check the "Allow Local LAN Access". If this doesn't work, you will have to make sure the router is configured for split tunneling as well; you can do this from the SDM configuration.

Regards
 
Thanks again for your reply. I confirmed that split tunneling is enabled on the router and tried your suggestion with the client software. I'm still not having any luck. It's like I can't have both.

With split tunneling enabled - No access to the networks on the 3550 switch but access to the internet.

With split tunneling disabled - I have access to the networks on the 3550 switch but no internet access.

Thanks!
 
no access-list 103
access-list 103 permit ip 172.23.1.0 0.0.0.7 any
access-list 103 permit ip host 172.23.1.8 any
access-list 103 permit ip host 172.23.1.9 any
access-list deny ip any 172.23.1.0 0.0.0.31
access-list permit ip 172.23.1.0 0.0.0.255 any

Try that.

Burt
 
Burt,

Thanks for your reply. With the config set to allow split tunneling, I put in the lines you provided. It did not take the last 2 lines but I still gave it a try. I went ahead and tested. Below is what I received when I tried to ping the SVI with the address of 192.168.1.1. I'm not sure if I got a step closer. I'm not sure if it's somehow getting blocked at work. I will try again from home and post up.

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 172.30.5.1: TTL expired in transit.
Reply from 172.30.5.1: TTL expired in transit.
Reply from 172.30.5.1: TTL expired in transit.
Reply from 172.30.5.1: TTL expired in transit.

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
 
"It did not take the last 2 lines but I still gave it a try."

Those are the most important---that excludes the vpn pool from being NATted and the rest of the subnet TO be NATted. What error do you get?

Burt
 
Below is the message that I get. I'm putting these lines in on the config with split tunneling enabled.

FWRTR#config t
Enter configuration commands, one per line. End with CNTL/Z.
FWRTR(config)#no access-list 103
FWRTR(config)#access-list 103 permit ip 172.23.1.0 0.0.0.7 any
FWRTR(config)#access-list 103 permit ip host 172.23.1.8 any
FWRTR(config)#access-list 103 permit ip host 172.23.1.9 any
FWRTR(config)#access-list deny ip any 172.23.1.0 0.0.0.31
^
% Invalid input detected at '^' marker.

FWRTR(config)#access-list permit ip 172.23.1.0 0.0.0.255 any
^
% Invalid input detected at '^' marker.

FWRTR(config)#

Thanks
 
Those lines should be:

access-list 103 deny ip any 172.23.1.0 0.0.0.31
access-list 103 permit ip 172.23.1.0 0.0.0.255 any


Regards
 
Minue,

Thanks for the correction. I tried and it still does not work. :-(
 
Have you tried taking out the split tunnel on the router and only keeping "allow local lan access" on the VPN client?
Then from the VPN client choose the "Status" tab - "Statistics" and "Route details". You should see your local LAN on the left side.
Regards
 
Sorry---forgot the "103"...whoops...

Also, try this...


crypto isakmp client configuration group VPN
no acl 102
include-local-lan

Burt
 
Guys,

I still can't get it to work. I just want to be able to connect via VPN, access the networks off the 3550 switch, and be able to browse the web on my laptop.

I thank you very much for your help and time.
 
Why do you have the dhcp pool in there? I would take that out---the VPN addresses are already defined by the ip pool blablabla---when a user connects via VPN, they get assigned an address from this pool. The dhcp pool may be offering a dhcp address and screwing things up.
Also, I have never split-tunneled in a cisco router, so I am not sure how you could do this...I will research it when I have time today...

Burt
 
Guys,

I'm still having issues with this. Could it be that some kind of ACL needs to be put in because the port on the switch that connects to the router is configured as a routed port?

Can this be set up so that the internet traffic gets routed through the router, so that I will not need split tunneling? I understand that it will use up the bandwidth, but that's ok.

Thanks!!
 
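Added worked example for the tunnel-all alternative asked about in the previous post; this is the editor's illustration and was not posted by anyone in the thread. With split tunneling disabled, everything the client sends is decrypted on FastEthernet0/0, and its Internet-bound packets have to go back out the same interface. IOS NAT with ip nat inside/outside only translates packets that cross from an inside interface to an outside one, so a packet that enters and leaves on Fa0/0 is forwarded with its private pool address as source and the reply never comes back; that is why the Internet stops working as soon as the split-tunnel list is removed. A commonly used workaround is to policy-route the decrypted client traffic to a next hop on a loopback that is marked ip nat inside: the packet is looped back through that interface, takes the default route out Fa0/0 and is translated by the existing NAT statement on the way. The loopback subnet 10.255.255.0/30, ACL 110 and the route-map name are assumed values chosen for illustration; the pool is the posted SDM_POOL_1 range (172.23.1.10 to .30), which ACL 103 already permits as a NAT source.

```cisco
! Added worked example, not a config posted in this thread.
! Assumed values: Loopback0 on 10.255.255.0/30, ACL 110 and the route-map
! name; the pool is the posted SDM_POOL_1 (172.23.1.10 to 172.23.1.30).
!
! Remove the split-tunnel list so the client sends everything into the tunnel.
crypto isakmp client configuration group VPN
 no acl 102
!
! A loopback that counts as "inside" for NAT; nothing else uses this subnet.
interface Loopback0
 ip address 10.255.255.1 255.255.255.252
 ip nat inside
!
! Match decrypted client traffic that is NOT headed for an internal network.
access-list 110 remark VPN-client traffic bound for the Internet (hairpin)
access-list 110 deny   ip 172.23.1.0 0.0.0.31 172.23.1.0 0.0.0.31
access-list 110 deny   ip 172.23.1.0 0.0.0.31 10.5.1.0 0.0.0.255
access-list 110 deny   ip 172.23.1.0 0.0.0.31 192.168.1.0 0.0.0.31
access-list 110 deny   ip 172.23.1.0 0.0.0.31 192.168.2.0 0.0.0.31
access-list 110 deny   ip 172.23.1.0 0.0.0.31 192.168.3.0 0.0.0.31
access-list 110 permit ip 172.23.1.0 0.0.0.31 any
!
! Send that traffic to the far end of the loopback /30. No host sits behind
! that address: the packet is looped back through Loopback0 (an "inside"
! interface), hits the default route out Fa0/0 and is translated by the
! existing "ip nat inside source route-map SDM_RMAP_1" statement.
route-map VPN-CLIENT-INTERNET permit 10
 match ip address 110
 set ip next-hop 10.255.255.2
!
! Apply the policy on the interface where the decrypted packets arrive.
! LAN hosts enter on Fa1/0, so they are never matched by this policy.
interface FastEthernet0/0
 ip policy route-map VPN-CLIENT-INTERNET
!
! Verify while a connected client browses the web:
!   show ip nat translations        (pool address translated to OUTSIDE-IP)
!   show route-map VPN-CLIENT-INTERNET  (match counters increasing)
```

If the translation table stays empty while the route-map counters increase, NAT is not seeing the looped-back packet as inside-to-outside; if the counters stay at zero, the decrypted traffic is not reaching the policy on Fa0/0. Either way, the reply path needs nothing extra: replies arrive for OUTSIDE-IP, are untranslated to the pool address, and follow the /32 injected by reverse-route back into the tunnel.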
Hello
Did you try the troubleshooting steps I posted in my last post? Please let me know.

"Have you tried taking out the split tunnel on the router and only keeping "allow local lan access" on the VPN client.
Then from the VPN client choose the "Status" tab - "Statistics" and "Route details". You should see your local LAN on the left side."
Regards
 
Hello
Try this command: "include-local-lan"
If it does save the day, I will have to start selling ice creams instead of working with Cisco routers.


Put it under the "crypto isakmp client configuration group VPN" config

Regards
 
No dice. It's like whatever I try, does not work.

I'm confused...
 