
Split-Tunnel not working


eseabrook2008 (Technical User), Jan 9, 2008
I'm new to PIX (and the job) and need to solve an issue with our PIX. As far as I know, split-tunneling is set up but it is not working. When clients VPN in (using the Windows client), they can access the internet but not the network. If you check off "use default gateway on remote network" then you can access the network but not the internet. Below is the PIX config. Can anyone give me a hand? I've looked high and low and from what I've read, everything should be set up. I tried using a batch file to enter a static route on the laptop but I need to enter the IF and it changes every time I connect to the VPN.

PIX Version 7.2(2)
!
interface Ethernet0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.0
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.0.0
ospf cost 10
!
passwd iGGOjJAX0QuZN9ot encrypted
boot system flash:/pix722.bin
boot system flash:/image.bin
no ftp mode passive
clock timezone CST -6
dns server-group DefaultDNS
domain-name somewhere.COM
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip any 192.168.0.0 255.255.255.192
access-list saskatoon extended permit ip 172.16.0.0 255.255.0.0 192.169.253.0 255.255.255.0
access-list acl_out extended permit tcp any interface outside eq smtp
access-list acl_out extended permit tcp any interface outside range ftp-data ftp inactive
access-list acl_out extended permit tcp any interface outside eq www
access-list acl_out extended permit tcp any interface outside eq https
access-list acl_out extended permit udp any host 204.83.200.72 eq 1701
access-list acl_out extended permit gre any host 204.83.200.72
access-list acl_in extended deny tcp any any eq 136
access-list acl_in extended deny tcp any any eq 137
access-list acl_in extended deny tcp any any eq 138
access-list acl_in extended deny tcp any any eq netbios-ssn
access-list acl_in extended deny udp any any eq 136
access-list acl_in extended deny udp any any eq netbios-ns
access-list acl_in extended deny udp any any eq netbios-dgm
access-list acl_in extended deny udp any any eq 139
access-list acl_in extended permit ip any any
access-list acl_in extended permit icmp any any
access-list test extended permit ip any any
access-list capin extended permit ip host 172.16.100.126 host 172.16.0.1
access-list capin extended permit ip host 172.16.0.1 host 172.16.100.126
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list cap_in extended permit ip host 172.16.100.126 any
access-list split standard permit 172.16.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 40000
logging monitor informational
logging trap debugging
logging history warnings
logging asdm errors
logging facility 23
logging host inside 172.16.0.98 17/1468
mtu outside 1500
mtu inside 1500
ip local pool VPNPool 10.10.10.1-10.10.10.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.0.0 255.255.0.0
static (inside,outside) tcp interface smtp Email_Firewall smtp netmask 255.255.255.255
static (inside,outside) tcp interface 255.255.255.255
static (inside,outside) tcp interface https 172.16.0.96 https netmask 255.255.255.255
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 204.83.200.254 1
timeout xlate 1:00:00
timeout conn 0:10:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server ActiveDirectory protocol radius
aaa-server ActiveDirectory host 172.16.0.98
timeout 5
key smiradsecret
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 172.16.0.98 172.16.0.96
dns-server value 172.16.0.98 172.16.0.96
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value somewhere.COM
group-policy DfltGrpPolicy attributes
banner none
wins-server value 172.16.0.98 172.16.0.96
dns-server value 172.16.0.98 172.16.0.96
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain none
split-dns none
intercept-dhcp enable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
group-policy vpn internal
group-policy vpn attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
username somewhere_vpn password ZfsPqnEvQQSkO5RLLlMdcg== nt-encrypted
username cisco123 password U4DJrEXzXuJDX32C encrypted privilege 15
username cisco password pr/0i/BvQ65/uQPOewDuog== nt-encrypted privilege 15
username cisco attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol l2tp-ipsec
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group DefaultRAGroup general-attributes
address-pool VPNPool
authentication-server-group ActiveDirectory LOCAL
authorization-server-group LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 1
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp strict
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect ils
!
service-policy global_policy global
ntp server 142.3.100.2 source outside prefer
ntp server 142.3.100.15 source outside
prompt hostname context
Cryptochecksum:f8166a1052e288061ee0e688710bda13
: end
asdm image flash:/asdm-522.bin
asdm history enable
 

Looks like you need to add your IP pool to your split tunnel policy. Hope that helps.

cheers


access-list split standard permit 10.10.10.0 255.255.255.0
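The decision the reply above is about, as an added example that is not part of the thread and not Cisco's code: with `split-tunnel-policy tunnelspecified` the PIX pushes the standard ACL named by `split-tunnel-network-list` to the client, and only destinations matching a permit entry are routed into the tunnel; everything else goes out the client's local gateway. A second piece has to line up for inside hosts to answer pool clients: the `nat (inside) 0 access-list nonat` exemption must permit inside-to-pool traffic. The script parses the thread's `split` and `nonat` ACLs plus the reply's proposed extra entry and evaluates constructed sample addresses against them. It assumes PIX subnet masks (not wildcards), first-match evaluation, and only the `NET MASK`, `host` and `any` address forms.

```python
"""Added example (not from the thread or Cisco): evaluate a PIX 7.x
split-tunnel network list and a NAT-exemption ACL against sample traffic.

Assumptions: only the ACL forms used in the thread are parsed
('permit|deny NET MASK', 'host ADDR', 'any'); PIX masks are subnet masks,
not wildcard masks; ACLs are evaluated first-match."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_net(tokens):
    """Consume one address spec from the token list; return (network, rest)."""
    if not tokens:
        raise ValueError("missing address specification")
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if len(tokens) < 2:
        raise ValueError(f"expected 'NET MASK', got {tokens!r}")
    # ipaddress accepts a dotted subnet mask after the slash.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_standard_acl(lines):
    """'access-list NAME standard permit|deny ADDRSPEC' -> [(action, network)]."""
    entries = []
    for raw in lines:
        p = raw.split()
        if (len(p) < 5 or p[0] != "access-list" or p[2] != "standard"
                or p[3] not in ("permit", "deny")):
            raise ValueError(f"not a standard ACL entry: {raw!r}")
        net, rest = _take_net(p[4:])
        if rest:
            raise ValueError(f"trailing tokens in {raw!r}")
        entries.append((p[3], net))
    return entries


def parse_extended_ip_acl(lines):
    """'access-list NAME extended permit|deny ip SRCSPEC DSTSPEC' -> [(action, src, dst)]."""
    entries = []
    for raw in lines:
        p = raw.split()
        if (len(p) < 6 or p[0] != "access-list" or p[2] != "extended"
                or p[3] not in ("permit", "deny") or p[4] != "ip"):
            raise ValueError(f"not a plain 'ip' extended ACL entry: {raw!r}")
        src, rest = _take_net(p[5:])
        dst, rest = _take_net(rest)
        if rest:
            raise ValueError(f"trailing tokens in {raw!r}")
        entries.append((p[3], src, dst))
    return entries


def is_tunneled(split_entries, dst):
    """tunnelspecified: the client sends dst into the tunnel only if the first
    matching split-list entry is a permit; no match means local gateway."""
    addr = ipaddress.ip_address(dst)
    for action, net in split_entries:
        if addr in net:
            return action == "permit"
    return False


def is_nat_exempt(nonat_entries, src, dst):
    """nat (inside) 0 access-list: traffic matching a permit entry bypasses NAT."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in nonat_entries:
        if s in snet and d in dnet:
            return action == "permit"
    return False


def tunnel_report(split_lines, dsts):
    """Map each sample destination to True (through tunnel) or False (local)."""
    entries = parse_standard_acl(split_lines)
    return {d: is_tunneled(entries, d) for d in dsts}


# ACL lines as posted in the thread, plus the reply's proposed extra entry.
THREAD_SPLIT_ACL = ["access-list split standard permit 172.16.0.0 255.255.0.0"]
PROPOSED_SPLIT_ACL = THREAD_SPLIT_ACL + [
    "access-list split standard permit 10.10.10.0 255.255.255.0"]
THREAD_NONAT_ACL = [
    "access-list nonat extended permit ip 172.16.0.0 255.255.0.0 10.10.10.0 255.255.255.0"]

# Constructed sample addresses: an inside server, a VPN-pool client, a public host.
SAMPLE_DESTINATIONS = ["172.16.0.98", "10.10.10.7", "8.8.8.8"]

if __name__ == "__main__":
    print("thread split list:  ", tunnel_report(THREAD_SPLIT_ACL, SAMPLE_DESTINATIONS))
    print("proposed split list:", tunnel_report(PROPOSED_SPLIT_ACL, SAMPLE_DESTINATIONS))
    nonat = parse_extended_ip_acl(THREAD_NONAT_ACL)
    print("inside -> pool NAT-exempt:", is_nat_exempt(nonat, "172.16.0.98", "10.10.10.7"))
```

Feeding the real `show run` lines for `split` and `nonat` into the two parsers gives a quick offline check that the inside network is in the split list and that inside-to-pool traffic is NAT-exempt before touching the client side.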
 
Since you're using the Windows client, it looks like you're using L2TP over IPsec. Have you tried connecting with the Cisco VPN Client, which just uses IPsec?

My suspicion is that split tunneling is only supported when you're doing straight IPsec.

Matt
CCIE Security
 
I've tried using the Cisco VPN Client but I don't think the client or the PIX are set up properly because it always fails to connect, saying:

VPN Connection terminated locally by the Client.
An unrecognized error occurred while establishing the VPN connection.

Is there something we need to setup on the PIX to allow the Cisco client?
 
Ok, so I went through the wizard and setup a VPN for Cisco clients. No change (I still get the same error on the cisco client when I try and use it).
 
What tunnel group are you using in the client? The "Name" in the Connection Entry in the VPN Client corresponds to the tunnel group in the ASA config. In your above config I only see the default and I don't think that the client can leverage that.

Here's a basic doc on RA VPN on the ASA:

Here's a basic split tunnel doc while we're at it:

Here's a broad VPN Troubleshooting doc as well:

Matt
CCIE Security
 
Ok, I re-ran through the wizard and can now get the client to the point of asking for a username/password. Problem is, I've set the PIX to look to AD for the account but when I type the info in as username & password, it doesn't work (I even tried domain/username & password with no luck). So, I created a user in the local database but it doesn't work either. Below is the current config. I'm using the testvpn group.

PIX Version 7.2(2)
!
interface Ethernet0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.0
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.0.0
ospf cost 10
!
passwd iGGOjJAX0QuZN9ot encrypted
boot system flash:/pix722.bin
boot system flash:/image.bin
no ftp mode passive
clock timezone CST -6
dns server-group DefaultDNS
domain-name SOMEWHERE.COM
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip any 192.168.0.0 255.255.255.192
access-list nonat extended permit ip any 10.10.10.0 255.255.255.0
access-list saskatoon extended permit ip 172.16.0.0 255.255.0.0 192.169.253.0 255.255.255.0
access-list acl_out extended permit tcp any interface outside eq smtp
access-list acl_out extended permit tcp any interface outside range ftp-data ftp inactive
access-list acl_out extended permit tcp any interface outside eq www
access-list acl_out extended permit tcp any interface outside eq https
access-list acl_out extended permit udp any host xxx.xxx.xxx.xxx eq 1701
access-list acl_out extended permit gre any host xxx.xxx.xxx.xxx
access-list acl_in extended deny tcp any any eq 136
access-list acl_in extended deny tcp any any eq 137
access-list acl_in extended deny tcp any any eq 138
access-list acl_in extended deny tcp any any eq netbios-ssn
access-list acl_in extended deny udp any any eq 136
access-list acl_in extended deny udp any any eq netbios-ns
access-list acl_in extended deny udp any any eq netbios-dgm
access-list acl_in extended deny udp any any eq 139
access-list acl_in extended permit ip any any
access-list acl_in extended permit icmp any any
access-list test extended permit ip any any
access-list capin extended permit ip host 172.16.100.126 host 172.16.0.1
access-list capin extended permit ip host 172.16.0.1 host 172.16.100.126
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list cap_in extended permit ip host 172.16.100.126 any
access-list split standard permit 172.16.0.0 255.255.0.0
access-list testvpn_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging timestamp
logging buffer-size 40000
logging monitor informational
logging trap debugging
logging history warnings
logging asdm errors
logging facility 23
logging host inside 172.16.0.98 17/1468
mtu outside 1500
mtu inside 1500
ip local pool VPNPool 10.10.10.1-10.10.10.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.0.0 255.255.0.0
static (inside,outside) tcp interface smtp Email_Firewall smtp netmask 255.255.255.255
static (inside,outside) tcp interface 255.255.255.255
static (inside,outside) tcp interface https 172.16.0.96 https netmask 255.255.255.255
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 204.83.200.254 1
timeout xlate 1:00:00
timeout conn 0:10:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server ActiveDirectory protocol radius
aaa-server ActiveDirectory host 172.16.0.98
timeout 5
key smiradsecret
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 172.16.0.98 172.16.0.96
dns-server value 172.16.0.98 172.16.0.96
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value SOMEWHERE.COM
group-policy testvpn internal
group-policy testvpn attributes
wins-server value 172.16.0.98 172.16.0.96
dns-server value 172.16.0.98 172.16.0.96
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value testvpn_splitTunnelAcl
default-domain value SOMEWHERE.COM
group-policy DfltGrpPolicy attributes
banner none
wins-server value 172.16.0.98 172.16.0.96
dns-server value 172.16.0.98 172.16.0.96
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain none
split-dns none
intercept-dhcp enable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-proxy
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools value VPNPool
client-firewall none
client-access-rule none
group-policy vpn internal
group-policy vpn attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
username bbbbb_vpn password ZfsPqnEvQQSkO5RLLlMdcg== nt-encrypted
username aaaaa123 password U4DJrEXzXuJDX32C encrypted privilege 15
username aaaaa password pr/0i/BvQ65/uQPOewDuog== nt-encrypted privilege 15
username aaaaa attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol IPSec l2tp-ipsec
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group DefaultRAGroup general-attributes
address-pool VPNPool
authentication-server-group ActiveDirectory LOCAL
authorization-server-group LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
tunnel-group testvpn type ipsec-ra
tunnel-group testvpn general-attributes
address-pool VPNPool
authentication-server-group ActiveDirectory
default-group-policy testvpn
tunnel-group testvpn ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 1
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp strict
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect ils
!
service-policy global_policy global
ntp server 142.3.100.2 source outside prefer
ntp server 142.3.100.15 source outside
prompt hostname context
Cryptochecksum:f5ec864792c17d3d8241a7705aaf8e91
: end
asdm image flash:/asdm-522.bin
asdm history enable
 
Never mind, hadn't had my coffee yet this morning!

I tested it and something must not be setup correctly as it returns Invalid password for every account.
 
It says Debug commands are not available in CLI windows. However, this is posted in the event log for the server for the failure.

User administrator was denied access.
Fully-Qualified-User-Name = somewhere.COM\Users\jblow
NAS-IP-Address = 172.16.0.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = 172.16.0.1
Client-IP-Address = 172.16.0.1
NAS-Port-Type = <not present>
NAS-Port = 5
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.

When I tried with the Windows client, it connected and this was entered into the server's event log:

User Administrator was granted access.
Fully-Qualified-User-Name = somewhere.com/Users/jblow
NAS-IP-Address = 172.16.0.1
NAS-Identifier = <not present>
Client-Friendly-Name = 172.16.0.1
Client-IP-Address = 172.16.0.1
Calling-Station-Identifier = <not present>
NAS-Port-Type = <not present>
NAS-Port = 136
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Allow access if dial-in permission is enabled
Authentication-Type = MS-CHAPv1
EAP-Type = <undetermined>
 
These lines in your config mean you are using RADIUS.

aaa-server ActiveDirectory protocol radius
aaa-server ActiveDirectory host 172.16.0.98
timeout 5
key smiradsecret

tunnel-group DefaultRAGroup general-attributes
address-pool VPNPool
authentication-server-group ActiveDirectory LOCAL


If you have a Windows 2003 server you will have to make sure you set up IAS for RADIUS. Please see the following doc:





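A small parser over IAS event records of the kind posted earlier in the thread, added here as an example (not part of the thread, and not Microsoft's or Cisco's code): it turns each "User ... was granted/denied access." record into a dict and lists the fields that differ between a denied attempt and a granted one. On the two records above that comparison shows the same user and NAS-IP-Address on both attempts, while Authentication-Type (PAP in the Cisco client attempt, MS-CHAPv1 in the Windows client attempt), Policy-Name and Reason-Code differ. The sample records are constructed copies of the posted ones, trimmed to the fields the comparison uses.

```python
"""Added example (not from the thread or Microsoft): parse Windows IAS
authentication events of the form posted above and compare a denied attempt
with a granted one field by field.

Assumptions: each record starts with 'User NAME was granted|denied access.'
and continues with 'Key = Value' lines; records are separated by a blank line.
The sample records are constructed copies of the two posted in the thread,
trimmed to the fields the comparison uses."""
import re

SAMPLE_EVENTS = """\
User administrator was denied access.
Fully-Qualified-User-Name = somewhere.COM\\Users\\jblow
NAS-IP-Address = 172.16.0.1
Client-IP-Address = 172.16.0.1
NAS-Port = 5
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Policy-Name = <undetermined>
Authentication-Type = PAP
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.

User Administrator was granted access.
Fully-Qualified-User-Name = somewhere.com/Users/jblow
NAS-IP-Address = 172.16.0.1
Client-IP-Address = 172.16.0.1
NAS-Port = 136
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Policy-Name = Allow access if dial-in permission is enabled
Authentication-Type = MS-CHAPv1
"""

HEADER_RE = re.compile(r"^User (?P<user>\S+) was (?P<verdict>granted|denied) access\.$")


def parse_ias_events(text):
    """Return one dict per record: 'user', 'verdict', then the logged fields."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        m = HEADER_RE.match(lines[0])
        if m is None:
            raise ValueError(f"unexpected record header: {lines[0]!r}")
        rec = {"user": m["user"], "verdict": m["verdict"]}
        for line in lines[1:]:
            key, sep, value = line.partition(" = ")
            if not sep:
                raise ValueError(f"malformed field line: {line!r}")
            rec[key] = value
        records.append(rec)
    return records


def summarize(records):
    """(NAS, auth type, matched policy, verdict, reason code) per attempt."""
    return [(r.get("NAS-IP-Address"), r.get("Authentication-Type"),
             r.get("Policy-Name"), r["verdict"], r.get("Reason-Code"))
            for r in records]


def differing_fields(a, b):
    """Fields whose values differ between two records: {key: (a_value, b_value)}."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


if __name__ == "__main__":
    recs = parse_ias_events(SAMPLE_EVENTS)
    for row in summarize(recs):
        print(row)
    denied = [r for r in recs if r["verdict"] == "denied"]
    granted = [r for r in recs if r["verdict"] == "granted"]
    if denied and granted:
        for key, (d, g) in differing_fields(denied[0], granted[0]).items():
            print(f"{key}: denied={d!r} granted={g!r}")
```

The same parser runs over a longer export of IAS records. When a RADIUS denial shows a different Authentication-Type from a granted attempt by the same user from the same NAS, the IAS remote access policy (which authentication methods it permits, and whether it grants access at all) is worth checking before the account password, which is where this thread ended up.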
 
OKAY! The policy in IAS was set to not allow anyone access EVER. Now that that is straightened out, it is authenticating when testing on the PIX, but, I get a "General Error while processing Browser Proxy Configuration" error on the client.
 