ASA split tunnel problems

Discussion in 'Cisco' started by RJ45, Mar 19, 2008.

  1. RJ45

    RJ45 Guest

    hello, I have the following configuration

    Internet---- 131.153.x.222 outside[ASA 5505]inside 192.168.1.1---

    my inside network is 192.168.1.0/24

    I configured ASA 5505 to NAT internal clients to outside
    and I configured VPN IPsec access from the internet.
    VPN clients get an IP address in the range 192.168.1.200-192.168.1.210
    and I configured a split tunnel so that only packets to
    destination 192.168.1.0/24
    are tunneled; all the rest from the VPN client is not tunneled.

    in this way users can access the 192.168.1.0/24 network via VPN client
    and all the internet in an unencrypted way outside the VPN (split tunnel).

    But this is not what I want.
    I would like all users connected with the VPN client which have been
    assigned an IP in the 192.168.1.200-192.168.1.210 range to go to the
    outside world using the ASA as gateway. I do not want to use split
    tunnel.
    I would like a hairpinning configuration.
    So that users authenticated with ASA VPN could both reach the
    inside network 192.168.1.0/24 and also the internet, being always
    inside the VPN and not using split tunnel.

    I am not able to achieve this.
    if I use

    split-tunnel-policy tunnelall

    and also

    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface

    nothing works anymore: clients connected in VPN can authenticate
    but cannot go on the internet and cannot contact the remote LAN 192.168.1.0/24
    even if they are assigned an IP address in that subnet.
    I would like clients both to go on the internet and to reach subnet
    192.168.1.0/24 while being connected to the ASA 131.153.x.222 in VPN.

    is there a way to do so?

    I could not find any help about this anywhere.

    thank you in advance

    RJ45
    RJ45, Mar 19, 2008
    #1

  2. RJ45

    Merv Guest


    > I would like a hairpinning configuration.
    > So that users authenticated with ASA VPN could both reach the
    > inside network 192.168.1.0/24 and also the internet, being always
    > inside the VPN and not using split tunnel.

    see Cisco doc "PIX/ASA 7.x and VPN Client for Public Internet VPN on
    a Stick Configuration Example"

    http://www.cisco.com/en/US/products...s_configuration_example09186a00805734ae.shtml

    try using a VPN address pool that is not used in your internal
    network to see if that makes any difference

    ip local pool VPNPOOL 192.168.2.1-192.168.2.254

    same-security-traffic permit intra-interface

    nat (outside) 1 192.168.2.0 255.255.255.0
    global (outside) 1 <external ip>
    Merv, Mar 22, 2008
    #2
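    As an added example (not code from the thread, from Cisco, or from the configuration example Merv links), the script below audits a saved ASA 7.x-style configuration for the four things the reply above asks for before hairpinning can work: a VPN pool that does not overlap the inside subnet, `same-security-traffic permit intra-interface`, a `nat (outside)` entry covering the pool with a matching `global (outside)`, and `split-tunnel-policy tunnelall` in a group policy. The configuration text, the interface name `inside`, the pool name `VPNPOOL`, the group policy `RAVPN` and the NAT id `1` are constructed for the example; the parsing assumes the ASA 7.x `nat (if) id net mask` / `global (if) id ...` syntax used in the thread.

```python
import ipaddress
import re

# Constructed ASA 7.x-style configuration excerpt (sample data, not the thread
# author's real config). It contains the pieces the reply above lists for a
# "VPN on a stick" setup: a pool outside the inside subnet, intra-interface
# permit, outside NAT for the pool, and a tunnelall split-tunnel policy.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
same-security-traffic permit intra-interface
ip local pool VPNPOOL 192.168.2.1-192.168.2.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 192.168.2.0 255.255.255.0
group-policy RAVPN internal
group-policy RAVPN attributes
 split-tunnel-policy tunnelall
"""


def inside_subnet(config):
    """Network of the interface named 'inside', read from the 'ip address'
    line in its interface block (assumes ASA 7.x interface block syntax)."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if line.strip() != "nameif inside":
            continue
        for nxt in lines[i + 1:]:
            m = re.match(r"\s*ip address (\S+) (\S+)", nxt)
            if m:
                return ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            if not nxt.startswith(" "):  # left the indented interface block
                break
    return None


def vpn_pool(config):
    """(name, first, last) of the first 'ip local pool' statement, or None."""
    m = re.search(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M)
    if not m:
        return None
    return m[1], ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])


def check_hairpin_config(config):
    """Return a dict of check name -> bool for the prerequisites of sending
    tunnelall VPN clients back out through the outside interface."""
    results = {
        # Hairpinning means traffic enters and leaves the same interface,
        # which the ASA drops unless intra-interface traffic is permitted.
        "intra_interface_permitted": bool(re.search(
            r"^same-security-traffic permit intra-interface$", config, re.M)),
        # Without tunnelall the client sends internet traffic in the clear.
        "tunnelall_policy": bool(re.search(
            r"^\s*split-tunnel-policy tunnelall$", config, re.M)),
        "pool_outside_inside_subnet": False,
        "pool_natted_on_outside": False,
    }
    inside = inside_subnet(config)
    pool = vpn_pool(config)
    if inside is None or pool is None:
        return results
    _, first, last = pool

    # The reply above suggests a pool that is not carved out of the inside
    # network; flag any overlap with the inside subnet.
    results["pool_outside_inside_subnet"] = (
        first not in inside and last not in inside)

    # Hairpinned clients need a nat (outside) entry covering the pool and a
    # global (outside) entry with the same NAT id.
    for m in re.finditer(r"^nat \(outside\) (\d+) (\S+) (\S+)", config, re.M):
        nat_id = m[1]
        net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        has_global = re.search(rf"^global \(outside\) {nat_id}\b", config, re.M)
        if first in net and last in net and has_global:
            results["pool_natted_on_outside"] = True
            break
    return results


if __name__ == "__main__":
    for name, ok in check_hairpin_config(SAMPLE_CONFIG).items():
        print(f"{'OK ' if ok else 'BAD'} {name}")
```

    Running it against the constructed config reports all four checks as OK; moving the pool back into 192.168.1.0/24, as in the original post, makes the overlap check fail and also leaves the pool uncovered by the `nat (outside)` entry, which is the combination the thread is struggling with.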

  3. RJ45

    RJ45 Guest

    Hello,
    actually I followed that document before writing to the newsgroup,
    but the example does not work.
    I assigned a different network to the vpn clients, but it simply does
    not work. I could not make it work unless in split-tunnel mode

    thanks

    Rick

    On 2008-03-22, Merv <> wrote:
    >> I would like a hairpinning configuration.
    >> So that users authenticated with ASA VPN could both reach the
    >> inside network 192.168.1.0/24 and also the internet, being always
    >> inside the VPN and not using split tunnel.
    >
    > see Cisco doc "PIX/ASA 7.x and VPN Client for Public Internet VPN on
    > a Stick Configuration Example"
    >
    > http://www.cisco.com/en/US/products...s_configuration_example09186a00805734ae.shtml
    >
    > try using a VPN address pool that is not used in your internal
    > network to see if that makes any difference
    >
    > ip local pool VPNPOOL 192.168.2.1-192.168.2.254
    >
    > same-security-traffic permit intra-interface
    >
    > nat (outside) 1 192.168.2.0 255.255.255.0
    > global (outside) 1 <external ip>
    RJ45, Mar 26, 2008
    #3