ASA/PIX: Allow split tunneling for VPN clients in ASA configuration example

This document provides step-by-step instructions on how to allow VPN clients to access the Internet while they are tunneled to a Cisco Adaptive Security Appliance (ASA) 5500 Series Security Appliance device. This configuration allows VPN clients to securely access corporate resources over IPsec while granting unsecured access to the Internet.

Note: Full tunneling is considered the most secure configuration because it does not give the device simultaneous access to both the Internet and the corporate LAN. A compromise between full tunneling and split tunneling allows VPN clients access to their local LAN only. See PIX/ASA 7.x: Allow Local LAN Access for VPN Clients Configuration Example for more information.

Requirements

This document assumes that a working remote access VPN configuration already exists on the ASA. See PIX/ASA 7.x as a Remote VPN Server using ASDM Configuration Example if one is not already configured.

Components Used

The information in this document is based on the following software and hardware versions:

Note: This document also contains the PIX 6.x CLI configuration that is compatible with the Cisco VPN Client 3.x.

The information in this document was generated from devices in a specific laboratory environment. All devices used in this document started with a cleared (default) configuration. If your network is active, make sure you understand the potential impact of any command.

Network Diagram

The VPN client is located on a typical SOHO network and connects over the Internet to the head office.

Related Products

This configuration can also be used with Cisco PIX 500 Series Security Appliance Software version 7.x.

Conventions

See the Cisco Technical Tips Conventions for more information on document conventions.

In a basic VPN Client to ASA scenario, all traffic from the VPN Client is encrypted and sent to the ASA regardless of its destination. Depending on your configuration and the number of users supported, such a setup can become bandwidth intensive. Split tunneling mitigates this problem because it allows users to send only the traffic that is destined for the corporate network through the tunnel. All other traffic, such as instant messaging, e-mail, or casual browsing, is sent out to the Internet via the local LAN of the VPN Client.

Configure ASA 7.x with Adaptive Security Device Manager (ASDM) 5.x

Complete these steps in order to configure your tunnel group to allow split tunneling for the users in the group.

  1. Choose Configuration > VPN > General > Group Policy and select the group policy in which you want to enable local LAN access. Then click Edit.

  2. Go to the Client Configuration tab.

  3. Uncheck the Inherit box for Split Tunnel Policy and choose Tunnel Network List Below.

  4. Uncheck the Inherit box for Split Tunnel Network List, then click Manage in order to launch the ACL Manager.

  5. In the ACL Manager, choose Add > Add ACL... in order to create a new access list.

  6. Provide a name for the ACL and click OK.

  7. Once the ACL is created, choose Add > Add ACE... in order to add an access control entry (ACE).

  8. Define the ACE that corresponds to the LAN behind the ASA. In this case, the network is 10.0.1.0/24.

    1. Choose Permit.

    2. Choose an IP address of 10.0.1.0.

    3. Choose a netmask of 255.255.255.0.

    4. (Optional) Provide a description.

    5. Click OK.

  9. Click OK in order to exit the ACL Manager.

  10. Be sure that the ACL you just created is selected for Split Tunnel Network List.

  11. Click OK in order to return to the Group Policy configuration.

  12. Click Apply and then Send (if required) in order to send the commands to the ASA.

Configure ASA 8.x with Adaptive Security Device Manager (ASDM) 6.x

Complete these steps in order to configure your tunnel group to allow split tunneling for the users in the group.

  1. Choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies, and choose the group policy in which you want to enable local LAN access. Then click Edit.

  2. Click Split Tunneling.

  3. Uncheck the Inherit box for Split Tunnel Policy, and choose Tunnel Network List Below.

  4. Uncheck the Inherit box for Split Tunnel Network List, then click Manage in order to launch the ACL Manager.

  5. In the ACL Manager, choose Add > Add ACL... in order to create a new access list.

  6. Provide a name for the ACL, and click OK.

  7. Once the ACL is created, choose Add > Add ACE... in order to add an access control entry (ACE).

  8. Define the ACE that corresponds to the LAN behind the ASA. In this case, the network is 10.0.1.0/24.

    1. Click the Permit radio button.

    2. Choose the network address with the mask 10.0.1.0/24.

    3. (Optional) Provide a description.

    4. Click OK.

  9. Click OK in order to exit the ACL Manager.

  10. Be sure that the ACL you just created is selected for Split Tunnel Network List.

  11. Click OK in order to return to the Group Policy configuration.

  12. Click Apply and then Send (if required) in order to send the commands to the ASA.

Configure ASA 7.x and Later via CLI

Rather than use the ASDM, you can complete these steps in the ASA CLI in order to allow split tunneling on the ASA:

Note: The CLI split tunneling configuration is the same for ASA 7.x and 8.x.

  1. Enter configuration mode.

    ciscoasa>enable
    Password: ********
    ciscoasa#configure terminal
    ciscoasa(config)#

  2. Create the access list that defines the network behind the ASA.

    ciscoasa(config)#access-list Split_Tunnel_List remark The corporate network behind the ASA.
    ciscoasa(config)#access-list Split_Tunnel_List standard permit 10.0.1.0 255.255.255.0

  3. Enter group policy configuration mode for the policy that you want to modify.

    ciscoasa(config)#group-policy hillvalleyvpn attributes
    ciscoasa(config-group-policy)#

  4. Specify the split tunnel policy. In this case, the policy is tunnelspecified.

    ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified

  5. Specify the split tunnel access list. In this case, the list is Split_Tunnel_List.

    ciscoasa(config-group-policy)#split-tunnel-network-list value Split_Tunnel_List

  6. Issue this command:

    ciscoasa(config)#tunnel-group hillvalleyvpn general-attributes

  7. Associate the group policy with the tunnel group.

    ciscoasa(config-tunnel-general)#default-group-policy hillvalleyvpn

  8. Exit configuration mode.

    ciscoasa(config-tunnel-general)#exit
    ciscoasa(config)#exit
    ciscoasa#

  9. Save the configuration to Non-Volatile Random Access Memory (NVRAM) and press Enter when prompted to specify the source filename.

    ciscoasa#copy running-config startup-config

    Source filename [running-config]?
    Cryptochecksum: 93bb3217 0f60bfa4 c36bbb29 75cf714a

    3847 bytes copied in 3.470 secs (1282 bytes/sec)
    ciscoasa#
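The CLI steps above build a chain of references: the tunnel group points at a group policy, the group policy names a split-tunnel ACL, and the standard access list decides which destinations the client encrypts. What actually gets tunneled is easy to lose sight of once several group policies exist. The following script is an added example, not Cisco code and not part of the original document: it parses a running configuration and resolves that chain for every tunnel group, reporting the tunneled networks and flagging an ACL that is referenced but undefined, a list that permits any (which quietly turns split tunneling back into full tunneling), an excludespecified policy, and a policy that is only inherited. The SAMPLE_CONFIG text is constructed; the names hillvalleyvpn and Split_Tunnel_List come from the page, while the contractors group and its Too_Broad ACL are invented to show a finding.

```python
"""Audit split-tunnel settings in an ASA running configuration.

Added example for this page; not Cisco code and not part of the original
document. It resolves tunnel-group -> default-group-policy ->
split-tunnel-network-list -> standard access-list and reports what the
clients of each tunnel group will send through the tunnel.
SAMPLE_CONFIG is constructed: hillvalleyvpn and Split_Tunnel_List are the
page's names, the contractors group and Too_Broad ACL are invented.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_CONFIG = """\
access-list Split_Tunnel_List remark The corporate network behind the ASA.
access-list Split_Tunnel_List standard permit 10.0.1.0 255.255.255.0
access-list Too_Broad standard permit any
group-policy hillvalleyvpn internal
group-policy hillvalleyvpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
group-policy contractors internal
group-policy contractors attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Too_Broad
tunnel-group hillvalleyvpn type remote-access
tunnel-group hillvalleyvpn general-attributes
 default-group-policy hillvalleyvpn
tunnel-group contractors type remote-access
tunnel-group contractors general-attributes
 default-group-policy contractors
"""

ACL_RE = re.compile(r"^access-list (\S+) standard permit (?:any|(\S+) (\S+))$")
GP_RE = re.compile(r"^group-policy (\S+) attributes$")
TG_RE = re.compile(r"^tunnel-group (\S+) general-attributes$")


def parse_standard_acls(config: str) -> dict:
    """Map each standard ACL name to the networks its permit lines cover."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, net, mask = m.groups()
        # 'permit any' is stored as 0.0.0.0/0 so the audit can recognise it.
        network = ipaddress.ip_network(f"{net}/{mask}") if net else ipaddress.ip_network("0.0.0.0/0")
        acls.setdefault(name, []).append(network)
    return acls


def parse_sections(config: str, header_re) -> dict:
    """Collect the indented sub-commands under each header matching header_re."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            m = header_re.match(raw)
            current = m.group(1) if m else None
            if current is not None:
                sections.setdefault(current, [])
    return sections


@dataclass
class SplitTunnelReport:
    tunnel_group: str
    group_policy: str
    policy: str  # tunnelall, tunnelspecified, excludespecified or inherited
    acl_name: Optional[str]
    networks: List[ipaddress.IPv4Network] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def last_word(cmds, prefix, default=None):
    """Last token of the first sub-command that starts with prefix."""
    return next((c.split()[-1] for c in cmds if c.startswith(prefix)), default)


def audit(config: str) -> List[SplitTunnelReport]:
    acls = parse_standard_acls(config)
    policies = parse_sections(config, GP_RE)
    groups = parse_sections(config, TG_RE)
    reports = []
    for tg, cmds in groups.items():
        gp = last_word(cmds, "default-group-policy ", "DfltGrpPolicy")
        attrs = policies.get(gp, [])
        policy = last_word(attrs, "split-tunnel-policy ", "inherited")
        acl_name = last_word(attrs, "split-tunnel-network-list value ")
        r = SplitTunnelReport(tg, gp, policy, acl_name)
        if policy == "tunnelall":
            reports.append(r)  # full tunnel: no split list to check
            continue
        if policy == "inherited":
            r.findings.append("split-tunnel-policy not set here; check the value inherited from DfltGrpPolicy")
        if acl_name is None:
            r.findings.append("no split-tunnel-network-list configured for this policy")
        elif acl_name not in acls:
            r.findings.append(f"ACL {acl_name} is referenced but no standard access-list defines it")
        else:
            r.networks = acls[acl_name]
            if any(n.prefixlen == 0 for n in r.networks):
                r.findings.append(f"ACL {acl_name} permits any: every destination is tunneled")
        if policy == "excludespecified":
            r.findings.append("excludespecified: listed networks bypass the tunnel, everything else is tunneled")
        reports.append(r)
    return reports


if __name__ == "__main__":
    for r in audit(SAMPLE_CONFIG):
        nets = ", ".join(str(n) for n in r.networks) or "-"
        print(f"{r.tunnel_group}: policy={r.policy} acl={r.acl_name} tunneled={nets}")
        for f in r.findings:
            print("  finding:", f)
```

Run it against the output of show running-config saved to a file by replacing SAMPLE_CONFIG with the file contents; the parser only reads the three command families the page uses, so group policies that pull their split list from a RADIUS attribute or from DfltGrpPolicy show up as inherited and need to be checked by hand.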

Configure PIX 6.x through the Command Line Interface (CLI)

Complete these steps:

  1. Create the access list that defines the network behind the PIX.

    pix(config)#access-list Split_Tunnel_List standard permit 10.0.1.0 255.255.255.0

  2. Create a vpngroup vpn3000 and specify the split tunnel ACL for it as shown:

    pix(config)#vpngroup vpn3000 split-tunnel Split_Tunnel_List

    Note: See Cisco Secure PIX Firewall 6.x and Cisco VPN Client 3.5 for Windows with Microsoft Windows 2000 and 2003 IAS RADIUS Authentication for more information on how to configure a remote access VPN for PIX 6.x.

Follow the steps in these sections in order to verify your configuration.

Connect with the VPN Client

Connect your VPN Client to the VPN Concentrator in order to verify your configuration.

  1. Choose your connection entry from the list and click Connect.

  2. Enter your credentials.

  3. Choose Status > Statistics... in order to display the Tunnel Details window, where you can inspect the details of the tunnel and see the traffic flow.

  4. Go to the Route Details tab in order to see the routes that the VPN Client secures to the ASA.

    In this example, the VPN Client secures access to 10.0.1.0/24 while all other traffic is not encrypted and not sent across the tunnel.

View the VPN Client Log

When you examine the VPN Client log, you can determine whether or not the parameter that specifies split tunneling is set. In order to view the log, go to the Log tab in the VPN Client. Then click Log Settings in order to adjust what is logged. In this example, IKE is set to 3 - High while all other log elements are set to 1 - Low.

Cisco Systems VPN Client Version 4.0.5 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

1      14:20:09.532  07/27/06  Sev=Info/6  IKE/0x6300003B
Attempting to establish a connection with 172.22.1.160.

!--- Output is suppressed.

18     14:20:14.188  07/27/06  Sev=Info/5  IKE/0x6300005D
Client sending a firewall request to concentrator

19     14:20:14.188  07/27/06  Sev=Info/5  IKE/0x6300005C
Firewall Policy: Product=Cisco Systems Integrated Client,
Capability= (Centralized Protection Policy).

20     14:20:14.188  07/27/06  Sev=Info/5  IKE/0x6300005C
Firewall Policy: Product=Cisco Intrusion Prevention Security Agent,
Capability= (Are you There?).

21     14:20:14.208  07/27/06  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 172.22.1.160

22     14:20:14.208  07/27/06  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = 172.22.1.160

23     14:20:14.208  07/27/06  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 172.22.1.160

24     14:20:14.208  07/27/06  Sev=Info/5  IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.0.1.50

25     14:20:14.208  07/27/06  Sev=Info/5  IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

26     14:20:14.208  07/27/06  Sev=Info/5  IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

27     14:20:14.208  07/27/06  Sev=Info/5  IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

28     14:20:14.208  07/27/06  Sev=Info/5  IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 7.2(1) built by root on Wed 31-May-06 14:45

!--- Split tunneling is permitted and the remote LAN is defined.

29     14:20:14.238  07/27/06  Sev=Info/5  IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

30     14:20:14.238  07/27/06  Sev=Info/5  IKE/0x6300000F
SPLIT_NET #1
    subnet = 10.0.1.0
    mask = 255.255.255.0
    protocol = 0
    src port = 0
    dest port=0

!--- Output is suppressed.

Test Local LAN Access with Ping

An additional way to test that the VPN Client is configured for split tunneling while tunneled to the ASA is to use the ping command at the Windows command line. The local LAN of the VPN Client is 192.168.0.0/24 and another host is present on the network with an IP address of 192.168.0.3.

C:\>ping 192.168.0.3

Pinging 192.168.0.3 with 32 bytes of data:

Reply from 192.168.0.3: bytes=32 time<1ms TTL=255
Reply from 192.168.0.3: bytes=32 time<1ms TTL=255
Reply from 192.168.0.3: bytes=32 time<1ms TTL=255
Reply from 192.168.0.3: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.0.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
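The log excerpt and the ping test above are two views of the same fact: the MODE_CFG_REPLY carries the split-include networks the ASA pushed, and the client routes only those destinations into the tunnel. The script below is an added example, not Cisco code and not part of the original document. It parses the SPLIT_NET entries out of a VPN Client log in the format shown above, compares them with the networks the administrator intended to tunnel (so a missing or extra network is caught before anyone has to ping around), and then classifies destinations the way the client's route table would under a tunnelspecified policy. SAMPLE_LOG is a constructed excerpt; 10.0.1.0/24 and the local LAN host 192.168.0.3 are the page's values, the corporate host 10.0.1.5 and the Internet host 198.51.100.7 are made up for the demonstration.

```python
"""Read the split-tunnel routes a Cisco VPN Client received and classify traffic.

Added example for this page; not Cisco code and not part of the original
document. It parses SPLIT_NET entries from the MODE_CFG_REPLY section of
the client log, checks them against the intended network list, and decides
whether a destination is secured over the tunnel or sent out the local LAN.
SAMPLE_LOG is a constructed excerpt in the page's log format.
"""
import ipaddress
import re
from typing import List, Tuple

SAMPLE_LOG = """\
29     14:20:14.238  07/27/06  Sev=Info/5  IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

30     14:20:14.238  07/27/06  Sev=Info/5  IKE/0x6300000F
SPLIT_NET #1
    subnet = 10.0.1.0
    mask = 255.255.255.0
    protocol = 0
    src port = 0
    dest port=0
"""

# Number of split-include networks announced by the concentrator (hex value).
COUNT_RE = re.compile(r"MODECFG_UNITY_SPLIT_INCLUDE \(# of split_nets\), value = 0x([0-9A-Fa-f]+)")
SUBNET_RE = re.compile(r"^\s*subnet = (\S+)", re.M)
MASK_RE = re.compile(r"^\s*mask = (\S+)", re.M)


def parse_split_nets(log: str) -> Tuple[int, List[ipaddress.IPv4Network]]:
    """Return (count announced in the header, networks from the SPLIT_NET entries)."""
    m = COUNT_RE.search(log)
    count = int(m.group(1), 16) if m else 0
    pairs = zip(SUBNET_RE.findall(log), MASK_RE.findall(log))
    nets = [ipaddress.ip_network(f"{subnet}/{mask}", strict=False) for subnet, mask in pairs]
    return count, nets


def verify_split_list(log: str, expected: List[str]):
    """Compare the pushed split-include list with the networks the ACL should contain."""
    count, nets = parse_split_nets(log)
    problems = []
    if count == 0 and not nets:
        problems.append("no split-include networks pushed: the client is full tunneling")
    if count != len(nets):
        problems.append(f"header announces {count} split nets, {len(nets)} SPLIT_NET entries logged")
    wanted = {ipaddress.ip_network(e) for e in expected}
    for extra in sorted(set(nets) - wanted):
        problems.append(f"unexpected network tunneled: {extra}")
    for missing in sorted(wanted - set(nets)):
        problems.append(f"expected network not tunneled: {missing}")
    return nets, problems


def is_tunneled(destination: str, split_nets) -> bool:
    """Under tunnelspecified only destinations inside a split net use the tunnel."""
    addr = ipaddress.ip_address(destination)
    return any(addr in net for net in split_nets)


def classify(destinations, split_nets) -> dict:
    """Label each destination 'tunnel' (encrypted to the ASA) or 'local' (out the LAN)."""
    return {d: ("tunnel" if is_tunneled(d, split_nets) else "local") for d in destinations}


if __name__ == "__main__":
    nets, problems = verify_split_list(SAMPLE_LOG, ["10.0.1.0/24"])
    print("split nets:", [str(n) for n in nets], "problems:", problems or "none")
    # 10.0.1.5 is a constructed corporate host, 198.51.100.7 a constructed Internet host.
    for dest, path in classify(["10.0.1.5", "192.168.0.3", "198.51.100.7"], nets).items():
        print(f"{dest}: {path}")
```

The expected list passed to verify_split_list should be the same networks that the Split_Tunnel_List ACL permits; a mismatch means the client is running with a different policy than the one you configured (a stale group policy, inheritance from DfltGrpPolicy, or a list pushed from an external authentication server). The parser handles the split-include case the page shows; an excludespecified policy logs MODECFG_UNITY_SPLIT_EXCLUDE instead and inverts the classification.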
