Cisco Split-tunnel VPN config help
October 2, 2012 7:11 AM

Split-tunnel help! How to limit my Cisco VPN clients to connect to a single server (via DNS) while at the same time allowing them Internet access to Google Maps?

A mobile app on a server on our internal network requires users in the field to have VPN access to it. The same app makes a call to Google Maps to display location data. My config writing skills using split tunnels are lacking because I can either get the VPN access to the server via IP address (but not DNS) AND Google Maps to work, or internal DNS resolution works (to get to the server), but Internet (Google Maps) fails.

Any Cisco config masters out there? This is on an ASA5510, software v. 8.2.

Relevant lines:
access-list our_TunnelAcl standard permit 172.20.30.0 255.255.255.0

ip local pool ourvpnusers 172.20.82.1-172.20.82.254 mask 255.255.255.0

group-policy OURVPNGroupPolicy1 internal
group-policy OURVPNGroupPolicy1 attributes
dns-server value 172.20.30.248 172.20.30.230
vpn-access-hours value Work
vpn-filter value outside_cryptomap_1
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value our_TunnelAcl
address-pools value ourvpnusers

username ourMSOaUser1 password jdfkdfkfdf encrypted privilege 0
username ourMSOaUser1 attributes
vpn-group-policy OURVPNGroupPolicy1
vpn-access-hours value Work
group-lock value OURVPNTunnelGroup1
service-type remote-access

tunnel-group OURVPNTunnelGroup1 type remote-access

tunnel-group OURVPNTunnelGroup1 general-attributes
address-pool ourvpnusers
default-group-policy OURVPNGroupPolicy1

tunnel-group OURVPNTunnelGroup1 ipsec-attributes
pre-shared-key *

Using these lines with the tunnel acl, Internet works, but local DNS resolution fails (I can only access the internal server by IP address). If I remove these 2 lines:

split-tunnel-policy tunnelspecified
split-tunnel-network-list value our_TunnelAcl

then Internet does not work, but local DNS resolution works great (at least to their server).

Any ideas?
posted by bellastarr to Computers & Internet (3 answers total)
 
I'm not an expert, but I play one at my day job.

1) Security best practice is to always disable split tunneling so that no one can use your remote users to proxy into (or out of!) your network.

2) leave the 2 split tunnel lines out for now, add support for hair-pinning with "same-security-traffic permit intra-interface". By default you can't route traffic out the same interface it came in on, which is what you're trying to do with the VPN clients (traffic in on the tunnel, then out to the web on the same physical interface).

Cisco forums have lots of posts on this config issue because Cisco commands are awkward like a jr. high dance, but there's some good reading in that link that might help the pieces click.
posted by anti social order at 7:33 AM on October 2, 2012


Response by poster: I have "same-security-traffic permit inter-interface"... I'm not familiar with the "intra" option. Would I use both?
posted by bellastarr at 11:48 AM on October 2, 2012


Yep. Inter-interface is between interfaces of the same security level - say in g0/1 and out g0/2. Intra-interface allows traffic to be sent and received on the same interface - In on g0/1 and out on g0/1.
posted by anti social order at 1:41 PM on October 2, 2012
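To show what the two answers above add up to (full tunnel plus hairpinning, as recommended in the first answer, and the intra-interface keyword explained in the last one), here is an added ASA 8.2-style configuration fragment. It is an illustration written for this page, not the poster's running config and not something from Cisco's documentation. It keeps the names from the question (OURVPNGroupPolicy1, ourvpnusers, the 172.20.82.0/24 pool, the two DNS servers) and assumes the public-facing interface is named "outside" and that NAT id 1 is unused; both of those are assumptions.

```cisco
! Hairpin: traffic that arrives on the outside interface from a VPN client
! is allowed to leave again through that same interface toward the Internet.
! (inter-interface only covers two different interfaces of equal security
! level, so it does not help the VPN-client case by itself)
same-security-traffic permit intra-interface

! ASA 8.2 NAT for the VPN address pool: client traffic that is hairpinned
! back out is translated to the outside interface address.
! Assumption: the public interface is called "outside" and NAT id 1 is free.
nat (outside) 1 172.20.82.0 255.255.255.0
global (outside) 1 interface

! Full-tunnel group policy. The split-tunnel lines are gone, so every client
! packet (internal server and Google Maps alike) crosses the VPN, uses the
! internal DNS servers, and is subject to the firewall's inspection and filter.
group-policy OURVPNGroupPolicy1 attributes
 dns-server value 172.20.30.248 172.20.30.230
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelall
 address-pools value ourvpnusers
 ! removed: split-tunnel-policy tunnelspecified
 ! removed: split-tunnel-network-list value our_TunnelAcl
```

One caveat a practitioner would check: the question's group policy also applies "vpn-filter value outside_cryptomap_1". That filter ACL is evaluated on the clients' tunnelled traffic, so if it only permits 172.20.30.0/24 the hairpinned Internet flows will be dropped even with the lines above in place; it needs to allow the outbound web traffic you intend the clients to have, and nothing broader.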

