VPN Tip: How to Create a VPN on ASA using Cisco AnyConnect with Split Tunnel:
AnyConnect VPN configurations with SPLIT-TUNNEL:
To demonstrate the concept and the working of the VPN, I used the Cisco-defined image.
In this method, clients connected to the ASA through Cisco AnyConnect can reach the internal resources over the tunnel while continuing to use their own internet connection for everything else.
from router R ping 10.40.0.1 = success
The lab IP addressing and the basic firewall settings are covered in another article.
VPN configuration on the ASA:
ciscoasa(config)#ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#enable outside
ciscoasa(config-webvpn)#anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
ciscoasa(config-webvpn)#tunnel-group-list enable
ciscoasa(config-webvpn)#anyconnect enable
ciscoasa(config)#access-list REMOTE standard permit 10.77.241.0 255.255.255.0
ciscoasa(config)#access-list REMOTE standard permit 192.168.10.0 255.255.255.0
ciscoasa(config)#group-policy clientgroup internal
ciscoasa(config)#group-policy clientgroup attributes
ciscoasa(config-group-policy)#vpn-tunnel-protocol ssl-client
ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)#split-tunnel-network-list value REMOTE
ciscoasa(config)#username Babar password cisco
ciscoasa(config)#tunnel-group sslgroup type remote-access
ciscoasa(config)#tunnel-group sslgroup general-attributes
ciscoasa(config-tunnel-general)#address-pool vpnpool
ciscoasa(config-tunnel-general)#default-group-policy clientgroup
ciscoasa(config-tunnel-general)#exit
ciscoasa(config)#tunnel-group sslgroup webvpn-attributes
ciscoasa(config-tunnel-webvpn)#group-alias sslgroup_users enable
Now connect to 10.0.50.1 from the client using AnyConnect; it should connect. Pinging 192.168.1.2 from the client will not work yet, because the NAT exemption has not been configured.
object network NET_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network NET_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static NET_OBJ_192.168.1.0_24 NET_OBJ_192.168.1.0_24 destination static NET_OBJ_192.168.10.0_24 NET_OBJ_192.168.10.0_24
Now the VPN is fully UP and ping is working from both sides.
On the client, tracert 192.168.1.2 shows the reply coming directly from the host through the tunnel, while tracert 10.0.30.1 shows the reply arriving via the client's own internet connection. This is what is called split tunneling.
Note: I personally configured and tested this lab and it is working; the ASA version is 9.5(2).
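Three parts of this configuration have to agree with each other: the split-tunnel ACL decides which destinations the client sends down the tunnel, the identity NAT statement decides which inside subnet is exempted from translation, and the address pool has to fall inside that NAT statement's destination object. A subnet that is NAT-exempted but missing from the split-tunnel list is never routed through the tunnel by the client, so the ping still fails. The Python script below is an added example, not Cisco code and not part of the original post: it parses the lines above (prompts stripped, embedded here as a constructed string) and reports any mismatch between the three. Run against this page's configuration as written, it flags that 192.168.1.0/24 (the subnet exempted by NET_OBJ_192.168.1.0_24) is not in the REMOTE list; the same configuration with `access-list REMOTE standard permit 192.168.1.0 255.255.255.0` added passes cleanly. The object and regex names are the script's own assumptions.

```python
import ipaddress
import re

# Constructed sample: the configuration from this page with the prompts stripped.
ASA_CONFIG = """
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
access-list REMOTE standard permit 10.77.241.0 255.255.255.0
access-list REMOTE standard permit 192.168.10.0 255.255.255.0
group-policy clientgroup internal
group-policy clientgroup attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value REMOTE
object network NET_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network NET_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static NET_OBJ_192.168.1.0_24 NET_OBJ_192.168.1.0_24 destination static NET_OBJ_192.168.10.0_24 NET_OBJ_192.168.10.0_24
"""

# Constructed variant: same config with the inside subnet added to the split-tunnel list.
FIXED_CONFIG = ASA_CONFIG + "access-list REMOTE standard permit 192.168.1.0 255.255.255.0\n"

# Line patterns for the handful of commands this check cares about (assumed shapes).
ACL_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
OBJ_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^subnet (\S+) (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
POLICY_RE = re.compile(r"^split-tunnel-policy (\S+)$")
LIST_RE = re.compile(r"^split-tunnel-network-list value (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
NAT_RE = re.compile(r"^nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)$")


def _lines(config):
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def parse_acls(config):
    """Standard ACLs as {name: [IPv4Network, ...]}; dotted masks are accepted by ipaddress."""
    acls = {}
    for line in _lines(config):
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(
                ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return acls


def parse_objects(config):
    """Network objects as {name: IPv4Network}; 'host' objects become /32."""
    objects, current = {}, None
    for line in _lines(config):
        m_obj, m_sub, m_host = OBJ_RE.match(line), SUBNET_RE.match(line), HOST_RE.match(line)
        if m_obj:
            current = m_obj.group(1)
        elif current and m_sub:
            objects[current] = ipaddress.ip_network(f"{m_sub.group(1)}/{m_sub.group(2)}", strict=False)
        elif current and m_host:
            objects[current] = ipaddress.ip_network(f"{m_host.group(1)}/32")
        elif not line.startswith("description "):
            current = None  # any other command ends the object block
    return objects


def parse_pool(config):
    """The VPN address pool as the network its first address and mask describe."""
    for line in _lines(config):
        m = POOL_RE.match(line)
        if m:
            return ipaddress.ip_network(f"{m.group(2)}/{m.group(4)}", strict=False)
    return None


def parse_split_tunnel(config):
    """(split-tunnel-policy, name of the split-tunnel network list)."""
    policy = list_name = None
    for line in _lines(config):
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)
        m = LIST_RE.match(line)
        if m:
            list_name = m.group(1)
    return policy, list_name


def parse_nat_exemptions(config):
    """Identity NAT statements (object mapped to itself on both sides) as (src, dst) object names."""
    return [(m.group(1), m.group(3)) for m in map(NAT_RE.match, _lines(config))
            if m and m.group(1) == m.group(2) and m.group(3) == m.group(4)]


def check_split_tunnel(config):
    """Return a list of findings; an empty list means the three pieces agree."""
    findings = []
    policy, list_name = parse_split_tunnel(config)
    networks = parse_acls(config).get(list_name, [])
    objects = parse_objects(config)
    pool = parse_pool(config)
    if policy != "tunnelspecified":
        findings.append(f"split-tunnel-policy is {policy!r}; expected tunnelspecified so only listed networks use the tunnel")
    if not networks:
        findings.append(f"split-tunnel network list {list_name!r} has no permit entries")
    exemptions = parse_nat_exemptions(config)
    if not exemptions:
        findings.append("no identity NAT (NAT exemption) for VPN traffic found; inside hosts will be unreachable")
    for src_name, dst_name in exemptions:
        src, dst = objects.get(src_name), objects.get(dst_name)
        if src is None or dst is None:
            findings.append(f"NAT exemption references an undefined object: {src_name} / {dst_name}")
            continue
        if not any(src.subnet_of(net) for net in networks):
            findings.append(f"{src} is NAT-exempted via {src_name} but not in split-tunnel list {list_name}; "
                            "clients will not route it through the tunnel")
        if pool is not None and not pool.subnet_of(dst):
            findings.append(f"VPN pool {pool} is not covered by NAT exemption destination {dst}")
    return findings


if __name__ == "__main__":
    for msg in check_split_tunnel(ASA_CONFIG) or ["OK: split-tunnel list, NAT exemption and pool agree"]:
        print(msg)
```

Paste the output of `show running-config` in place of the sample string to run it against a real box; the check is read-only and reports rather than changes anything.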

Nice Explanation