Configuring Split Tunneling on the ASA firewall for AnyConnect VPN Client

Posted: August 9, 2015 in CISCO

We’ll allow a client on the internet to securely access the corporate networks (172.16.3.0 and 30.30.30.0) through the VPN tunnel, while its access to the internet (192.168.12.0) stays outside the tunnel and is not encrypted. This is what split tunneling means: only traffic to the listed networks is sent through the VPN.

I used static routes this time:

ASA config:

interface GigabitEthernet0
nameif outside
security-level 0
ip address 20.20.20.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 30.30.30.1 255.255.255.0
!

route outside 0.0.0.0 0.0.0.0 20.20.20.2 1
route inside 172.16.3.0 255.255.255.0 30.30.30.2 1

R2:

interface FastEthernet0/0
ip address 30.30.30.2 255.255.255.0

!
interface FastEthernet0/1
ip address 172.16.3.1 255.255.255.0
!

ip route 0.0.0.0 0.0.0.0 30.30.30.1

INTERNET:

interface FastEthernet0/0
ip address 10.10.10.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.12.2 255.255.255.0
!
interface FastEthernet1/0
ip address 20.20.20.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 20.20.20.1

I installed a TFTP server on 172.16.3.10 and uploaded the ASDM-647.bin file, which we will copy to the ASA in order to install ASDM on the XP host and get GUI access to the ASA configuration:

I also downloaded anyconnect-win-3.1.05178-k9.pkg and copied it to the TFTP server.

!both files are fetched from the TFTP server on 172.16.3.10
ciscoasa(config)#copy tftp://172.16.3.10/asdm-647.bin flash:/asdm.bin
ciscoasa(config)#copy tftp://172.16.3.10/anyconnect-win-3.1.05178-k9.pkg disk0:
!enable ASDM access from the inside network only
ciscoasa(config)#http server enable
ciscoasa(config)#http 172.16.3.0 255.255.255.0 inside
!create pool for VPN clients
ciscoasa(config)#ip local pool vpn_pool 192.168.1.1-192.168.1.3 mask 255.255.255.0
!permit traffic arriving on the outside interface towards the 172.16.3.0 network
!(this permits any outside source, not just VPN clients; decrypted VPN traffic
!bypasses interface ACLs by default anyway because of sysopt connection permit-vpn)
ciscoasa(config)#access-list inside_to_outside extended permit ip any 172.16.3.0 255.255.255.0
ciscoasa(config)#access-group inside_to_outside in interface outside
!define traffic which needs to be tunneled (the split-tunnel network list)
ciscoasa(config)#access-list tunnel_traffic standard permit 30.30.30.0 255.255.255.0
ciscoasa(config)#access-list tunnel_traffic standard permit 172.16.3.0 255.255.255.0

From XP (172.16.3.10) enter https://30.30.30.1 in the browser, download the setup, install the newest Java and run the app.

After connecting to the ASA, click Wizards > VPN Wizards > AnyConnect VPN Wizard.

Type a name for the profile, choose the outside interface and click Next.

Uncheck IPsec (I didn’t use a digital certificate) and click Next.

Click Add, browse the disk and add the AnyConnect package.

Enter the username and password for the VPN user.

Add the VPN pool we created earlier.

Add a DNS server (I used Google’s).

Exclude VPN traffic from NAT (otherwise traffic between the VPN clients and the corporate networks would be translated like any other inside traffic).

Click Group Policy on the left, select the policy we’ve just created on the right (VPN) and click Edit.

Uncheck the check boxes beside Policy and Network List and set the drop-down menus as in the picture: the network list is the tunnel_traffic access list we defined earlier, so only traffic to those networks is sent through the tunnel.

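The CLI equivalent of what the AnyConnect wizard and the group-policy edit above produce, added here as an example (it is not taken from the post). It assumes ASA 8.4 syntax, a tunnel group and group policy both named VPN, a user named vpnuser with a placeholder password, and 8.8.8.8 as the Google DNS server.

```cisco
! Added example: CLI equivalent of the ASDM AnyConnect wizard steps above.
! Assumed: ASA 8.4 syntax, tunnel-group/group-policy named VPN, user "vpnuser".
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05178-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Split tunneling: only destinations in tunnel_traffic (30.30.30.0/24 and
! 172.16.3.0/24) go through the tunnel; everything else (e.g. 192.168.12.0)
! leaves the client in the clear via its normal default route.
group-policy VPN internal
group-policy VPN attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 8.8.8.8
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tunnel_traffic
!
username vpnuser password CHANGE_ME_PLACEHOLDER
username vpnuser attributes
 service-type remote-access
!
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool vpn_pool
 default-group-policy VPN
tunnel-group VPN webvpn-attributes
 group-alias VPN enable
!
! NAT exemption ("Exclude VPN traffic from NAT"): identity twice-NAT between
! the corporate networks and the VPN pool, consistent with the "flags sI"
! entry for 30.30.30.0/24, 172.16.3.0/24 in the xlate output further down.
object network vpn_pool_net
 subnet 192.168.1.0 255.255.255.0
object-group network corp_nets
 network-object 30.30.30.0 255.255.255.0
 network-object 172.16.3.0 255.255.255.0
nat (inside,outside) source static corp_nets corp_nets destination static vpn_pool_net vpn_pool_net no-proxy-arp route-lookup
!
! Verification once a client connects:
! show vpn-sessiondb anyconnect   (session, assigned pool address, group policy)
! show run group-policy VPN       (split-tunnel settings actually applied)
```

On the client, AnyConnect's Route Details should list only the two corporate networks as secured routes; if 0.0.0.0/0 appears there, the split-tunnel policy was not applied.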
I played a bit with NAT. Suppose we have one public IP address; if we want to translate inside addresses to this public address when traffic leaves the inside interface, we would type the following commands:

ciscoasa(config)# object network vpn_server
!the public address that inside hosts are translated to
ciscoasa(config-network-object)# host 20.20.20.5
ciscoasa(config-network-object)# nat (inside,outside) static vpn_server

On the VPN client (10.10.10.10) install anyconnect-win-3.1.07021-pre-deploy-k9.msi and try to connect to 20.20.20.1 (the outside ASA interface).

Enter the username and password when prompted.

Try to ping hosts on the 172.16.3.0 and 30.30.30.0 networks.

Observe the translation table:

ciscoasa(config-network-object)# sh xlate
5 in use, 5 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:0.0.0.0/0 to outside:0.0.0.0/0
    flags sI idle 0:01:16 timeout 0:00:00
NAT from inside:30.30.30.0/24, 172.16.3.0/24 to outside:30.30.30.0/24, 172.16.3.0/24
    flags sI idle 8:23:23 timeout 0:00:00
NAT from inside:30.30.30.0/24 to outside:20.20.20.5
    flags s idle 5:41:39 timeout 0:00:00
NAT from inside:172.16.3.0/24 to outside:20.20.20.5
    flags s idle 5:52:45 timeout 0:00:00

Traffic originating from the inside appears to come from the public address (20.20.20.5). The entry for 30.30.30.0/24, 172.16.3.0/24 carries the I (identity) flag: that is the NAT exemption for VPN traffic, so packets between the VPN clients and the corporate networks keep their real addresses.
