You are right, Tyson. I was not reading that much into it.

On Tue, Oct 5, 2010 at 9:10 AM, Tyson Scott <[email protected]> wrote:
> It is adding the classful mask as the route. With IOS there is the
> netmask option to stop this behavior in the client configuration group.
>
> Try adding it to your address pool
>
> ip local pool addr7 20.10.30.40-20.10.30.43 mask 255.255.255.0
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: Tuesday, October 05, 2010 10:03 AM
> To: Sidney Spencer
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] VPN client issue
>
> What difference does it make when you use standard or extended? I tried
> putting standard acl and still see the same issue.
>
> I am aware of the basics that the split tunneling controls the route
> installation. Let's come out of the basics and look, if there is any other
> reason for this behavior.
>
> Here you go, the config....
>
> ip local pool addr7 20.10.30.40-20.10.30.43
> access-list split extended permit ip 20.10.30.0 255.255.255.0 any
>
> group-policy king internal
> group-policy king attributes
>  vpn-tunnel-protocol IPSec
>  split-tunnel-policy tunnelspecified
>  split-tunnel-network-list value split
>  address-pools value addr7
>
> username cisco password 3USUcOPFUiMCO4Jk encrypted
>
> tunnel-group king type remote-access
> tunnel-group king general-attributes
>  address-pool addr2
>  default-group-policy king
> tunnel-group king ipsec-attributes
>  pre-shared-key *
>
> On Tue, Oct 5, 2010 at 7:14 PM, Sidney Spencer <[email protected]> wrote:
>
> Try doing this.
>
> Change split tunnel ACL to a standard
>
> access-list split standard permit 20.10.30.0 255.255.255.0
>
> You are calling those attributes in your RA tunnel group??
>
> Need all the config for your VPN...
>
> Your split tunnel controls what routes get put into your routing table.
>
> On Tue, Oct 5, 2010 at 8:35 AM, Kingsley Charles <[email protected]> wrote:
>
> ip local pool addr7 20.10.30.40-20.10.30.43
>
> access-list split extended permit ip 20.10.30.0 255.255.255.0 any
>
> group-policy king attributes
>  vpn-tunnel-protocol IPSec
>  split-tunnel-policy tunnelspecified
>  split-tunnel-network-list value split
>  address-pools value addr7
>
> The split tunnel doesn't make a difference. Along with the route to split
> tunnel address, a route to major network is added.
>
> Irrespective of whether it is configured or not, the route for major
> network is installed.
>
> Hence even with split tunnel, traffic to the major network is tunneled.
>
> On Tue, Oct 5, 2010 at 6:59 PM, Sidney Spencer <[email protected]> wrote:
>
> What does your split tunnel ACL look like? Can you post your config?
>
> On Tue, Oct 5, 2010 at 8:25 AM, Kingsley Charles <[email protected]> wrote:
>
> Hi all
>
> I am observing an issue with VPN client. The client's version is 5.0.3. I
> have configured an address pool on the ASA of addresses
> 20.20.30.40-10.20.30.43. The client gets 20.10.30.40.
> If I check the "route print" O/P of the client PC, I see that there is a
> route added for leased address major network.
>
> If you look at the O/P below, there is route for 20.0.0.0/8 with next hop
> of 20.10.30.40 which is leased address. This is wrong as it will make all
> traffic with destination of 20.0.0.0/24 move towards the Server.
> If I am using just 20.10.30.0/24 behind the server and configure split
> tunneling only for 20.10.30.0/24, still I see the route for the major
> network.
>
> Snippet of route print O/P
>
> 20.0.0.0      255.0.0.0        20.10.30.40  20.10.30.40  20
> 20.10.30.40   255.255.255.255  127.0.0.1    127.0.0.1    20
>
> I haven't seen this issue before.
>
> Any idea why it has changed and the reason behind it?
>
> I also observed the same issue with WebVPN Anyconnect.
>
> Why is a route installed for major network on the leased IP address?
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
