then do this:

ip local pool addr7 20.10.30.40-20.10.30.43 mask 255.255.255.224

It is going to split tunnel the entire subnet. If you want to be more specific then do:

ip local pool addr7 20.10.30.40-20.10.30.43 mask 255.255.255.248

That is as close as you are going to get.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Kingsley Charles [mailto:[email protected]]
Sent: Tuesday, October 05, 2010 10:30 AM
To: Tyson Scott
Cc: Sidney Spencer; [email protected]
Subject: Re: [OSL | CCIE_Security] VPN client issue

If I add split tunnel for 20.10.30.32 255.255.255.224 and local pool as following:

access-list split permit ip 20.10.30.32 255.255.255.224 any
ip local pool addr7 20.10.30.40-20.10.30.43 netmask 255.255.255.0

Now the VPN client PC will have routes as following, which breaks the purpose of split tunneling:

20.10.30.0    255.255.255.0      20.10.30.40    20.10.30.40
20.10.30.0    255.255.255.224    20.10.30.40    20.10.30.40

With regards
Kings

On Tue, Oct 5, 2010 at 7:51 PM, Kingsley Charles <[email protected]> wrote:

Tyson, if I mention the mask 255.255.255.0 then the following route is added:

20.10.30.0    255.255.255.0      20.10.30.40    20.10.30.40

Now it adds a route with subnet mask of 255.255.255.0. Still I don't feel that's right? Only routes corresponding to the split tunnel should be added, am I right?
With regards
Kings

On Tue, Oct 5, 2010 at 7:40 PM, Tyson Scott <[email protected]> wrote:

It is adding the classful mask as the route. With IOS there is the netmask option to stop this behavior in the client configuration group. Try adding it to your address pool:

ip local pool addr7 20.10.30.40-20.10.30.43 mask 255.255.255.0

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, October 05, 2010 10:03 AM
To: Sidney Spencer
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] VPN client issue

What difference does it make when you use standard or extended? I tried putting a standard ACL and still see the same issue. I am aware of the basics that the split tunneling controls the route installation. Let's come out of the basics and look if there is any other reason for this behavior. Here you go, the config:
ip local pool addr7 20.10.30.40-20.10.30.43
access-list split extended permit ip 20.10.30.0 255.255.255.0 any
group-policy king internal
group-policy king attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 address-pools value addr7
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group king type remote-access
tunnel-group king general-attributes
 address-pool addr2
 default-group-policy king
tunnel-group king ipsec-attributes
 pre-shared-key *

On Tue, Oct 5, 2010 at 7:14 PM, Sidney Spencer <[email protected]> wrote:

Try doing this. Change the split tunnel ACL to a standard access-list:

access-list split standard permit 20.10.30.0 255.255.255.0

Are you calling those attributes in your RA tunnel group?? Need all the config for your VPN... Your split tunnel controls what routes get put into your routing table.

On Tue, Oct 5, 2010 at 8:35 AM, Kingsley Charles <[email protected]> wrote:

ip local pool addr7 20.10.30.40-20.10.30.43
access-list split extended permit ip 20.10.30.0 255.255.255.0 any
group-policy king attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 address-pools value addr7

The split tunnel doesn't make a difference. Along with the route to the split tunnel address, a route to the major network is added. Irrespective of whether it is configured or not, the route for the major network is installed. Hence even with split tunnel, traffic to the major network is tunneled.

On Tue, Oct 5, 2010 at 6:59 PM, Sidney Spencer <[email protected]> wrote:

What does your split tunnel ACL look like? Can you post your config?

On Tue, Oct 5, 2010 at 8:25 AM, Kingsley Charles <[email protected]> wrote:

Hi all,

I am observing an issue with the VPN client. The client's version is 5.0.3. I have configured an address pool on the ASA of addresses 20.10.30.40-20.10.30.43. The client gets 20.10.30.40.
If I check the "route print" O/P of the client PC, I see that there is a route added for the leased address's major network. If you look at the O/P below, there is a route for 20.0.0.0/8 with next hop of 20.10.30.40, which is the leased address. This is wrong as it will make all traffic with destination of 20.0.0.0/24 move towards the server. If I am using just 20.10.30.0/24 behind the server and configure split tunneling only for 20.10.30.0/24, still I see the route for the major network.

Snippet of route print O/P:

20.0.0.0       255.0.0.0          20.10.30.40    20.10.30.40    20
20.10.30.40    255.255.255.255    127.0.0.1      127.0.0.1      20

I haven't seen this issue before. Any idea why it has changed and the reason behind it? I also observed the same issue with WebVPN AnyConnect. Why is a route installed for the major network on the leased IP address?

With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
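An added example, not part of the thread above: a small Python audit that parses a Windows "route print" table, picks out the routes the VPN client pushed (those whose Interface column is the leased address), and flags any that are broader than the split-tunnel ACL, which is exactly the 20.0.0.0/8 route Kings is seeing. It also models the behaviour Tyson describes (route for the leased address's network, using the pool's mask if set and the classful mask otherwise) so you can see what each candidate `mask` value on `ip local pool` would install. The ROUTE_PRINT sample is constructed from the snippets in the thread plus made-up filler rows; all function names, and the `expected_pool_route` model of client behaviour, are my own assumptions, not ASA or VPN client code.

```python
import ipaddress
import re

# Constructed sample of a Windows "route print" IPv4 table. The two rows via
# 20.10.30.40 are modelled on the thread's snippets; the rest is filler.
ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10     25
         20.0.0.0        255.0.0.0      20.10.30.40     20.10.30.40     20
      20.10.30.32  255.255.255.224      20.10.30.40     20.10.30.40     20
      20.10.30.40  255.255.255.255        127.0.0.1       127.0.0.1     20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      192.168.1.0    255.255.255.0    192.168.1.10    192.168.1.10     25
===========================================================================
"""

# destination, netmask, gateway (an IP or "On-link"), interface, metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Parse the IPv4 'Active Routes' rows of `route print` output.

    Returns (network, gateway, interface, metric) tuples; header, separator
    and IPv6 lines are skipped because they do not match ROUTE_RE.
    """
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes


def parse_split_acl(acl_lines):
    """Turn ASA split-tunnel ACL lines (standard or extended) into networks.

    Only the "permit [ip] <network> <mask> ..." forms used in the thread are
    handled; 'host' and object-group forms are not.
    """
    nets = []
    for line in acl_lines:
        tokens = line.split()
        if "permit" not in tokens:
            continue
        i = tokens.index("permit")
        if tokens[i + 1] == "ip":  # extended form carries a protocol keyword
            i += 1
        nets.append(ipaddress.ip_network(f"{tokens[i + 1]}/{tokens[i + 2]}", strict=False))
    return nets


def tunnelled_routes(routes, leased_ip):
    """Routes the VPN client pushed: those whose interface is the leased address."""
    return [r for r in routes if r[2] == leased_ip]


def routes_wider_than_split(routes, leased_ip, split_nets):
    """Return tunnelled networks not contained in any split-tunnel ACL entry.

    Any such route sends traffic into the tunnel that split tunnelling was
    meant to keep out (the 20.0.0.0/8 or 20.10.30.0/24 route in the thread).
    """
    return [net for net, _gw, _iface, _metric in tunnelled_routes(routes, leased_ip)
            if not any(net.subnet_of(s) for s in split_nets)]


def classful_prefix(ip):
    """Classful prefix length for an IPv4 address (RFC 791 classes A/B/C)."""
    first_octet = int(str(ip).split(".")[0])
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def expected_pool_route(leased_ip, pool_mask=None):
    """Assumed model of the behaviour described in the thread, not client code:
    the client installs a route for the network containing its leased address,
    using the pool's 'mask' when configured and the classful mask otherwise."""
    ip = ipaddress.ip_address(leased_ip)
    if pool_mask is None:
        return ipaddress.ip_network(f"{ip}/{classful_prefix(ip)}", strict=False)
    return ipaddress.ip_network(f"{ip}/{pool_mask}", strict=False)


if __name__ == "__main__":
    split = parse_split_acl(["access-list split permit ip 20.10.30.32 255.255.255.224 any"])
    routes = parse_route_print(ROUTE_PRINT)
    for net in routes_wider_than_split(routes, "20.10.30.40", split):
        print("tunnelled route not covered by split-tunnel ACL:", net)
    for mask in (None, "255.255.255.0", "255.255.255.224", "255.255.255.248"):
        print("pool mask", mask, "->", expected_pool_route("20.10.30.40", mask))
```

Run it against a real `route print` capture by replacing ROUTE_PRINT and the ACL line; the audit reports every tunnelled prefix the split list does not cover, which is the quickest way to confirm whether a new pool `mask` value actually removed the unwanted route rather than just narrowing it.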
