With split tunneling, the destination entry of the ACL is ignored, and hence you can see that split tunneling entries 1, 2 and 3 are the same. Just some info; it has nothing to do with the loss of Internet connectivity.
Now, are destinations other than 172.16.0.0/16 not reachable for you?

With regards
Kings

On Tue, Oct 11, 2011 at 5:18 PM, yusef sheriff <[email protected]> wrote:
> please find the output below:-
>
> Router#sh crypto ipsec client ez
> Router#sh crypto ipsec client ezvpn
> Easy VPN Remote Phase: 8
>
> Tunnel name : ASA
> Inside interface list: GigabitEthernet0/0
> Outside interface: Dialer1
> Connect : ACL based with access-list 105
> Current State: IPSEC_ACTIVE
> Last Event: MTU_CHANGED
> DNS Primary: 172.16.1.95
> Default Domain: habtoorengg.co.ae
> Save Password: Allowed
> Split Tunnel List: 1
>        Address    : 172.16.0.0
>        Mask       : 255.255.0.0
>        Protocol   : 0x0
>        Source Port: 0
>        Dest Port  : 0
> Split Tunnel List: 2
>        Address    : 172.16.0.0
>        Mask       : 255.255.0.0
>        Protocol   : 0x0
>        Source Port: 0
>        Dest Port  : 0
> Split Tunnel List: 3
>        Address    : 172.16.0.0
>        Mask       : 255.255.0.0
>        Protocol   : 0x0
>        Source Port: 0
>        Dest Port  : 0
> Current EzVPN Peer: 213.42.108.130
>
>
> On Tue, Oct 11, 2011 at 2:28 PM, Kingsley Charles <[email protected]> wrote:
>
>> Can you paste the "sh crypto ipsec client ezvpn" O/P.
>>
>> With regards
>> Kings
>>
>>
>> On Tue, Oct 11, 2011 at 3:15 PM, yusef sheriff <[email protected]> wrote:
>>
>>> Yes, it's configured.
>>> ASA configuration:
>>>
>>> access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0 255.255.0.0 172.23.1.0 255.255.255.0
>>> access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0 255.255.0.0 172.23.2.0 255.255.255.0
>>> access-list omanao-tunnel_splitTunnelAcl_1 extended permit ip 172.16.0.0 255.255.0.0 10.10.10.0 255.255.255.0
>>>
>>> group-policy aooman attributes
>>>  vpn-tunnel-protocol IPSec
>>>  password-storage enable
>>>  split-tunnel-policy tunnelspecified
>>>  split-tunnel-network-list value omanao-tunnel_splitTunnelAcl_1
>>>  default-domain value habtoorengg.co.ae
>>>  nem enable
>>>
>>> tunnel-group aooman type remote-access
>>> tunnel-group aooman general-attributes
>>>  default-group-policy aooman
>>> tunnel-group aooman ipsec-attributes
>>>  pre-shared-key *
>>>
>>> crypto map is standard configuration
>>>
>>> On Tue, Oct 11, 2011 at 1:35 PM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> Have you configured split tunneling on the ASA?
>>>>
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Tue, Oct 11, 2011 at 12:45 PM, yusef sheriff <[email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I have configured an EZVPN server on the ASA and the remote client is an IOS router.
>>>>> The VPN is able to connect without any issue, but the remote clients are losing
>>>>> their internet connectivity: the NAT translation becomes empty once I apply
>>>>> "crypto ipsec ezvpn ... outside" on the dialer interface. Below is the configuration of the
>>>>> router.
>>>>>
>>>>> =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.10.11 11:07:53 =~=~=~=~=~=~=~=~=~=~=~=
>>>>> sh run
>>>>> Building configuration...
>>>>> Current configuration : 2999 bytes
>>>>> !
>>>>> ! Last configuration change at 07:03:00 UTC Tue Oct 11 2011
>>>>> !
>>>>> version 15.0
>>>>> service config
>>>>> service timestamps debug datetime msec
>>>>> service timestamps log datetime msec
>>>>> service password-encryption
>>>>> !
>>>>> hostname Router
>>>>> !
>>>>> boot-start-marker
>>>>> boot-end-marker
>>>>> !
>>>>> !
>>>>> no aaa new-model
>>>>> !
>>>>> !
>>>>> !
>>>>> !
>>>>> !
>>>>> !
>>>>> no ipv6 cef
>>>>> ip source-route
>>>>> ip cef
>>>>> !
>>>>> !
>>>>> !
>>>>> !
>>>>> !
>>>>> !
>>>>> !
>>>>> !
>>>>> redundancy
>>>>> !
>>>>> !
>>>>> !
>>>>> !
>>>>> !
>>>>> !
>>>>> crypto ipsec client ezvpn ASA
>>>>>  connect acl 105
>>>>>  group aooman key hlg2oma@vpn
>>>>>  mode network-extension
>>>>>  peer 213.42.108.130
>>>>>  username hlgoman password us@hlom
>>>>>  xauth userid mode local
>>>>> !
>>>>> !
>>>>> !
>>>>> !
>>>>> !
>>>>> interface GigabitEthernet0/0
>>>>>  ip address 10.10.10.1 255.255.255.0
>>>>>  ip access-group 100 out
>>>>>  ip nat inside
>>>>>  ip virtual-reassembly
>>>>>  duplex auto
>>>>>  speed auto
>>>>>  crypto ipsec client ezvpn ASA inside
>>>>> !
>>>>> !
>>>>> interface GigabitEthernet0/1
>>>>>  no ip address
>>>>>  duplex auto
>>>>>  speed auto
>>>>>  pppoe enable group global
>>>>>  pppoe-client dial-pool-number 1
>>>>>  no cdp enable
>>>>> !
>>>>> !
>>>>> interface GigabitEthernet0/2
>>>>>  no ip address
>>>>>  shutdown
>>>>>  duplex auto
>>>>>  speed auto
>>>>> !
>>>>> !
>>>>> interface Dialer0
>>>>>  no ip address
>>>>> !
>>>>> !
>>>>> interface Dialer1
>>>>>  ip address negotiated
>>>>>  ip access-group 101 in
>>>>>  ip mtu 1492
>>>>>  ip nat outside
>>>>>  ip virtual-reassembly
>>>>>  encapsulation ppp
>>>>>  ip tcp adjust-mss 1452
>>>>>  dialer pool 1
>>>>>  dialer-group 1
>>>>>  ppp authentication chap pap callin
>>>>>  ppp chap hostname hlgoman
>>>>>  ppp chap password 7 15160D1A503A797C2E
>>>>>  ppp pap sent-username hlgoman password 7 06020937185E5B410357
>>>>>  ppp ipcp dns request accept
>>>>>  ppp ipcp route default
>>>>>  ppp ipcp address accept
>>>>> !
>>>>> !
>>>>> ip forward-protocol nd
>>>>> !
>>>>> no ip http server
>>>>> no ip http secure-server
>>>>> !
>>>>> ip nat inside source route-map nonat interface Dialer1 overload
>>>>> ip route 0.0.0.0 0.0.0.0 Dialer1
>>>>> ip route 172.23.1.0 255.255.255.0 10.10.10.2
>>>>> ip route 172.23.2.0 255.255.255.0 10.10.10.2
>>>>> !
>>>>> ip access-list extended VPN_ACCESS
>>>>>  deny ip 172.23.1.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>  deny ip 172.23.2.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>  deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>>  permit ip 172.23.1.0 0.0.0.255 any
>>>>>  permit ip 172.23.2.0 0.0.0.255 any
>>>>>  permit ip 10.10.10.0 0.0.0.255 any
>>>>> !
>>>>> access-list 10 permit 172.23.2.0 0.0.0.255
>>>>> access-list 10 permit 172.23.1.0 0.0.0.255
>>>>> access-list 10 permit 10.10.10.0 0.0.0.255
>>>>> access-list 100 permit ip any any
>>>>> access-list 101 permit ip any any
>>>>> access-list 105 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>> access-list 105 permit ip 172.23.1.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>> access-list 105 permit ip 172.23.2.0 0.0.0.255 172.16.0.0 0.0.255.255
>>>>> access-list 106 permit ip 172.23.1.0 0.0.0.255 any
>>>>> access-list 106 permit ip 172.23.2.0 0.0.0.255 any
>>>>> access-list 106 permit ip 10.10.10.0 0.0.0.255 any
>>>>> dialer-list 1 protocol ip permit
>>>>> !
>>>>> !
>>>>> !
>>>>> !
>>>>> route-map EVPN permit 1
>>>>>  match ip address 105
>>>>> !
>>>>> route-map nonat permit 10
>>>>>  match ip address VPN_ACCESS
>>>>> !
>>>>> !
>>>>> !
>>>>> control-plane
>>>>> !
>>>>> !
>>>>> !
>>>>> line con 0
>>>>> line aux 0
>>>>> line vty 0 4
>>>>>  password 7 07062C584F0A485744
>>>>>  login
>>>>> !
>>>>> scheduler allocate 20000 1000
>>>>> end
>>>>> Router#
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
>>>>>
>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>> www.PlatinumPlacement.com <http://www.platinumplacement.com/>
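As an added example (my own code, not posted by anyone in this thread): a small Python script that reads the split-tunnel list from the "sh crypto ipsec client ezvpn" output and the VPN_ACCESS access-list that drives the "nonat" route-map, both copied from the messages above, and for a few sample flows reports whether the destination is expected to be tunneled or NATted out Dialer1, flagging flows where the two disagree. The parser, the function names and the sample flows are my own assumptions; the pasted text is the thread's.

```python
"""Reconcile an EzVPN client's pushed split-tunnel list with the router's
NAT-exempt ACL.  Added example: the sample text below is copied from the
"sh crypto ipsec client ezvpn" output and the VPN_ACCESS access-list posted
in this thread; every function and sample flow here is my own assumption."""
import ipaddress
import re

# Pasted output, trimmed to the lines this parser reads (constructed sample).
SHOW_EZVPN = """\
Split Tunnel List: 1
       Address    : 172.16.0.0
       Mask       : 255.255.0.0
Split Tunnel List: 2
       Address    : 172.16.0.0
       Mask       : 255.255.0.0
Split Tunnel List: 3
       Address    : 172.16.0.0
       Mask       : 255.255.0.0
"""

# The route-map "nonat" matches this ACL: "deny" entries are exempt from NAT
# (they must be tunneled), "permit" entries are translated out Dialer1.
NAT_EXEMPT_ACL = """\
ip access-list extended VPN_ACCESS
 deny ip 172.23.1.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny ip 172.23.2.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 172.23.1.0 0.0.0.255 any
 permit ip 172.23.2.0 0.0.0.255 any
 permit ip 10.10.10.0 0.0.0.255 any
"""

def parse_split_tunnel_list(text):
    """Networks pushed by the server, duplicates collapsed (only the
    destination side of the ASA's split ACL survives, so 3 entries -> 1)."""
    nets = []
    for addr, mask in re.findall(r"Address\s*:\s*(\S+)\s+Mask\s*:\s*(\S+)", text):
        net = ipaddress.ip_network((addr, mask), strict=False)
        if net not in nets:
            nets.append(net)
    return nets

def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' pair -> ip_network (wildcard is an inverted mask)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network((addr, str(mask)), strict=False)

def parse_nat_exempt_acl(text):
    """Parse 'permit|deny ip SRC DST' lines; each side is 'any' or 'addr wildcard'."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("permit", "deny") or parts[1] != "ip":
            continue
        fields, nets = parts[2:], []
        while fields:
            if fields[0] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
                fields = fields[1:]
            else:
                nets.append(wildcard_to_network(fields[0], fields[1]))
                fields = fields[2:]
        rules.append((parts[0], nets[0], nets[1]))
    return rules

def nat_action(rules, src, dst):
    """First-match lookup; an ACL ends in an implicit deny (= no translation)."""
    for action, s, d in rules:
        if src in s and dst in d:
            return action
    return "deny"

def expected_path(src_ip, dst_ip, split_nets, nat_rules):
    """Return (path, consistent) for one flow from an inside host.

    path is "tunnel" when the destination falls in the split-tunnel list
    (the client matches on destination only), otherwise "internet".
    consistent is False when the NAT ACL disagrees: tunneled traffic that
    would still be translated, or clear traffic exempted from NAT, which
    would leave Dialer1 with a private source address and never return."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    tunneled = any(dst in n for n in split_nets)
    translated = nat_action(nat_rules, src, dst) == "permit"
    return ("tunnel" if tunneled else "internet"), tunneled != translated

if __name__ == "__main__":
    split = parse_split_tunnel_list(SHOW_EZVPN)
    rules = parse_nat_exempt_acl(NAT_EXEMPT_ACL)
    print("split-tunnel networks:", [str(n) for n in split])
    for s, d in [("10.10.10.5", "172.16.1.95"),    # the pushed DNS server
                 ("10.10.10.5", "8.8.8.8"),        # an Internet destination
                 ("172.23.1.7", "172.16.50.1"),
                 ("192.168.99.9", "8.8.8.8")]:     # a source the NAT ACL never lists
        path, ok = expected_path(s, d, split, rules)
        print(f"{s:>14} -> {d:<14} {path:8} {'ok' if ok else 'MISMATCH'}")
```

Run as-is it shows the three pushed entries collapsing to a single 172.16.0.0/16, traffic from the three inside subnets to 172.16.0.0/16 tunneled and exempt from NAT, and everything else from those subnets expected to be translated out Dialer1; the last sample flow shows the MISMATCH case for a source the ACL does not cover. If the expected path for an Internet destination is "internet ok" but "sh ip nat translations" stays empty on the live router, the configuration itself is consistent and the problem lies in how the EzVPN client intercepts traffic on the outside interface rather than in the ACLs.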
