Question : VPN split tunneling not working on ASA5510

I am setting up my firewall to accept remote connection VPNs, and I can't get split tunneling to work.  I connect, but once connected I cannot browse the internet.

Here is my running-config:

: Saved
:
ASA Version 8.2(2)
!
hostname HDH-Cisco5510IPS
domain-name hdh.local
enable password TdfwmQA279nt/Kbj encrypted
passwd TdfwmQA279nt/Kbj encrypted
names
name 172.22.13.0 Cloverdale
name 172.22.17.0 Windsor
name 207.65.76.20 Passport
name 172.20.0.56 PalmDrive
name 172.22.15.0 Healdsburg-Ave
name 170.229.11.19 Router-to-RRMG
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 75.144.30.210 255.255.255.248
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 170.229.11.6 255.255.240.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 0
 no ip address
 management-only
!
banner login Authorized Personal Only!!!
banner login If you are not authorized to login please disconnect now.
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 170.229.11.2
 name-server 170.229.11.10
 domain-name hdh.local
same-security-traffic permit intra-interface
object-group service MIRTH_LAB_HL7
 service-object tcp eq 9443
 service-object udp eq 9443
object-group service SMARTNET
 service-object tcp eq pcanywhere-data
 service-object udp eq pcanywhere-status
 service-object tcp eq ftp
object-group network ARUP
 network-object host 12.10.132.226
 network-object host 12.10.132.232
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network RRMG
 network-object host 10.10.10.155
 network-object host 10.10.15.102
 network-object host 10.10.254.10
 network-object host 10.2.26.50
 network-object host 192.168.3.226
 network-object 10.51.100.0 255.255.255.0
access-list outside_access_in remark InTouch (Robot)
access-list outside_access_in extended permit udp any host 75.114.30.213 range 9000 9101
access-list outside_access_in remark Exchange
access-list outside_access_in extended permit tcp any host 75.144.30.213 eq smtp
access-list outside_access_in remark Medical Records (SmartNet)
access-list outside_access_in extended permit object-group SMARTNET any host 75.144.30.212
access-list outside_access_in remark Mirth Lab HL7
access-list outside_access_in extended permit object-group MIRTH_LAB_HL7 host 68.178.199.210 host 75.114.30.213
access-list outside_access_in extended permit object-group MIRTH_LAB_HL7 host 209.85.69.25 host 75.144.30.213
access-list outside_access_in extended permit object-group MIRTH_LAB_HL7 host 76.230.26.170 host 75.144.30.213
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_1_cryptomap extended permit ip 170.229.0.0 255.255.240.0 Cloverdale 255.255.255.0
access-list inside_nat0_outbound extended permit ip 170.229.0.0 255.255.240.0 Cloverdale 255.255.255.0
access-list inside_nat0_outbound extended permit ip 170.229.0.0 255.255.240.0 Windsor 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 170.229.11.124 object-group ARUP
access-list inside_nat0_outbound extended permit ip host 170.229.11.124 host Passport
access-list inside_nat0_outbound extended permit ip 170.229.0.0 255.255.240.0 host PalmDrive
access-list inside_nat0_outbound extended permit ip 170.229.0.0 255.255.240.0 object-group RRMG
access-list inside_nat0_outbound extended permit ip 170.229.0.0 255.255.240.0 Healdsburg-Ave 255.255.255.0
access-list inside_nat0_outbound extended permit ip 170.229.0.0 255.255.240.0 170.22.22.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 170.229.0.0 255.255.240.0 Windsor 255.255.255.0
access-list outside_3_cryptomap extended permit ip host 170.229.11.124 object-group ARUP
access-list outside_4_cryptomap extended permit ip host 170.229.11.124 host Passport
access-list outside_5_cryptomap extended permit ip 170.229.0.0 255.255.240.0 host PalmDrive
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 170.22.22.0 255.255.255.0 any
access-list IPS extended permit ip any any
access-list IT_splitTunnelAcl standard permit 170.22.22.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging facility 17
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool IT-Pool 172.22.22.1-172.22.22.10 mask 255.255.255.255
ip verify reverse-path interface inside
no failover
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 75.144.30.212 170.229.11.200 netmask 255.255.255.255
static (inside,outside) 75.144.30.211 170.229.11.26 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 75.144.30.214 1
route inside 10.2.26.50 255.255.255.255 Router-to-RRMG 1
route inside 10.10.10.155 255.255.255.255 Router-to-RRMG 1
route inside 10.10.15.102 255.255.255.255 Router-to-RRMG 1
route inside 10.10.254.10 255.255.255.255 Router-to-RRMG 1
route inside 10.51.1.0 255.255.255.0 Router-to-RRMG 1
route inside Healdsburg-Ave 255.255.255.0 170.229.11.60 1
route inside 192.168.3.226 255.255.255.255 Router-to-RRMG 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 170.229.0.0 255.255.240.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 70.89.157.158
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 173.164.155.242
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer 12.10.132.31
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs group1
crypto map outside_map 4 set peer 207.65.77.135
crypto map outside_map 4 set transform-set ESP-3DES-MD5
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs group1
crypto map outside_map 5 set peer 63.193.20.139
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=75.144.30.213,O=North Sonoma County Hospital District,C=US
 keypair VPN
 crl configure
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 170.229.0.0 255.255.240.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 anyconnect-essentials
group-policy IT internal
group-policy IT attributes
 dns-server value 170.229.11.2 170.229.11.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IT_splitTunnelAcl
 default-domain value hdh.local
username mmcjilton password Gbr1LgkU8cAKX5Pp encrypted privilege 15
username gcrossan password MgXqpsHooqyWk.LK encrypted privilege 0
username gcrossan attributes
 vpn-group-policy IT
username clindell password bLTxyxQHPMK2XH77 encrypted privilege 0
username clindell attributes
 vpn-group-policy IT
tunnel-group 70.89.157.158 type ipsec-l2l
tunnel-group 70.89.157.158 ipsec-attributes
 pre-shared-key *****
tunnel-group 173.164.155.242 type ipsec-l2l
tunnel-group 173.164.155.242 ipsec-attributes
 pre-shared-key *****
tunnel-group 12.10.132.31 type ipsec-l2l
tunnel-group 12.10.132.31 ipsec-attributes
 pre-shared-key *****
tunnel-group 207.65.77.135 type ipsec-l2l
tunnel-group 207.65.77.135 ipsec-attributes
 pre-shared-key *****
tunnel-group 63.193.20.139 type ipsec-l2l
tunnel-group 63.193.20.139 ipsec-attributes
 pre-shared-key *****
tunnel-group IT type remote-access
tunnel-group IT general-attributes
 address-pool IT-Pool
 default-group-policy IT
tunnel-group IT ipsec-attributes
 pre-shared-key *****
!
class-map global-class
 match any
!
!
policy-map global-policy
 class global-class
  ips inline fail-open sensor vs0
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global-policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:64648ac01f251dd2b3d5650664dac2a0
: end
asdm image disk0:/asdm-631.bin
asdm location Cloverdale 255.255.255.0 inside
asdm location Windsor 255.255.255.0 inside
asdm location 12.10.132.226 255.255.255.255 inside
asdm location 12.10.132.232 255.255.255.255 inside
asdm location Passport 255.255.255.255 inside
asdm location PalmDrive 255.255.255.255 inside
asdm location Healdsburg-Ave 255.255.255.0 inside
asdm location Router-to-RRMG 255.255.255.255 inside
asdm location 170.22.22.0 255.255.255.0 inside
no asdm history enable

Answer : VPN split tunneling not working on ASA5510

OK, if that is the case,
your split tunnel has to be like this:

no access-list IT_splitTunnelAcl standard permit 170.229.0.0 255.255.240.0
access-list IT_splitTunnelAcl standard permit host 0.0.0.0
group-policy IT attributes
 no split-tunnel-policy tunnelspecified
 no split-tunnel-network-list value IT_splitTunnelAcl
 split-tunnel-policy excludespecified
 split-tunnel-network-list value IT_splitTunnelAcl

+ You have to select the local LAN access in the client; see image.

let me know the status
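Both posts above turn on how three things relate to each other: the split-tunnel ACL, the nat 0 exemption, and the VPN address pool. The Python script below is an added example, not code from the question or the reply. It extracts those statements from an excerpt copied out of the posted running-config, reports where they disagree (in the posted config the split-tunnel ACL and the nat 0 ACE both name 170.22.22.0/24, which is neither the 170.229.0.0/20 inside network nor the 172.22.22.x pool), and then models which destinations a client sends into the tunnel under the posted tunnelspecified policy versus the reply's excludespecified policy with host 0.0.0.0. The parse/check/is_tunneled helpers and their messages are this example's own assumptions, not ASA commands, and the 192.168.1.0/24 client LAN is constructed.

```python
"""Consistency check of the split-tunnel pieces of an ASA 8.2 running-config,
plus a model of which destinations a VPN client sends into the tunnel.
Added example, not part of the question or the reply: CONFIG is an excerpt
copied from the posted config; parse/check/is_tunneled are this example's own
helpers, not ASA commands."""
import ipaddress
import re

# Excerpt of the posted running-config (only the lines the check needs).
CONFIG = """\
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 170.229.11.6 255.255.240.0
access-list inside_nat0_outbound extended permit ip 170.229.0.0 255.255.240.0 170.22.22.0 255.255.255.0
access-list IT_splitTunnelAcl standard permit 170.22.22.0 255.255.255.0
ip local pool IT-Pool 172.22.22.1-172.22.22.10 mask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
group-policy IT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IT_splitTunnelAcl
"""

ZERO_HOST = ipaddress.ip_network("0.0.0.0/32")  # Cisco idiom for "the client's own LAN"


def net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse(config):
    """Extract only the statements the split-tunnel check depends on."""
    f = {"inside_net": None, "pool": None, "std_acls": {}, "ext_acls": {},
         "nat0_acl": None, "split_policy": None, "split_acl": None}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            nameif = None                          # a new interface block begins
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif == "inside":
            _, _, ip, mask = line.split()
            f["inside_net"] = net(ip, mask)
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line):
            n = net(m[3], "255.255.255.255") if m[2] == "host" else net(m[2], m[3])
            f["std_acls"].setdefault(m[1], []).append(n)
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            f["ext_acls"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"ip local pool \S+ (\S+)-(\S+) mask", line):
            f["pool"] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            f["nat0_acl"] = m[1]
        elif line.startswith("split-tunnel-policy "):
            f["split_policy"] = line.split()[1]
        elif line.startswith("split-tunnel-network-list value "):
            f["split_acl"] = line.split()[2]
    return f


def check(f):
    """Return findings; an empty list means the pieces agree with each other."""
    findings = []
    inside = f["inside_net"]
    split_nets = f["std_acls"].get(f["split_acl"], [])
    # tunnelspecified: only listed networks ride the tunnel, so the LAN must be listed.
    if f["split_policy"] == "tunnelspecified" and not any(inside.subnet_of(n) for n in split_nets):
        findings.append(f"split-tunnel ACL {[str(n) for n in split_nets]} does not include inside network {inside}")
    # inside -> pool must bypass NAT, or replies to clients are PAT'd to the outside address.
    pool_nets = list(ipaddress.summarize_address_range(*f["pool"]))
    exempt = f["ext_acls"].get(f["nat0_acl"], [])
    if not all(any(inside.subnet_of(s) and p.subnet_of(d) for s, d in exempt) for p in pool_nets):
        findings.append(f"nat 0 ACL does not exempt {inside} -> pool {f['pool'][0]}-{f['pool'][1]}")
    return findings


def is_tunneled(dst, policy, split_nets, client_lan=None, local_lan_access=False):
    """Client-side decision for one destination. tunnelspecified sends only listed
    networks into the tunnel; excludespecified sends everything except listed
    networks, where host 0.0.0.0 stands for the client's own LAN and only takes
    effect if the client has local LAN access enabled."""
    dst = ipaddress.ip_address(dst)
    listed = any(dst in n for n in split_nets if n != ZERO_HOST)
    local = (ZERO_HOST in split_nets and local_lan_access
             and client_lan is not None and dst in client_lan)
    if policy == "tunnelall":
        return True
    if policy == "tunnelspecified":
        return listed
    if policy == "excludespecified":
        return not (listed or local)
    raise ValueError(f"unknown split-tunnel policy {policy!r}")


if __name__ == "__main__":
    facts = parse(CONFIG)
    for finding in check(facts):
        print("FINDING:", finding)
    posted = facts["std_acls"]["IT_splitTunnelAcl"]
    reply = [ZERO_HOST]                          # the reply's 'standard permit host 0.0.0.0'
    lan = net("192.168.1.0", "255.255.255.0")    # constructed home LAN of one client
    for dst in ("170.229.11.2", "8.8.8.8", "192.168.1.10"):
        print(f"{dst:>14}  posted: {is_tunneled(dst, 'tunnelspecified', posted)!s:5}"
              f"  reply: {is_tunneled(dst, 'excludespecified', reply, lan, True)}")
```

Run as-is, the checker prints two findings against the posted excerpt and the model shows that under tunnelspecified neither the inside DNS server nor 8.8.8.8 enters the tunnel, while under excludespecified with host 0.0.0.0 everything except the client's own LAN does. The practical consequence of the reply's approach is that Internet-bound traffic arrives at the ASA and has to be turned back out of the outside interface: the posted config already has same-security-traffic permit intra-interface, but the pool addresses would also need a NAT rule on the outside interface for that return path to work.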