Help - Split-Tunneling Will Not Work

ntents

MIS
May 22, 2000
1
US
I have a Pix 515 and cannot for the life of me get split-tunneling to work for our employees that use the VPN client. Here are the relevant parts of my Pix config - any help would be greatly appreciated.

PIX Version 6.3(3)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security60

access-list 90 permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0

ip address outside 208.5.xxx.xxx 255.255.255.224
ip address inside 172.16.xxx.xxx 255.255.0.0
ip address dmz 10.1.1.xxx 255.255.255.0

ip local pool remote_user 192.168.1.1-192.168.1.254

nat (inside) 0 access-list 90
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
nat (dmz) 1 10.1.1.0 255.255.255.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto dynamic-map dyn_map 20 set transform-set strong
crypto map my_map 20 ipsec-isakmp dynamic dyn_map
crypto map my_map interface outside

isakmp enable outside
isakmp key ********** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local remote_user outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 14400

vpngroup remote_user address-pool remote_user
vpngroup remote_user dns-server 172.16.xxx.xxx
vpngroup remote_user wins-server 172.16.xxx.xxx
vpngroup remote_user default-domain mycompany.com
vpngroup remote_user split-tunnel 90
vpngroup remote_user idle-time 1800
vpngroup remote_user password **********


 
These clients who dial in ... they're not already on a 192.168.1.0/24 range, are they?

As in, is that their local range? Because if, for example, they're on 192.168.1.2, with an ADSL modem / little home firewall etc. on 192.168.1.1, you *might* have a routing issue, because their local address and VPN-assigned IP are on the same subnet.

Is it possible to change the local pool to something else, say 172.20.0.0/16?

eg.

no access-list 90 permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 90 permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0

no ip local pool remote_user 192.168.1.1-192.168.1.254
ip local pool remote_user 172.16.0.1-172.16.0.254

then

clear crypto ipsec sa
clear crypto isakmp sa
clear xlate


 
Sorry, where I've put

ip local pool remote_user 172.16.0.1-172.16.0.254

I meant

ip local pool remote_user 172.20.0.1-172.20.0.254



Typo, oops!

 
And thinking about it, if you use the "no access-list 90" and "no ip local pool remote_user" commands in the order I've provided, this will wipe out any other lines in the config that refer to them, so be sure to put those lines back in, i.e.:


nat (inside) 0 access-list 90
isakmp client configuration address-pool local remote_user outside
vpngroup remote_user address-pool remote_user
vpngroup remote_user split-tunnel 90
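
The two things the replies above turn on (the VPN pool must not collide with the remote user's own LAN, and the split-tunnel access-list must cover the whole pool) can be checked before touching the PIX. The following Python script is an added example, not from the thread or from Cisco; the HOME_LANS list is an assumption about typical home router ranges, and the pool/ACL pairs are copied from the poster's config and the reply's suggested fix.

```python
"""Check a PIX remote-access pool against its split-tunnel access-list.
Added example, not from the thread: the pool must not overlap the remote
user's own LAN, and the split-tunnel ACL must cover the whole pool."""
import ipaddress
import re

# Constructed from the thread: the poster's pool/ACL and the reply's fix.
ORIGINAL = {
    "pool": "192.168.1.1-192.168.1.254",
    "acl": "access-list 90 permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0",
}
CORRECTED = {
    "pool": "172.20.0.1-172.20.0.254",
    "acl": "access-list 90 permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0",
}
# Assumption: LAN ranges home routers commonly use, where VPN clients sit.
HOME_LANS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]

def parse_pool(spec):
    """'ip local pool' range 'a.b.c.d-w.x.y.z' -> (first, last) addresses."""
    first, last = (ipaddress.IPv4Address(p) for p in spec.split("-"))
    if last < first:
        raise ValueError("pool end precedes pool start: " + spec)
    return first, last

def parse_acl(line):
    """PIX 'permit ip <src> <mask> <dst> <mask>' ACE -> (src, dst) networks."""
    m = re.fullmatch(r"access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)", line)
    if not m:
        raise ValueError("unsupported ACE: " + line)
    return ipaddress.IPv4Network((m[1], m[2])), ipaddress.IPv4Network((m[3], m[4]))

def overlaps(first, last, net):
    """True if the address range first..last shares any address with net."""
    return first <= net.broadcast_address and last >= net.network_address

def check(cfg, home_lans=HOME_LANS):
    """Return the list of problems found; an empty list means consistent."""
    first, last = parse_pool(cfg["pool"])
    inside, dst = parse_acl(cfg["acl"])
    rng = f"{first}-{last}"
    problems = []
    if not (first in dst and last in dst):
        problems.append(f"pool {rng} not covered by split-tunnel ACL destination {dst}")
    if overlaps(first, last, inside):
        problems.append(f"pool {rng} overlaps the inside network {inside}")
    for lan in map(ipaddress.IPv4Network, home_lans):
        if overlaps(first, last, lan):
            problems.append(f"pool {rng} overlaps a common remote LAN {lan}")
    return problems
```

Running check() on the reply's first, mistyped pool (172.16.0.1-172.16.0.254) flags both that it falls outside the ACL destination 172.20.0.0/16 and that it overlaps the inside network, which is why the follow-up correction matters.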

 