
PIX501 - Client VPN routing issue


Myster (IS-IT--Management, DE), Feb 16, 2005
Hi everybody !

I've browsed the forum a lot without finding anyone having the same issue as I do... so here is my post :)...

The configuration is as follows:
- 2 sites connected by VPN (working correctly)
- on each site, PIX-501 - v6.3(3)

I'm trying, besides the site-to-site VPN, to set up remote access with Cisco VPN Client 4.6.
I configured one of the PIX with vpngroup to make my tests, I will later change the auth method to something else (either local or radius).

Here is the point :
At home, with my laptop, I "dial" the VPN connection through Cisco VPN Client. Everything goes OK, and the VPN seems to be established. The laptop is wired on the local LAN and goes through an IPTABLES firewall. It uses UDP, and the UDP-500 port is forwarded correctly to my laptop.

Once the VPN is established, I try to ping a Linux box which is connected on the DMZ, so directly after the PIX, without success.

The network debugging I did showed:
- the ICMP requests reach the Linux box and it answers to them (used tcpdump and saw incoming and outgoing packets)
- the laptop never gets the replies.
- watching the logs on my Iptables, I see nothing dropped
- I've tested other kinds of access (POP, SMTP, HTTP, ...) and had the same symptoms each time.

My first idea is that there's a routing or ACL issue on my PIX that blocks the returning packets.

Network "diagram":

    Remote Office with 10.3.3.0/24 & 192.168.2.0/24
            PIX-501
               /
              /
        -----------
        | Internet |------------ Home IpTables FW ------ Laptop
        -----------
              \
               \
            PIX-501
               |
        10.12.1.0/24 DMZ
               |
        Internal IPTABLES FW
               |
        192.168.70.0/24 Internal LAN



Here is my PIX configuration:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
[...]
names
name 195.XXX.XXX.11 ldeml01-I
name 10.12.1.4 ldeml01-D
name 195.XXX.XXX.30 Kiwi-I
name 10.12.1.30 Kiwi-D
name 10.12.1.16 ST16-D
name 10.12.1.3 lddmz01-D
name 10.12.2.0 ld_ras_lan
name 82.XXX.XXX.225 else_home
name 82.XXX.XXX.176 somewhere_home
name 195.XXX.XXX.10 LDAPP01-I
access-list 101 permit ip 192.168.70.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 10.12.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.70.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list 101 permit ip 10.12.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list 101 permit ip ld_ras_lan 255.255.255.0 192.168.70.0 255.255.255.0
access-list 101 permit ip ld_ras_lan 255.255.255.0 10.12.1.0 255.255.255.0
access-list 101 permit ip 192.168.70.0 255.255.255.0 ld_ras_lan 255.255.255.0
access-list 101 permit ip 10.12.1.0 255.255.255.0 ld_ras_lan 255.255.255.0
access-list 200 permit tcp any host ldeml01-I eq https
access-list 200 permit tcp any host ldeml01-I eq imap4
access-list 200 permit tcp any host ldeml01-I eq smtp
access-list 200 permit tcp any host 195.XXX.XXX.1 eq domain
access-list 200 permit udp any host 195.XXX.XXX.1 eq domain
access-list 200 permit tcp any host 195.XXX.XXX.111 eq www
access-list 200 permit tcp any host 195.XXX.XXX.111 eq https
access-list 200 permit tcp any host 195.XXX.XXX.108 eq www
access-list 200 permit tcp any host Kiwi-I eq www
access-list 200 permit tcp any host Kiwi-I eq https
access-list 200 permit tcp any host 195.XXX.XXX.31 eq www
access-list 200 permit tcp any host 195.XXX.XXX.31 eq https
access-list 200 permit tcp host 62.XXX.XXX.29 host ldeml01-I eq ssh
access-list 200 permit tcp host 81.XXX.XXX.90 host ldeml01-I eq ssh
access-list 200 permit tcp any host 195.XXX.XXX.1 eq https
access-list 200 permit tcp any host 195.XXX.XXX.2 eq www
access-list 200 permit tcp any host ldeml01-I eq www
access-list 200 permit tcp any host 195.XXX.XXX.4 eq https
access-list 200 permit tcp host somewhere_home host ldeml01-I eq ssh
access-list 200 permit tcp host 82.XXX.XXX.114 host ldeml01-I eq ssh
access-list 200 permit tcp host else_home host ldeml01-I eq ssh
access-list 200 permit tcp any host 195.XXX.XXX.1 eq 2401
access-list 200 permit tcp any host 195.XXX.XXX.1 eq ssh
access-list 200 permit icmp any any echo-reply
access-list 200 permit tcp any host LDAPP01-I eq www
no pager
icmp permit 10.12.1.0 255.255.255.0 echo outside
mtu outside 1500
mtu inside 1500
ip address outside 195.XXX.XXX.1 255.255.255.128
ip address inside 10.12.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ld_ras_pool 10.12.2.32-10.12.2.63
pdm history enable
arp timeout 14400
global (outside) 1 195.XXX.XXX.3 netmask 255.255.255.255
nat (inside) 0 access-list 101
nat (inside) 1 10.12.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.70.0 255.255.255.0 0 0
static (inside,outside) tcp interface domain lddmz01-D domain netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain lddmz01-D domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https lddmz01-D https netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.XXX.XXX.1 2401 lddmz01-D 2401 netmask 255.255.255.255 0 0
static (inside,outside) ldeml01-I ldeml01-D netmask 255.255.255.255 0 0
static (inside,outside) 195.XXX.XXX.111 ST16-D netmask 255.255.255.255 0 0
static (inside,outside) 195.XXX.XXX.108 10.12.1.108 netmask 255.255.255.255 0 0
static (inside,outside) 195.XXX.XXX.31 10.12.1.31 netmask 255.255.255.255 0 0
static (inside,outside) Kiwi-I Kiwi-D netmask 255.255.255.255 0 0
static (inside,outside) 195.XXX.XXX.4 10.12.1.14 netmask 255.255.255.255 0 0
static (inside,outside) 195.XXX.XXX.2 10.12.1.6 netmask 255.255.255.255 0 0
static (inside,outside) LDAPP01-I 10.12.1.5 netmask 255.255.255.255 0 0
access-group 200 in interface outside
route outside 0.0.0.0 0.0.0.0 195.XXX.XXX.126 1
route inside 192.168.70.0 255.255.255.0 10.12.1.2 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 84.XXX.XXX.38 source outside
snmp-server host inside 192.XXX.XXX.18 poll
no snmp-server location
no snmp-server contact
snmp-server community XXXXXXXXX
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set toyota esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set toyota
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 101
crypto map bmw 1 set peer 66.XXX.XXX.4
crypto map bmw 1 set transform-set toyota
crypto map bmw 20 ipsec-isakmp dynamic dynmap
crypto map bmw interface outside
isakmp enable outside
isakmp key ******** address 66.XXX.XXX.4 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 1000
vpngroup groupras address-pool ld_ras_pool
vpngroup groupras dns-server lddmz01-D
vpngroup groupras default-domain XXXXXXXXXXX.local
vpngroup groupras idle-time 1800
vpngroup groupras password ********
telnet timeout 5
ssh 66.XXX.XXX.10 255.255.255.255 outside
ssh else_home 255.255.255.255 outside
ssh 10.12.1.0 255.255.255.0 inside
ssh timeout 10
console timeout 10
terminal width 120

I hope I gave enough info to get some help :) !
 
He specifies 1 specific peer in his crypto policy. He would need another crypto policy for his vpn pool.

Computer/Network Technician
CCNA
 
He only needs to specify a peer for his site-to-site VPN. Not for his VPN clients. He can still use the same policy however.

A firm believer of "Keep it Simple" philosophy
Cheers
/T
 
Well,

I can confirm that, as PIX-501 only has 2 "interfaces" (1 out, 4 in), the only solution was to make the DMZ a transit zone to reach our internal zone.

I must also say that I've tried defining 2 policies, but it resulted in site-to-site VPN failure. Moreover, policy 1 matches both needs, and upgrade from DES to 3DES is also planned.

I do not have the
Code:
crypto map bmw client authentication [authentication-method]
statement. But I have something resembling it in the isakmp statements.
If I add the statement you wrote to my crypto map bmw definitions, won't it affect the S2S VPN as well?

Here is my current config (excerpt):

Code:
sysopt connection permit-ipsec
crypto ipsec transform-set toyota esp-des esp-md5-hmac 
crypto dynamic-map dynmap 10 set transform-set toyota
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 101
crypto map bmw 1 set peer 66.XXX.XXX.4
crypto map bmw 1 set transform-set toyota
crypto map bmw 20 ipsec-isakmp dynamic dynmap
crypto map bmw interface outside
isakmp enable outside
isakmp key ******** address 66.XXX.XXX.4 netmask 255.255.255.255 
isakmp identity address
isakmp client configuration address-pool local ld_ras_pool outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 1000
vpngroup groupras address-pool ld_ras_pool
vpngroup groupras dns-server lddmz01-D
vpngroup groupras default-domain systran.local
vpngroup groupras idle-time 1800
vpngroup groupras password ********
 
D'oh !!

I just thought about something :

I'm using this :
Code:
crypto ipsec transform-set toyota esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set toyota
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 101
crypto map bmw 1 set peer 66.XXX.XXX.4
crypto map bmw 1 set transform-set toyota
crypto map bmw 20 ipsec-isakmp dynamic dynmap
crypto map bmw interface outside

As you can see, I stated a match address 101 for my crypto map bmw 1...
But this crypto map is used for my site to site VPN, not my dynamic clients...
Would something like
Code:
crypto map bmw 20 match address 101
work and make sense?
 
WOUHOUHOUHOUHOU !!!!

Well how to tell that :).
I took all the information you all gave me, plus a sample config from the Cisco web site reproducing the same architecture, and here we are !!! It's finally working.

To give a simple explanation, I took the ACLs and separated the one concerning the NoNAT from the one used by the crypto map match address statement.

I finally achieved making it work, and I even set up split-tunneling to allow internet access for VPN clients.

How could I thank you all enough for all the time you spent with me ????!!!! Sending all of you a beer pack ? :-D

Everything would be great if I wouldn't face a new issue : packets coming from the VPN pool cannot go to the Internal LAN (the one protected by an IPtables FW).

I wrote adequate rules into my IPtables, but I don't even see my pings or SSH attempts on the iptables interfaces.

I checked the routing table on the client, and I can see the route for the INT network (192.168.70.0/24) through the VPN, and I also see packets on the PIX (using debug icmp trace), but they are not forwarded to the iptables FW/router....

Any idea ?
 
Hi Myster,
I have a similar problem, could I trouble you to take a look at my post "cisco client connects, but no packets return", or could you post your config, so I can follow it as an example?
Any help would be greatly appreciated!
TIA
 
A simple "Thank you" will suffice, Myster. And the satisfaction of hearing you making progress, or solving the problem :)
This is just me thinking out "loud", but are you considering this:
You are obviously NATing your inside LAN before it reaches the DMZ, and then NATing it again going through the PIX.

Inside LAN --> DMZ --> Internet

192.168.70.0 --> 10.12.1.0 --> Outside interface

Are you employing the same NATing scheme for your VPN pool, except that you don't NAT between the DMZ and the VPN clients? And does your inside LAN know about the 10.12.2-network?

Inside LAN --> DMZ --> VPN clients

192.168.70.0 --> 10.12.1.0 --> 10.12.2.0

A firm believer of "Keep it Simple" philosophy
Cheers
/T
 
thank you? I like his idea of beer better :) haha.

Anyways, regarding the thing with the LAN, is there a default route in your PIX to handle the routing of packets to goto the Internal LAN? Without that, you won't be able to speak with the internal LAN.

Computer/Network Technician
CCNA
 
Triplejolt, in fact, the internal FW, the IPtables one, doesn't do NAT, it's just routing packets according to the firewall rules.
I finally achieved reaching the internal network, I just missed needed statements in the ACL :)


Here is my *final* config....
The main reason it wasn't working was that I used the same ACL (101) for "NoNAT" and for encryption, and this confused the PIX. So I split the ACLs correctly, and there it was...
I've put the "important" statements in bold, in order for you, ajinc, to compare this one with yours.
At this time, and Triplejolt/LloydSev will certainly confirm it, my split-tunneling is not working, and my definitions are senseless. I'm currently trying to find some docs/explanations regarding this functionality.

You can also find an interesting sample config on the Cisco website:

Code:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password U7gsv0kypzSnaNJs encrypted
passwd U7gsv0kypzSnaNJs encrypted
hostname ldfwi01.systran
domain-name systran
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 195.XXX.XXX.11 ldeml01-I
name 10.12.1.4 ldeml01-D
name 195.XXX.XXX.30 Kiwi-I
name 10.12.1.30 Kiwi-D
name 10.12.1.16 ST16-D
name 10.12.1.3 lddmz01-D
name 10.12.2.0 ld_ras_lan
name 82.XXX.XXX.225 derefinko_home
name 82.XXX.XXX.176 laurent_home
name 195.XXX.XXX.10 LDAPP01-I

##### This is now for encryption definition

access-list 101 permit ip 192.168.70.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 10.12.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list 101 permit ip 192.168.70.0 255.255.255.0 10.3.3.0 255.255.255.0 
access-list 101 permit ip 10.12.1.0 255.255.255.0 10.3.3.0 255.255.255.0 
access-list 101 permit ip 10.3.3.0 255.255.255.0 10.12.1.0 255.255.255.0 
access-list 101 permit ip 192.168.2.0 255.255.255.0 10.12.1.0 255.255.255.0 
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list 101 permit ip 10.3.3.0 255.255.255.0 192.168.70.0 255.255.255.0

access-list 200 permit tcp any host ldeml01-I eq https 
access-list 200 permit tcp any host ldeml01-I eq imap4 
access-list 200 permit tcp any host ldeml01-I eq smtp 
access-list 200 permit tcp any host 195.XXX.XXX.1 eq domain 
access-list 200 permit udp any host 195.XXX.XXX.1 eq domain 
access-list 200 permit tcp any host 195.XXX.XXX.111 eq www 
access-list 200 permit tcp any host 195.XXX.XXX.111 eq https 
access-list 200 permit tcp any host 195.XXX.XXX.108 eq www 
access-list 200 permit tcp any host Kiwi-I eq www 
access-list 200 permit tcp any host Kiwi-I eq https 
access-list 200 permit tcp any host 195.XXX.XXX.31 eq www 
access-list 200 permit tcp any host 195.XXX.XXX.31 eq https 
access-list 200 permit tcp host 62.193.208.29 host ldeml01-I eq ssh 
access-list 200 permit tcp host 81.56.134.90 host ldeml01-I eq ssh 
access-list 200 permit tcp any host 195.XXX.XXX.1 eq https 
access-list 200 permit tcp any host 195.XXX.XXX.2 eq www 
access-list 200 permit tcp any host ldeml01-I eq www 
access-list 200 permit tcp any host 195.XXX.XXX.4 eq https 
access-list 200 permit tcp host laurent_home host ldeml01-I eq ssh 
access-list 200 permit tcp host 82.226.34.114 host ldeml01-I eq ssh 
access-list 200 permit tcp host derefinko_home host ldeml01-I eq ssh 
access-list 200 permit tcp any host 195.XXX.XXX.1 eq 2401 
access-list 200 permit tcp any host 195.XXX.XXX.1 eq ssh 
access-list 200 permit icmp any any echo-reply 
access-list 200 permit tcp any host LDAPP01-I eq www 
access-list 200 permit ip ld_ras_lan 255.255.255.0 any 

##### This is now to specify networks which shouldn't be NATed

access-list NoNAT permit ip 192.168.70.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NoNAT permit ip 192.168.70.0 255.255.255.0 10.3.3.0 255.255.255.0 
access-list NoNAT permit ip 10.12.1.0 255.255.255.0 10.3.3.0 255.255.255.0 
access-list NoNAT permit ip 10.12.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list NoNAT permit ip 10.12.1.0 255.255.255.0 ld_ras_lan 255.255.255.0 
access-list NoNAT permit ip 192.168.70.0 255.255.255.0 ld_ras_lan 255.255.255.0 
access-list NoNAT permit ip 10.3.3.0 255.255.255.0 ld_ras_lan 255.255.255.0

###### This should be used, once correctly defined, to enable split-tunneling
access-list SplitTunnel permit ip 192.168.70.0 255.255.255.0 ld_ras_lan 255.255.255.0
access-list SplitTunnel permit ip ld_ras_lan 255.255.255.0 192.168.70.0 255.255.255.0

no pager
logging console debugging
icmp permit 10.12.1.0 255.255.255.0 echo outside
mtu outside 1500
mtu inside 1500
ip address outside 195.XXX.XXX.1 255.255.255.128
ip address inside 10.12.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ld_ras_pool 10.12.2.1-10.12.2.254
pdm history enable
arp timeout 14400
global (outside) 1 195.XXX.XXX.3 netmask 255.255.255.255
nat (inside) 0 access-list NoNAT
nat (inside) 1 10.12.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.70.0 255.255.255.0 0 0
static (inside,outside) tcp interface domain lddmz01-D domain netmask 255.255.255.255 0 0 
static (inside,outside) udp interface domain lddmz01-D domain netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface https lddmz01-D https netmask 255.255.255.255 0 0 
static (inside,outside) tcp 195.XXX.XXX.1 2401 lddmz01-D 2401 netmask 255.255.255.255 0 0 
static (inside,outside) tcp 195.XXX.XXX.1 www lddmz01-D www netmask 255.255.255.255 0 0
static (inside,outside) ldeml01-I ldeml01-D netmask 255.255.255.255 0 0 
static (inside,outside) 195.XXX.XXX.111 ST16-D netmask 255.255.255.255 0 0 
static (inside,outside) 195.XXX.XXX.108 10.12.1.108 netmask 255.255.255.255 0 0 
static (inside,outside) 195.XXX.XXX.31 10.12.1.31 netmask 255.255.255.255 0 0 
static (inside,outside) Kiwi-I Kiwi-D netmask 255.255.255.255 0 0 
static (inside,outside) 195.XXX.XXX.4 10.12.1.14 netmask 255.255.255.255 0 0 
static (inside,outside) 195.XXX.XXX.2 10.12.1.6 netmask 255.255.255.255 0 0 
static (inside,outside) LDAPP01-I 10.12.1.5 netmask 255.255.255.255 0 0 
access-group 200 in interface outside
route outside 0.0.0.0 0.0.0.0 195.XXX.XXX.126 1
route inside 192.168.70.0 255.255.255.0 10.12.1.2 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
ntp server 84.207.3.38 source outside
snmp-server host inside 192.168.70.18 poll
no snmp-server location
no snmp-server contact
snmp-server community XXXXXXX
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set toyota esp-des esp-md5-hmac 
crypto dynamic-map dynmap 10 set transform-set toyota
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 101
crypto map bmw 1 set peer 66.XXX.XXX.4
crypto map bmw 1 set transform-set toyota
crypto map bmw 20 ipsec-isakmp dynamic dynmap
crypto map bmw interface outside
isakmp enable outside
isakmp key ******** address 66.XXX.XXX.4 netmask 255.255.255.255 
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 1000
vpngroup groupras address-pool ld_ras_pool
vpngroup groupras dns-server lddmz01-D
vpngroup groupras default-domain company.local
vpngroup groupras split-tunnel SplitTunnel
vpngroup groupras idle-time 1800
vpngroup groupras password ********
telnet timeout 5
ssh 66.XXX.XXX.10 255.255.255.255 outside
ssh someone_home 255.255.255.255 outside
ssh 10.12.1.0 255.255.255.0 inside
ssh timeout 10
console timeout 10
terminal width 120
 
Split Tunneling is used for accessing the internet while being VPN'd into the network..so your SplitTunnel ACL denies everything since all you have allowed is the internal network. That's why it isn't working.

Computer/Network Technician
CCNA
 
Thank you, Thank You, Thank You!
I am going to get to work now, I'll let you know how it works out. Again Thanks, and I'll Bring the Brew!!!
 
As stated by Cisco:
Use the vpngroup split-tunnel command to enable split tunneling on the FWSM. Split tunneling allows a remote VPN client simultaneous encrypted access to the corporate network and clear access to the Internet. When you use the vpngroup split-tunnel command, specify the access list name to which you are associating split tunneling of traffic. With split tunneling enabled, the FWSM downloads its local network IP address and netmask specified within the associated access list to the VPN client or as part of the policy push to the client. The VPN client sends the traffic that is destined to the specified local FWSM network through an IPSec tunnel and all other traffic in the clear. The FWSM receives the IPSec-protected packet on its outside interface, decrypts it, and then sends it to its specified local network.

What I did to get split-tunneling to work was using my NoNat ACL. The thing here is that enabling split-tunneling disables the VPN configured DNS settings. Your VPN clients will use DNS settings provided by their respective ISPs.

Code:
Replace your:
vpngroup groupras split-tunnel SplitTunnel
with:
vpngroup groupras split-tunnel NoNAT
Should solve your split-tunneling issue.

A firm believer of "Keep it Simple" philosophy
Cheers
/T
 
Ok, thanks, I'll try this tonight (I can only work in real-time on RAS VPN from my home, as I haven't direct Internet Access at work).

Will this split-tunnel configuration also allow the VPN clients to reach the remote office through the site-to-site VPN?

Myster
 
Well, I continue my thought :

Is this correct:
To allow VPN clients to reach the remote site, I should add statements to the NoNAT ACL like:

Code:
access-list NoNAT permit ip 10.12.2.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list NoNAT permit ip 10.12.2.0 255.255.255.0 192.168.2.0 255.255.255.0
(10.12.2.0 is the Client VPN pool and the two other networks are those from remote office)

??

Myster
 
Those two lines only tell your PIX not to use NAT between the specified networks. I'm not sure if your VPN clients would reach them, but it shouldn't pose a problem. Just remember to provide routes for networks not directly connected to either of your interfaces.

You could copy the NoNAT ACL and work your way. Just remember to use either the IP address, or make a mapping in your hosts file.

A firm believer of "Keep it Simple" philosophy
Cheers
/T
 
Try using a separate ACL for each crypto map match address statement ... with only the rules that apply to each VPN, i.e.

crypto map mymap 10 match address roadwarior-VPN-acl
crypto map mymap 20 match address branchoffice-VPN-acl
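As an added example, not code from the thread, from Cisco, or from any of the posters, the following Python script models the three jobs an access-list is given in the configs above: the crypto map's `match address` (which flows are encrypted to the static site-to-site peer), `nat (inside) 0 access-list` (which flows are exempt from NAT), and `vpngroup ... split-tunnel` (which local networks are pushed to the client). It embeds the `permit ip` lines from Myster's first config (where ACL 101 served both the NAT exemption and the crypto map) and from the final config (where they were split into 101 and NoNAT), resolving the `ld_ras_lan` alias from the posted `names` section. The pool address 10.12.2.40 and the remote-office host 10.3.3.5 are constructed test values. Following the Cisco description quoted above, the script treats the source side of each split-tunnel ACE as the network the PIX pushes to the client; that modelling choice is an assumption of this example, as is treating each list as first-match, permit-only.

```python
"""Audit of the three access-list roles discussed in this thread (added example).

  crypto map <m> <seq> match address <acl>   flows encrypted to that static peer
  nat (inside) 0 access-list <acl>           flows exempt from NAT
  vpngroup <g> split-tunnel <acl>            local networks pushed to the client
"""
import ipaddress
import re
from collections import namedtuple

# Only the 'permit ip <net> <mask> <net> <mask>' form is handled; the tcp/udp/icmp,
# 'any' and 'host' entries of the posted interface ACL 200 are skipped.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)
# PIX 'name' alias used in the posted ACLs (from the thread's 'names' section)
NAMES = {"ld_ras_lan": "10.12.2.0"}
Ace = namedtuple("Ace", "acl src dst")


def parse_aces(config_text, names=NAMES):
    """Turn 'access-list ... permit ip ...' lines into Ace tuples, resolving aliases."""
    aces = []
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        src = ipaddress.IPv4Network((names.get(m["src"], m["src"]), m["smask"]))
        dst = ipaddress.IPv4Network((names.get(m["dst"], m["dst"]), m["dmask"]))
        aces.append(Ace(m["acl"], src, dst))
    return aces


def permits(aces, acl, src_ip, dst_ip):
    """True if the named ACL has an entry covering src -> dst (permit-only list, assumed)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(a.acl == acl and s in a.src and d in a.dst for a in aces)


def split_tunnel_networks(aces, acl):
    """Networks pushed to the client: the source side of each split-tunnel ACE (assumption:
    that side is the PIX's 'local network' in the quoted Cisco description)."""
    return {a.src for a in aces if a.acl == acl}


def client_tunnels(pushed, dst_ip):
    """Does the client send traffic for dst_ip through the tunnel (True) or in the clear?"""
    return any(ipaddress.IPv4Address(dst_ip) in net for net in pushed)


# Excerpt of the first posted config: ACL 101 served both 'nat (inside) 0' and
# 'crypto map bmw 1 match address'.
FIRST_CONFIG = """
access-list 101 permit ip 192.168.70.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 10.12.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.70.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list 101 permit ip 10.12.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list 101 permit ip ld_ras_lan 255.255.255.0 192.168.70.0 255.255.255.0
access-list 101 permit ip ld_ras_lan 255.255.255.0 10.12.1.0 255.255.255.0
access-list 101 permit ip 192.168.70.0 255.255.255.0 ld_ras_lan 255.255.255.0
access-list 101 permit ip 10.12.1.0 255.255.255.0 ld_ras_lan 255.255.255.0
"""
# Excerpt of the final posted config: 101 is crypto-only, NoNAT is NAT-exemption only.
FINAL_CONFIG = """
access-list 101 permit ip 192.168.70.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 10.12.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.70.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list 101 permit ip 10.12.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list 101 permit ip 10.3.3.0 255.255.255.0 10.12.1.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 10.12.1.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list 101 permit ip 10.3.3.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list NoNAT permit ip 192.168.70.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NoNAT permit ip 192.168.70.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list NoNAT permit ip 10.12.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list NoNAT permit ip 10.12.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NoNAT permit ip 10.12.1.0 255.255.255.0 ld_ras_lan 255.255.255.0
access-list NoNAT permit ip 192.168.70.0 255.255.255.0 ld_ras_lan 255.255.255.0
access-list NoNAT permit ip 10.3.3.0 255.255.255.0 ld_ras_lan 255.255.255.0
access-list SplitTunnel permit ip 192.168.70.0 255.255.255.0 ld_ras_lan 255.255.255.0
access-list SplitTunnel permit ip ld_ras_lan 255.255.255.0 192.168.70.0 255.255.255.0
"""

if __name__ == "__main__":
    first, final = parse_aces(FIRST_CONFIG), parse_aces(FINAL_CONFIG)
    # DMZ host lddmz01-D replying to a VPN client (10.12.2.40 is a constructed pool address):
    # in the first config this reply also matches the static peer's crypto ACL.
    print("first, crypto 101 :", permits(first, "101", "10.12.1.3", "10.12.2.40"))
    print("final, crypto 101 :", permits(final, "101", "10.12.1.3", "10.12.2.40"))
    print("final, NoNAT      :", permits(final, "NoNAT", "10.12.1.3", "10.12.2.40"))
    # Myster's later question: VPN pool to a remote-office host (10.3.3.5 is constructed).
    print("pool->remote NoNAT:", permits(final, "NoNAT", "10.12.2.40", "10.3.3.5"))
    for acl in ("SplitTunnel", "NoNAT"):
        pushed = split_tunnel_networks(final, acl)
        print(acl, sorted(map(str, pushed)), "DMZ tunneled:", client_tunnels(pushed, "10.12.1.3"))
```

Run as a script, it shows that in the first config the DMZ-to-pool reply is covered by the list bound to the static peer's crypto map, which the final config no longer does; that the NoNAT list as posted covers no pool-to-remote-office flow, so Myster's proposed lines would be needed for NAT exemption alone; and that the posted SplitTunnel list would push only 192.168.70.0/24 (plus the pool itself) to the client, so DMZ traffic would go in the clear, whereas Triplejolt's suggestion of reusing NoNAT pushes the DMZ and remote-office networks as well.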

 