Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Setting up a Cisco 3.x client to PIX 6.2 VPN - Split-Tunneling

Status
Not open for further replies.
jcanuk

jcanuk

MIS
Joined
Nov 24, 2002
Messages
12
Location
US
Hi,

I'm trying to set up a VPN via the cisco 3.x client to a pix 515e running 6.2.

I'm running into problems with the split-tunneling feature and was wondering if anyone had experience implementing it. Basically, with split tunneling turned off, as expected, I can connect to all hosts inside the vpn and packets for the general internet do not work. However, when I try to define the internal networks and apply that access list using the vpngroup command, I can ping the general internet, but not the internal network.

I will post config, but I'm first looking if anyone has experience with this type of problem...

Regards,
Jcanuk
 
Sort by date Sort by votes
I have a simular problem, when using the vpn 3.x client, from a PC that connects directly to the internet, they can vpn into the LAN, but when using the same method via a 1603 ISDN router that dials the internet, a connection is made but no traffic is sent through the tunnel and i lose all connectivity to the lan and the internet.
 
Upvote 0 Downvote
Here is my config.... Details of my tests follow it.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
access-list 110 permit ip 10.1.1.0 255.255.255.0 10.1.7.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.7.0 255.255.255.0

access-list nonat permit ip 10.2.2.0 255.255.255.0 10.3.1.0 255.255.255.0

access-list nonat permit ip 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0

access-list nonat permit ip host ***.***.***.**8 10.3.1.0 255.255.255.0

access-list nonat permit ip 10.1.1.0 255.255.255.0 10.3.1.0 255.255.255.0

access-list vpn_in permit ip 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0

access-list outside_cryptomap_dyn_25 permit ip any 10.3.1.0 255.255.255.0

access-list dmz_outbound_nat0_acl permit ip 10.2.2.0 255.255.255.0 10.3.1.0 255.255.255.0

ip address outside ***.***.***.**8 255.255.255.240
ip address inside 10.1.1.10 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0
ip local pool vpnusers 10.3.1.1-10.3.1.254

arp timeout 14400
global (outside) 1 interface
global (dmz) 1 10.2.2.2-10.2.2.254
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl

sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 25 set transform-set ESP-3DES-SHA
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 110
crypto map vpn 10 set peer ***.***.***.***
crypto map vpn 10 set transform-set ESP-3DES-SHA
crypto map vpn 25 ipsec-isakmp dynamic dynmap
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address ***.***.***.*** netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup dial address-pool vpnusers
vpngroup dial idle-time 1800
vpngroup dial password ********
vpngroup dial split-tunnel vpn_in

----------------------------------------

For testing, I have run this exact config file, only without the vpngroup dial split-tunnel command, thus encrypting all traffic, and I am able to both ping and connect to all hosts on the private network (10.1.1.0/24) except the pix inside interface.

Next, when I run the config exactly as shown above (including split-tunnel), my client connects without a problem. I can then ping any host on the internet, but any internal hosts provide me with Reply timed out. No connection.
If I do a vpnclient stat command from my machine,
I get information saying that all of the packets destined for the 10.1.1.0/24 network are getting dropped.

I think that my nonat statements are more than adequate, as well as my access-lists allowing connection from the 10.3.1.0/24 to pretty well anyone internal are fine.

Just as a note, the traffic to 10.1.7.0 is for a pix to pix vpn that is also running off this box.

Any insight is appreciated.
 
Upvote 0 Downvote
HI.

I don't know what is the cause for the problems, but if you don't solve it, try to backup your config, then remove all VPN related commands and start fresh over using PDM (or pixcript) to generate the VPN config.

What is the Cisco VPN client software version that you use?
Try an older/newer version also.

You can also try the following version:

access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.7.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.0.0 10.3.1.0 255.255.255.0

access-list vpn_in permit ip 10.1.1.0 255.255.255.0 10.3.1.0 255.255.255.0
access-list vpn_in permit ip 10.2.2.0 255.255.255.0 10.3.1.0 255.255.255.0

and see what you get.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
Miluis
  • Locked
  • Question Question
How necessary is an antivirus?
Replies
3
Views
592
Rick998
Rick998
intel233
  • Locked
  • Question Question
Cisco ASA - VPN Question
Replies
6
Views
1K
intel233
intel233
WhosYourDiffie
  • Locked
  • Question Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
412
WhosYourDiffie
WhosYourDiffie
Sparrow4
  • Locked
  • Question Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
1K
Johnkite
Johnkite

Part and Inventory Search

Sponsor

Back
Top