
Setting up a Cisco 3.x client to PIX 6.2 VPN - Split-Tunneling


jcanuk (MIS), Nov 24, 2002
Hi,

I'm trying to set up a VPN via the cisco 3.x client to a pix 515e running 6.2.

I'm running into problems with the split-tunneling feature and was wondering if anyone had experience implementing it. Basically, with split tunneling turned off, as expected, I can connect to all hosts inside the vpn and packets for the general internet do not work. However, when I try to define the internal networks and apply that access list using the vpngroup command, I can ping the general internet, but not the internal network.

I will post config, but I'm first looking if anyone has experience with this type of problem...

Regards,
Jcanuk
 
I have a similar problem, when using the vpn 3.x client, from a PC that connects directly to the internet, they can vpn into the LAN, but when using the same method via a 1603 ISDN router that dials the internet, a connection is made but no traffic is sent through the tunnel and I lose all connectivity to the lan and the internet.
 
Here is my config.... Details of my tests follow it.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
access-list 110 permit ip 10.1.1.0 255.255.255.0 10.1.7.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.7.0 255.255.255.0
access-list nonat permit ip 10.2.2.0 255.255.255.0 10.3.1.0 255.255.255.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0
access-list nonat permit ip host ***.***.***.**8 10.3.1.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.3.1.0 255.255.255.0
access-list vpn_in permit ip 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0
access-list outside_cryptomap_dyn_25 permit ip any 10.3.1.0 255.255.255.0
access-list dmz_outbound_nat0_acl permit ip 10.2.2.0 255.255.255.0 10.3.1.0 255.255.255.0

ip address outside ***.***.***.**8 255.255.255.240
ip address inside 10.1.1.10 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0
ip local pool vpnusers 10.3.1.1-10.3.1.254

arp timeout 14400
global (outside) 1 interface
global (dmz) 1 10.2.2.2-10.2.2.254
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl

sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 25 set transform-set ESP-3DES-SHA
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 110
crypto map vpn 10 set peer ***.***.***.***
crypto map vpn 10 set transform-set ESP-3DES-SHA
crypto map vpn 25 ipsec-isakmp dynamic dynmap
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address ***.***.***.*** netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup dial address-pool vpnusers
vpngroup dial idle-time 1800
vpngroup dial password ********
vpngroup dial split-tunnel vpn_in

----------------------------------------

For testing, I have run this exact config file, only without the vpngroup dial split-tunnel command, thus encrypting all traffic, and I am able to both ping and connect to all hosts on the private network (10.1.1.0/24) except the pix inside interface.

Next, when I run the config exactly as shown above (including split-tunnel), my client connects without a problem. I can then ping any host on the internet, but any internal hosts provide me with Reply timed out. No connection.

If I do a vpnclient stat command from my machine, I get information saying that all of the packets destined for the 10.1.1.0/24 network are getting dropped.

I think that my nonat statements are more than adequate, as well as my access-lists allowing connection from the 10.3.1.0/24 to pretty well anyone internal are fine.

Just as a note, the traffic to 10.1.7.0 is for a pix to pix vpn that is also running off this box.

Any insight is appreciated.
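One way to sanity-check the posted ACLs offline: parse the PIX 6.x access-list lines, evaluate them with first-match / implicit-deny semantics, and flag any network the split-tunnel ACL (vpn_in) sends into the tunnel that is not fully exempted from translation by the nat 0 ACL (nonat). This is added example code, not something from the thread or from Cisco; the parser and the coverage rule are my own, and the masked "host" line is left out because its address is hidden on the page.

```python
import ipaddress
import re

# Copied from the PIX config posted above (the masked "host" entry is omitted).
PIX_CONFIG = """
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.7.0 255.255.255.0
access-list nonat permit ip 10.2.2.0 255.255.255.0 10.3.1.0 255.255.255.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.3.1.0 255.255.255.0
access-list vpn_in permit ip 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0
access-list dmz_outbound_nat0_acl permit ip 10.2.2.0 255.255.255.0 10.3.1.0 255.255.255.0
"""

ACE_RE = re.compile(r"access-list (\S+) (permit|deny) ip (.+)$")

def _parse_addr(tokens):
    """Consume one PIX 6.x address spec: 'any', 'host A', or 'A MASK' (real mask)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acls(text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, action, rest = m.groups()
        src, remaining = _parse_addr(rest.split())
        dst, _ = _parse_addr(remaining)
        acls.setdefault(name, []).append((action, src, dst))
    return acls

def acl_matches(aces, src_ip, dst_ip):
    """First matching entry wins; no match means the PIX's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in aces:
        if s in src and d in dst:
            return action == "permit"
    return False

def uncovered_by_nat0(acls, split_acl="vpn_in", nat0_acl="nonat"):
    """Split-tunnel networks whose traffic to the pool is not wholly exempted
    from NAT by a single nat 0 entry; partial (subnet-only) cover counts as a gap."""
    gaps = []
    for action, inside, pool in acls.get(split_acl, []):
        if action == "permit" and not any(
                a == "permit" and inside.subnet_of(s) and pool.subnet_of(d)
                for a, s, d in acls.get(nat0_acl, [])):
            gaps.append((inside, pool))
    return gaps
```

Run against the posted config, uncovered_by_nat0 reports nothing, because the 10.1.0.0/16 nonat entry covers the whole vpn_in network; drop that one entry and the remaining 10.1.1.0/24 line no longer covers it, which the check reports.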
 
HI.

I don't know what the cause of the problems is, but if you don't solve it, try to backup your config, then remove all VPN related commands and start fresh over using PDM (or pixcript) to generate the VPN config.

What is the Cisco VPN client software version that you use?
Try an older/newer version also.

You can also try the following version:

access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.7.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.0.0 10.3.1.0 255.255.255.0

access-list vpn_in permit ip 10.1.1.0 255.255.255.0 10.3.1.0 255.255.255.0
access-list vpn_in permit ip 10.2.2.0 255.255.255.0 10.3.1.0 255.255.255.0

and see what you get.

Bye
Yizhar Hurwitz
 