eseabrook2008
Technical User
I'm new to PIX (and the job) and need to solve an issue with our PIX. As far as I know, split-tunneling is set up but it is not working. When clients VPN in (using the Windows client), they can access the internet but not the network. If you check off "use default gateway on remote network" then you can access the network but not the internet. Below is the PIX config. Can anyone give me a hand? I've looked high and low and from what I've read, everything should be set up. I tried using a batch file to enter a static route on the laptop but I need to enter the IF and it changes every time I connect to the VPN.
PIX Version 7.2(2)
!
interface Ethernet0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.0
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.0.0
ospf cost 10
!
passwd iGGOjJAX0QuZN9ot encrypted
boot system flash:/pix722.bin
boot system flash:/image.bin
no ftp mode passive
clock timezone CST -6
dns server-group DefaultDNS
domain-name somewhere.COM
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip any 192.168.0.0 255.255.255.192
access-list saskatoon extended permit ip 172.16.0.0 255.255.0.0 192.169.253.0 255.255.255.0
access-list acl_out extended permit tcp any interface outside eq smtp
access-list acl_out extended permit tcp any interface outside range ftp-data ftp inactive
access-list acl_out extended permit tcp any interface outside eq www
access-list acl_out extended permit tcp any interface outside eq https
access-list acl_out extended permit udp any host 204.83.200.72 eq 1701
access-list acl_out extended permit gre any host 204.83.200.72
access-list acl_in extended deny tcp any any eq 136
access-list acl_in extended deny tcp any any eq 137
access-list acl_in extended deny tcp any any eq 138
access-list acl_in extended deny tcp any any eq netbios-ssn
access-list acl_in extended deny udp any any eq 136
access-list acl_in extended deny udp any any eq netbios-ns
access-list acl_in extended deny udp any any eq netbios-dgm
access-list acl_in extended deny udp any any eq 139
access-list acl_in extended permit ip any any
access-list acl_in extended permit icmp any any
access-list test extended permit ip any any
access-list capin extended permit ip host 172.16.100.126 host 172.16.0.1
access-list capin extended permit ip host 172.16.0.1 host 172.16.100.126
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list cap_in extended permit ip host 172.16.100.126 any
access-list split standard permit 172.16.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 40000
logging monitor informational
logging trap debugging
logging history warnings
logging asdm errors
logging facility 23
logging host inside 172.16.0.98 17/1468
mtu outside 1500
mtu inside 1500
ip local pool VPNPool 10.10.10.1-10.10.10.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.0.0 255.255.0.0
static (inside,outside) tcp interface smtp Email_Firewall smtp netmask 255.255.255.255
static (inside,outside) tcp interface 255.255.255.255
static (inside,outside) tcp interface https 172.16.0.96 https netmask 255.255.255.255
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 204.83.200.254 1
timeout xlate 1:00:00
timeout conn 0:10:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server ActiveDirectory protocol radius
aaa-server ActiveDirectory host 172.16.0.98
timeout 5
key smiradsecret
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 172.16.0.98 172.16.0.96
dns-server value 172.16.0.98 172.16.0.96
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value somewhere.COM
group-policy DfltGrpPolicy attributes
banner none
wins-server value 172.16.0.98 172.16.0.96
dns-server value 172.16.0.98 172.16.0.96
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain none
split-dns none
intercept-dhcp enable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
group-policy vpn internal
group-policy vpn attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
username somewhere_vpn password ZfsPqnEvQQSkO5RLLlMdcg== nt-encrypted
username cisco123 password U4DJrEXzXuJDX32C encrypted privilege 15
username cisco password pr/0i/BvQ65/uQPOewDuog== nt-encrypted privilege 15
username cisco attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol l2tp-ipsec
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group DefaultRAGroup general-attributes
address-pool VPNPool
authentication-server-group ActiveDirectory LOCAL
authorization-server-group LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 1
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp strict
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect ils
!
service-policy global_policy global
ntp server 142.3.100.2 source outside prefer
ntp server 142.3.100.15 source outside
prompt hostname context
Cryptochecksum:f8166a1052e288061ee0e688710bda13
: end
asdm image flash:/asdm-522.bin
asdm history enable
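The client-side route the post tries to script, as an added example that is not part of the original post or of Cisco's documentation: it finds the Windows L2TP/IPsec virtual adapter by the address it received from the pool in the posted config (ip local pool VPNPool, 10.10.10.0/24) instead of a hard-coded interface index, and routes only the inside network (172.16.0.0/16 from the posted config) through it, so Internet traffic keeps leaving via the LAN gateway. It assumes an elevated PowerShell with the NetTCPIP module (Windows 8 / Server 2012 or later); the parameter names and defaults are this example's own.

```powershell
# Added example, not from the original post. Run after the Windows client has
# connected and with "use default gateway on remote network" unchecked.
[CmdletBinding()]
param(
    [string]$PoolPrefix = '10.10.10.',     # ip local pool VPNPool in the PIX config
    [string]$InsideCidr = '172.16.0.0/16'  # network behind the PIX 'inside' interface
)

# Locate the PPP/RAS adapter by its pool address. Its interface index changes
# on every connection, which is why a batch file with a fixed "IF n" fails.
$vpn = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
       Where-Object { $_.IPAddress -like "$PoolPrefix*" } |
       Select-Object -First 1

if (-not $vpn) {
    Write-Error "No adapter holds a $PoolPrefix* address; is the VPN connected?"
    exit 1
}

# Idempotent: skip if an earlier run already installed the route on this interface.
$existing = Get-NetRoute -DestinationPrefix $InsideCidr `
                         -InterfaceIndex $vpn.InterfaceIndex `
                         -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Route to $InsideCidr already present on ifIndex $($vpn.InterfaceIndex)"
    exit 0
}

# A PPP link is point-to-point, so an on-link route (NextHop 0.0.0.0, the
# default) is enough. ActiveStore only: the interface disappears on disconnect,
# so a persistent route would be a stale entry pointing at a dead index.
New-NetRoute -DestinationPrefix $InsideCidr `
             -InterfaceIndex $vpn.InterfaceIndex `
             -PolicyStore ActiveStore | Out-Null

Write-Host ("Added {0} via ifIndex {1} ({2}); other traffic keeps the LAN default gateway." -f
            $InsideCidr, $vpn.InterfaceIndex, $vpn.IPAddress)

# Show the result so the operator can confirm only the inside prefix was tunnelled.
Get-NetRoute -DestinationPrefix $InsideCidr |
    Format-Table DestinationPrefix, NextHop, InterfaceIndex, InterfaceAlias
```

The inside interface of the PIX (172.16.0.1 in the posted config) should then answer over the tunnel while a public address still leaves via the LAN; the route is gone automatically when the client disconnects, so the script has to run after each connection.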