https://community.cisco.com/t5/network-security/split-tunneling/m-p/414946#M1055594 <HTML><HEAD></HEAD><BODY><P>the overlapping needs to be fixed first. and these two commands should be applied as well.</P><P></P><P>isakmp identity address</P><P>isakmp nat-traversal 20</P></BODY></HTML> Fri, 09 Dec 2005 02:37:31 GMT jackko 2005-12-09T02:37:31Z https://community.cisco.com/t5/network-security/split-tunneling/m-p/414940#M1055582 <P>Currently, i am using PIX 501and VPN 3000. At first, my vpn client cannot access the internet once they logged in via Cisco system vpn client and so i enable split tunneling. Now the clients are able to access the internet but cannot access the internal server. does anyone knows what went wrong. Pls Help...</P><P></P><P>Thank you</P> Fri, 21 Feb 2020 08:34:51 GMT https://community.cisco.com/t5/network-security/split-tunneling/m-p/414940#M1055582 aqswdefrgt 2020-02-21T08:34:51Z https://community.cisco.com/t5/network-security/split-tunneling/m-p/414941#M1055583 <HTML><HEAD></HEAD><BODY><P>please post the entire config with public ip masked.</P></BODY></HTML> Thu, 08 Dec 2005 07:06:52 GMT https://community.cisco.com/t5/network-security/split-tunneling/m-p/414941#M1055583 jackko 2005-12-08T07:06:52Z https://community.cisco.com/t5/network-security/split-tunneling/m-p/414942#M1055586 <HTML><HEAD></HEAD><BODY><P>enable password ********** encrypted</P><P>passwd ********** encrypted</P><P>hostname Firewall</P><P>domain-name aqswdefrgt.com.sg</P><P>access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0</P><P>access-list nat permit tcp any host 65.165.123.142 eq smtp</P><P>access-list nat permit tcp any host 65.165.123.142 eq pop3</P><P>access-list nat permit tcp any host 65.165.123.143 eq smtp</P><P>access-list nat permit tcp any host 65.165.123.143 eq pop3</P><P>access-list nat permit tcp any host 65.165.123.143 eq www</P><P>access-list nat permit tcp any host 65.165.123.152 eq smtp</P><P>access-list nat permit tcp any host 65.165.123.152 eq pop3</P><P>access-list nat permit tcp any host 65.165.123.152 eq www</P><P>access-list nat permit tcp any host 65.165.123.143 eq https</P><P>access-list nat permit icmp any any</P><P>ip address outside 65.165.123.4 255.255.255.240</P><P>ip address inside 192.168.1.2 255.255.255.0</P><P>ip verify reverse-path interface outside</P><P>ip local pool clientpool 192.168.1.40-192.168.1.49</P><P>global (outside) 1 interface</P><P>nat (inside) 0 access-list 100</P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0</P><P>static (inside,outside) tcp 65.165.123.142 smtp 192.168.1.56 smtp netmask 255.255.2</P><P>55.255 0 0</P><P>static (inside,outside) tcp 65.165.123.142 pop3 192.168.1.56 pop3 netmask 255.255.2</P><P>55.255 0 0</P><P>static (inside,outside) tcp 65.165.123.143 smtp 192.168.1.55 smtp netmask 255.255.2</P><P>55.255 0 0</P><P>static (inside,outside) tcp 65.165.123.143 pop3 192.168.1.55 pop3 netmask 255.255.2</P><P>55.255 0 0</P><P>static (inside,outside) tcp 65.165.123.143 www 192.168.1.55 www netmask 255.255.255</P><P>.255 0 0</P><P>static (inside,outside) tcp 65.165.123.152 smtp 192.168.1.76 smtp netmask 255.255.</P><P>255.255 0 0</P><P>static (inside,outside) tcp 65.165.123.152 pop3 192.168.1.76 pop3 netmask 255.255.</P><P>255.255 0 0</P><P>static (inside,outside) tcp 65.165.123.152 www 192.168.1.76 www netmask 255.255.25</P><P>5.255 0 0</P><P>static (inside,outside) tcp 65.165.123.143 https 192.168.1.55 https netmask 255.255</P><P>.255.255 0 0</P><P>access-group nat in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 65.165.123.1 1</P><P>aaa-server TACACS+ protocol tacacs+</P><P>aaa-server RADIUS protocol radius</P><P>aaa-server LOCAL protocol local</P><P>aaa-server plexus protocol radius</P><P>aaa-server plexus (inside) host 192.168.1.55 ******** timeout 5</P><P>http server enable</P><P>http 192.168.1.0 255.255.255.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community public</P><P>no snmp-server enable traps</P><P>floodguard enable</P><P>sysopt connection permit-ipsec</P><P>crypto ipsec transform-set myset esp-des esp-md5-hmac</P><P>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac</P><P>crypto dynamic-map cisco 1 set transform-set myset</P><P>crypto map dyn-map 20 ipsec-isakmp dynamic cisco</P><P>crypto map dyn-map client authentication plexus</P><P>crypto map dyn-map interface outside</P><P>isakmp enable outside</P><P>isakmp key ******** address 0.0.0.0 netmask 0.0.0.0</P><P>isakmp policy 20 authentication pre-share</P><P>isakmp policy 20 encryption des</P><P>isakmp policy 20 hash md5</P><P>isakmp policy 20 group 2</P><P>isakmp policy 20 lifetime 86400</P><P>isakmp policy 40 authentication pre-share</P><P>isakmp policy 40 encryption 3des</P><P>isakmp policy 40 hash md5</P><P>isakmp policy 40 group 2</P><P>isakmp policy 40 lifetime 86400</P><P>vpngroup vpn3000 address-pool clientpool</P><P>vpngroup vpn3000 dns-server 192.168.1.55</P><P>vpngroup vpn3000 wins-server 192.168.1.55</P><P>vpngroup vpn3000 default-domain aqswdefrgt.com.sg</P><P>vpngroup vpn3000 idle-time 1800</P><P>vpngroup vpn3000 password ********</P><P>telnet 192.168.1.0 255.255.255.0 inside</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>console timeout 0</P><P>terminal width 80</P><P></P></BODY></HTML> Thu, 08 Dec 2005 08:46:49 GMT https://community.cisco.com/t5/network-security/split-tunneling/m-p/414942#M1055586 aqswdefrgt 2005-12-08T08:46:49Z https://community.cisco.com/t5/network-security/split-tunneling/m-p/414943#M1055587 <HTML><HEAD></HEAD><BODY><P>Due to the limited characters for each message, i can only post the partial configure. But all these are the most important part.</P></BODY></HTML> Thu, 08 Dec 2005 08:51:29 GMT https://community.cisco.com/t5/network-security/split-tunneling/m-p/414943#M1055587 aqswdefrgt 2005-12-08T08:51:29Z https://community.cisco.com/t5/network-security/split-tunneling/m-p/414944#M1055590 <HTML><HEAD></HEAD><BODY><P>one critical thing is that the vpn client pool should not be overlapped with the pix inside net.</P></BODY></HTML> Thu, 08 Dec 2005 09:39:14 GMT https://community.cisco.com/t5/network-security/split-tunneling/m-p/414944#M1055590 jackko 2005-12-08T09:39:14Z https://community.cisco.com/t5/network-security/split-tunneling/m-p/414945#M1055593 <HTML><HEAD></HEAD><BODY><P>I had already take note of that. Beside that what else went wrong?</P></BODY></HTML> Fri, 09 Dec 2005 01:14:00 GMT https://community.cisco.com/t5/network-security/split-tunneling/m-p/414945#M1055593 aqswdefrgt 2005-12-09T01:14:00Z https://community.cisco.com/t5/network-security/split-tunneling/m-p/414946#M1055594 <HTML><HEAD></HEAD><BODY><P>the overlapping needs to be fixed first. and these two commands should be applied as well.</P><P></P><P>isakmp identity address</P><P>isakmp nat-traversal 20</P></BODY></HTML> Fri, 09 Dec 2005 02:37:31 GMT https://community.cisco.com/t5/network-security/split-tunneling/m-p/414946#M1055594 jackko 2005-12-09T02:37:31Z https://community.cisco.com/t5/network-security/split-tunneling/m-p/414947#M1055595 <HTML><HEAD></HEAD><BODY><P>Thanks for the infor. i will try it out later.</P></BODY></HTML> Fri, 09 Dec 2005 03:03:50 GMT https://community.cisco.com/t5/network-security/split-tunneling/m-p/414947#M1055595 aqswdefrgt 2005-12-09T03:03:50Z