EasyVPN pix-to-pix with split-tunnel

I have 2 Pix Firewalls with 6.3(1). On the Office side a vpngroup is defined and the split-tunnel option is configured. The remote Pix 501 can now connect to the Office PIX and the right information is given to the client.

But if the split tunnel is configured, the client PIX makes no NAT or PAT for my client computer. If I disable this option, all works fine except internet traffic is also encrypted and no surfing is possible. Any ideas???

show vpnclient (on client side)

LOCAL CONFIGURATION
vpnclient server XXXX
vpnclient mode client-mode
vpnclient vpngroup ezclient password ********
vpnclient username ezvpn password ********
vpnclient enable

DOWNLOADED DYNAMIC POLICY
Current Server : X.X.X.X
NAT addr : 192.168.30.1
Default Domain : X.ch
PFS Enabled : No
Secure Unit Authentication Enabled : No
User Authentication Enabled : No
Split Networks : 172.25.32.0/255.255.255.0
Backup Servers : None

3 Replies

gfullage
Cisco Employee

If you're doing split tunnelling with EzVPN client on the PIX, you still need to have a standard nat/global pair defined for the non-encrypted outgoing traffic. Something like:

> global (outside) 1 interface

> nat (inside) 1 0.0.0.0 0.0.0.0

The PIX will use this translation for unencrypted traffic, but will encrypt the other traffic as defined by the SA's and the split tunnel list and send it over the tunnel to the EzVPN server.

The nat statement is in the config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXX
passwd XXXXXXXXXX
hostname CalltradeHome3
domain-name X.ch
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username cisco password XXXXXXXXX
vpnclient server X.X.X.X
vpnclient mode client-mode
vpnclient vpngroup ezclient password ********
vpnclient username ezvpn password ********
vpnclient enable
terminal width 80

The nat statement is incorrect. You have:

> nat (inside) 0 0.0.0.0 0.0.0.0

which specifically tells the PIX not to nat the traffic. Change it to:

> nat (inside) 1 0.0.0.0 0.0.0.0

and you should be right.
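The diagnosis in this thread comes down to one rule: on PIX 6.x a `nat` statement with id 0 means "do not translate", so it can never pair with a `global` pool, and an EzVPN client in client-mode with split tunnelling then sends clear-text internet traffic out untranslated. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses the `nat`/`global` lines of a PIX 6.3 config, flags identity NAT for the inside range, unpaired `global` ids, and the resulting "no PAT for clear-text traffic" condition in client mode, and proposes the corrected `nat` line. The sample config is constructed from the relevant lines of the config quoted above; the function names are the example's own, and the `access-list` form of `nat` is only recognised, not evaluated.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: only the lines of the quoted PIX 6.3(1) config that
# matter for the NAT question (everything else in the config is irrelevant here).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
vpnclient mode client-mode
vpnclient enable
"""

# global (<iface>) <id> <pool>          e.g. global (outside) 1 interface
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")
# nat (<iface>) <id> <ip> <mask> ...    e.g. nat (inside) 1 0.0.0.0 0.0.0.0
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+)(?: (\S+))?")

GlobalMap = Dict[int, List[Tuple[str, str]]]
NatRule = Tuple[str, int, str, str]


def parse_nat_rules(config: str) -> Tuple[GlobalMap, List[NatRule]]:
    """Collect global pools keyed by nat id, and nat rules in config order."""
    globals_by_id: GlobalMap = {}
    nats: List[NatRule] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = GLOBAL_RE.match(line)
        if m:
            globals_by_id.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
            continue
        m = NAT_RE.match(line)
        if m:
            # 'nat (inside) 0 access-list X' is the policy-NAT form; we record it
            # with an empty mask so the audit below can tell it apart.
            nats.append((m.group(1), int(m.group(2)), m.group(3), m.group(4) or ""))
    return globals_by_id, nats


def audit_split_tunnel_nat(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the nat/global pairing is sound."""
    globals_by_id, nats = parse_nat_rules(config)
    findings: List[str] = []
    client_mode = "vpnclient mode client-mode" in config
    has_translation = False
    for iface, nat_id, ip, mask in nats:
        if nat_id == 0:
            # nat id 0 is identity NAT on PIX 6.x: matching traffic is never translated.
            findings.append(f"nat ({iface}) 0 {ip} {mask}: identity NAT, traffic from this range leaves untranslated")
            continue
        if nat_id in globals_by_id:
            has_translation = True
        else:
            findings.append(f"nat ({iface}) {nat_id} {ip} {mask}: no 'global' with id {nat_id}, rule has no address pool")
    for gid in globals_by_id:
        if not any(rule[1] == gid for rule in nats):
            findings.append(f"global id {gid} is defined but no 'nat' rule references it")
    if client_mode and not has_translation:
        findings.append("EzVPN client mode: no usable nat/global pair, clear-text split-tunnel traffic will not be PATed")
    return findings


def propose_fix(config: str) -> str:
    """Rewrite 'nat (<iface>) 0 0.0.0.0 <mask>' to use the lowest defined global id."""
    globals_by_id, _ = parse_nat_rules(config)
    if not globals_by_id:
        return config  # nothing to pair with; a global pool must be added first
    target_id = min(globals_by_id)
    fixed: List[str] = []
    for raw in config.splitlines():
        m = NAT_RE.match(raw.strip())
        if m and int(m.group(2)) == 0 and m.group(3) == "0.0.0.0":
            fixed.append(f"nat ({m.group(1)}) {target_id} {m.group(3)} {m.group(4)}")
        else:
            fixed.append(raw)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for finding in audit_split_tunnel_nat(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("--- proposed config ---")
    print(propose_fix(SAMPLE_CONFIG))
```

Run against the sample it reports three findings (the identity NAT rule, the orphaned `global (outside) 1`, and the client-mode consequence), and the proposed config carries `nat (inside) 1 0.0.0.0 0.0.0.0`, after which the audit comes back clean. The same check is worth keeping in any config-review pipeline for PIX-era devices, since an identity NAT on `0.0.0.0 0.0.0.0` is easy to overlook and silently turns off translation for everything not covered by the tunnel.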
