10-04-2005 08:47 AM - edited 02-21-2020 12:26 AM
I upgraded our Cisco 515E PIX box to version 7.0 from 6.3(5) and lost connectivity to our internal servers through a VPN connection. Any ideas as to why or how this happened?
10-05-2005 02:55 AM
If you are using split tunneling, this is probably the issue.
The bug ID is: CSCeh69389
This bug says:
When upgrading a PIX 6.x to 7.0, if split-tunneling is being
used for Remote Access clients, then the config conversion
process will not convert the split-tunnel list command, because
in 6.x the split-tunnel ACL was allowed to be of type 'extended'
whereas in 7.0 the ACL must be of type 'standard'.
To resolve the issue, take the extended ACL and manually convert it to a
standard ACL, specifying the networks you want encrypted. Once
the new ACL is in the config, it must be applied under the
group-policy.
Example:
access-list SplitTunnel standard permit 10.1.1.0 255.255.255.0
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnel
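The manual conversion described in the answer above can be scripted. The following is an added example, not part of the original post and not a Cisco tool. It assumes the source network of each 6.x extended entry is the network to be encrypted and that the standard ACL accepts the `host` form; the ACL id `80` and all addresses in the sample are constructed.

```python
import ipaddress

# Constructed 6.x-style input: ACL id "80" and all addresses are made up.
SAMPLE_6X = """\
access-list 80 permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 80 permit ip host 10.1.2.5 192.168.50.0 255.255.255.0
access-list 80 permit ip 10.1.1.0 255.255.255.0 any
access-list 80 permit ip any 192.168.50.0 255.255.255.0
access-list outside_in permit tcp any host 10.1.1.10 eq 25
"""


def source_network(tokens):
    """Parse the source spec of an ACE: 'any', 'host A' or 'A MASK'."""
    if tokens[:1] == ["any"]:
        return None
    if tokens[:1] == ["host"] and len(tokens) >= 2:
        return ipaddress.ip_network(tokens[1] + "/32")
    if len(tokens) >= 2:
        # Strict parsing rejects entries whose host bits do not match the mask.
        return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")
    raise ValueError("truncated ACE")


def convert_split_tunnel(config, old_acl, new_acl="SplitTunnel"):
    """Return (standard ACL lines, skipped input lines) for one extended ACL."""
    nets, skipped = [], []
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["access-list", old_acl]:
            continue  # every other ACL in the config is left alone
        src = source_network(t[4:]) if t[2:4] == ["permit", "ip"] else None
        if src is None:
            skipped.append(line)  # deny, non-ip or 'any' source: review by hand
        elif src not in nets:
            nets.append(src)  # keep first occurrence, drop duplicates
    out = []
    for n in nets:
        spec = (f"host {n.network_address}" if n.prefixlen == 32
                else f"{n.network_address} {n.netmask}")
        out.append(f"access-list {new_acl} standard permit {spec}")
    return out, skipped


if __name__ == "__main__":
    lines, skipped = convert_split_tunnel(SAMPLE_6X, "80")
    print("\n".join(lines))
    for s in skipped:
        print("! not converted, check manually:", s)
```

Entries with an `any` source are reported rather than converted, since a split-tunnel list that permits everything no longer restricts what is sent through the tunnel.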
10-12-2005 04:07 AM
Do I have to convert all my access-list commands that are extended to standard or just the one access-list command that pertains to my VPN?