
Lost Remote Access to Internal Network after upgrading PIX to 7.0

rpw5354
Level 1

I upgraded our Cisco 515E PIX box to version 7.0 from 6.3(5) and lost connectivity to our internal servers through a VPN connection. Any ideas as to why or how this happened?

Accepted Solution

lhiatt
Level 1

If you are using split tunneling, this is probably the issue.

The Bug ID is: CSCeh69389

This bug says:

When upgrading a PIX 6.x to 7.0, if split-tunneling is being used for Remote Access clients, then the config conversion process will not convert the split-tunnel list command, because in 6.x the split-tunnel ACL was allowed to be of type 'extended' whereas in 7.0 the ACL must be of type 'standard'.

To resolve the issue, take the extended ACL and manually convert it to a standard ACL, specifying the networks you want encrypted. Once the new ACL is in the config, it must be applied under the group-policy.

EX:

access-list SplitTunnel standard permit 10.1.1.0 255.255.255.0
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnel

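The manual conversion described in the accepted solution, as an added Python example (not part of the original reply and not Cisco tooling): it reads a 6.x config, takes only the named split-tunnel ACL, keeps the source side of each extended entry, and emits standard entries for 7.0. The sample config, the ACL name `split`, and the function names are constructed for illustration; it assumes the source of each entry is the internal network to be encrypted.

```python
import ipaddress

# Constructed PIX 6.x excerpt (not from the thread); "split" stands in for the
# extended ACL that the remote-access group used for split tunneling.
SAMPLE_6X = """\
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list split permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list split permit ip host 10.2.2.5 192.168.50.0 255.255.255.0
access-list split permit ip 10.1.1.0 255.255.255.0 192.168.60.0 255.255.255.0
"""

def source_spec(tokens):
    """Return the source address of an extended entry in standard-ACL form."""
    if tokens[0] == "any":
        return "any"
    if tokens[0] == "host":
        net, mask = tokens[1], "255.255.255.255"
    else:
        net, mask = tokens[0], tokens[1]
    ipaddress.ip_network(f"{net}/{mask}")  # ValueError if host bits are set
    return f"{net} {mask}"

def to_standard_acl(config_text, old_name, new_name):
    """Rewrite extended ACL old_name as standard entries named new_name."""
    entries = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", old_name]:
            continue                      # other ACLs are left alone
        action, proto = t[2], t[3]
        if action not in ("permit", "deny"):
            continue                      # e.g. remark lines
        if proto != "ip":
            raise ValueError(f"needs manual review (protocol {proto}): {line}")
        entry = f"access-list {new_name} standard {action} {source_spec(t[4:])}"
        if entry not in entries:          # same source, different destination
            entries.append(entry)
    if not entries:
        raise ValueError(f"no entries found for access-list {old_name}")
    return entries

if __name__ == "__main__":
    print("\n".join(to_standard_acl(SAMPLE_6X, "split", "SplitTunnel")))
    print("group-policy RemoteAccess attributes")
    print(" split-tunnel-policy tunnelspecified")
    print(" split-tunnel-network-list value SplitTunnel")
```

Entries that are not plain `ip` raise an error instead of being converted, because a standard ACL cannot express protocol or port matches and those lines need a manual decision.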

2 Replies

Do I have to convert all my access-list commands that are extended to standard or just the one access-list command that pertains to my VPN?
